US regulators have issued guidance on effective disaster recovery and business continuity planning for financial institutions.
The Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC)’s Division of Swap Dealer and Intermediary Oversight, and the Financial Industry Regulatory Authority (FINRA) have advised firms to prepare for widespread disruption during the upcoming hurricane season. This regulatory warning comes as the SEC and FINRA asked asset managers at the beginning of 2013 about how their disaster recovery / business continuity plans worked during Hurricane Sandy, as they sought to identify weaknesses in infrastructure and procedures. To ensure business continuity, regulators advise businesses to have fully functioning secondary locations to work from and tested communication plans in place. It is also recommended that firms improve their recovery time after disruptive events.
This guidance comes 10 months after Hurricane Sandy caused massive disruption to financial services on the East Coast. Hurricane Sandy shut the NASDAQ and NYSE for an unprecedented two days while Goldman Sachs and Citi told their employees to work remotely.
While Dodd-Frank stipulates managers must have disaster recovery and business continuity in place, it defines them broadly. Nonetheless, institutional investors have made it no secret they want managers to employ effective disaster recovery and business continuity policies.
Natural disasters are not the only threats to hedge funds’ infrastructure and business continuity. The importance of disaster recovery and business continuity was also reiterated in a recent paper on systemic risk by the Depository Trust & Clearing Corporation (DTCC), which identified cyber-crime as the biggest threat to market stability, putting it ahead of counterparty risk and concentration risk at central counterparty clearing houses (CCPs).
Cyber-threats can take many forms. The most obvious include denial of service, unwanted disclosure of non-public material data and the corruption of books and records. A DTCC survey of exchanges reported 53% had experienced a cyber-attack in the last 12 months. The reputational risk and potential systemic risk of falling victim to one of these attacks are enormous, and it is something hedge funds ought to protect themselves against. An effective disaster recovery and business continuity plan, as well as a partnership with a managed security services provider, is essential to a hedge fund’s success.
When a hedge fund in lower Manhattan lost power due to Hurricane Sandy, ACE IT Solutions, in partnership with Datto, delivered seamless intelligent business continuity by providing complete access to the virtual server with ample time to meet the trading deadline.