Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants

GAO-03-251 February 12, 2003

Summary

September 11 exposed the vulnerability of U.S. financial markets to wide-scale disasters. Because the markets are vital to the nation's economy, GAO assessed (1) the effects of the attacks on market participants' facilities and telecommunications and how prepared participants were for attacks at that time, (2) physical and information security and business continuity plans market participants had in place after the attacks, and (3) regulatory efforts to improve preparedness and oversight of market participants' risk reduction efforts.

The September 11 attacks severely disrupted U.S. financial markets, resulting in the longest closure of the stock markets since the 1930s and severe settlement difficulties in the government securities market. While exchange and clearing organization facilities were largely undamaged, critical broker-dealers and bank participants had facilities and telecommunications connections damaged or destroyed. These firms and infrastructure providers made heroic and sometimes ad hoc and innovative efforts to restore operations. However, the attacks revealed that many of these organizations' business continuity plans (BCP) had not been designed to address wide-scale events.

GAO reviewed 15 organizations that perform trading or clearing and found that since the attacks, these organizations had improved their physical and information security measures and BCPs to reduce the risk of disruption from future attacks. However, many of the organizations still had limitations in their preparedness that increased their risk of being disrupted. For example, 9 organizations had not developed BCP procedures to ensure that staff capable of conducting their critical operations would be available if an attack incapacitated personnel at their primary sites. Ten were also at greater risk of being disrupted by wide-scale events because 4 organizations had no backup facilities and 6 had facilities located between 2 and 10 miles from their primary sites.

The financial regulators have begun to jointly develop recovery goals and business continuity practices for organizations important for clearing; however, regulators have not developed strategies and practices for exchanges, key broker-dealers, and banks to ensure that trading can resume promptly in future disasters. Individually, SEC has reviewed exchange and clearing organization risk reduction efforts, but had not generally reviewed broker-dealers' efforts. The bank regulators that oversee the major banks had guidance on information security and business continuity and reported examining banks' risk reduction measures annually.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.



Recommendations for Executive Action


Recommendation: So that trading in U.S. financial markets can resume after future disruptions in as timely a manner as appropriate, the Chairman, Securities and Exchange Commission (SEC), should work with industry to develop goals and strategies to resume trading in securities.

Agency Affected: Securities and Exchange Commission

Status: Implemented

Comments: In April 2003, SEC and other federal financial regulators issued the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System. The paper established goals and practices for the resumption of trading after a disruption for key clearing and settlement organizations. In addition, in September 2003, SEC issued a policy statement that established recovery goals and business continuity guidelines for securities exchanges and ECNs.

Recommendation: So that trading in U.S. financial markets can resume after future disruptions in as timely a manner as appropriate, the Chairman, SEC, should work with industry to determine sound business continuity practices that organizations would need to implement to meet these goals.

Agency Affected: Securities and Exchange Commission

Status: Implemented

Comments: In April 2003, SEC and other federal financial regulators issued the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System. The paper established goals and practices for the resumption of trading after a disruption for key clearing and settlement organizations. In addition, in September 2003, SEC issued a policy statement that established recovery goals and business continuity guidelines for securities exchanges and ECNs. If organizations follow the guidelines in the interagency paper and the policy statement, they should be able to meet the relevant trading resumption goals.

Recommendation: So that trading in U.S. financial markets can resume after future disruptions in as timely a manner as appropriate, the Chairman, SEC, should work with industry to identify the organizations, including broker-dealers, that would likely need to operate for the markets to resume trading and ensure that these entities implement sound business continuity practices that at a minimum allow investors to readily access their cash and securities.

Agency Affected: Securities and Exchange Commission

Status: Implemented

Comments: In April of 2003, SEC and the banking regulators issued the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System." The Paper identifies business continuity practices and recovery goals for key clearing and settlement organizations. In September 2003, SEC issued a policy statement that establishes business continuity principles to be followed by securities exchanges and electronic clearing networks. Finally, in April 2004, SEC approved essentially identical rules from NASD and NYSE that require their members to develop business continuity plans that address various elements, including data backup and recovery as well as alternate means of communication with customers. While these rules do not require trading firms to actually have plans to resume operating or trading activities after a disaster, they do require broker-dealers to develop procedures to ensure that they promptly could provide customers with access to their funds and securities if the broker-dealers were unable to continue business operations.

Recommendation: So that trading in U.S. financial markets can resume after future disruptions in as timely a manner as appropriate, the Chairman, SEC, should work with industry to test trading resumption strategies to better assure their success.

Agency Affected: Securities and Exchange Commission

Status: Implemented

Comments: To assure that trading in U.S. financial markets can resume after future disruptions in as timely a manner as appropriate, we recommended that SEC work with industry to test trading resumption strategies. SEC essentially delegated industry-wide testing to the Securities Industry Association (SIA). SIA, together with the Bond Market Association, the Futures Industry Association, and the Financial Information Forum, led a test on October 14, 2006, the second year for this industry-wide effort. More than 250 organizations, including broker-dealers, markets, service bureaus, and industry utilities, participated, with test participants representing more than 80 percent of normal market volume. In addition, new test components were added to the 2006 test, such as money markets and payment system processors. Test results showed a 95 percent success rate overall for successful test connections. SIA officials told us that such tests will continue on an annual basis, providing assurance that securities market participants can perform critical activities in the event of a disaster.

Recommendation: In addition, to improve the effectiveness of the SEC's Automation Review Policy (ARP) program and the preparedness of securities trading and clearing organizations for future disasters, the Chairman, SEC, should issue a rule requiring that the exchanges and clearing organizations engage in activities consistent with the operational practices and other tenets of the ARP program.

Agency Affected: Securities and Exchange Commission

Status: Implemented

Comments: SEC Market Regulation Division staff told us that they are confident they will obtain approval of a rule that will make adherence to the ARP program mandatory for affected organizations by the end of 2007. SEC staff told us they are exploring the possibility of recasting the current draft rule as a principles-based one rather than a more specific rule, and are travelling to the United Kingdom in September to learn how best to administer such rules. Their plan is to submit the revised rule, which will require only minor change to become more principles oriented, to the SEC Commissioners for approval and issuance by year end.

Recommendation: In addition, to improve the effectiveness of the SEC's ARP program and the preparedness of securities trading and clearing organizations for future disasters, the Chairman, SEC, should, if sufficient funding is available, expand the level of staffing and resources committed to the ARP program.

Agency Affected: Securities and Exchange Commission

Status: Implemented

Comments: SEC has hired 2 staff with MBAs and IT operational experience and is in the process of hiring an additional MBA with IT experience.