Preliminary results of the nationwide pandemic exercise for the financial services industry were released recently, and show that while the industry itself is among the most prepared, there is still much work to be done for individual institutions to be fully prepared for a true pandemic disaster.
Richard Swart: When you say operations were affected, was it just having to shut down their branches, or were they actually having to go into a full disaster recovery mode?

William Henley: Well, we had two thrifts: one thrift implemented its disaster recovery plan, but it did not have to relocate; and the other thrift implemented its internal incident management plan. And then the other two just had minor disruptions, you know, a lot of that had to--or of those--I think it was more employees that had to relocate because of where their residences were located in danger zones, so they had a little disruption there, but nothing that they couldn't overcome.
What is the biggest lesson learned from the fast-moving wildfires that scorched a seven-county wide swath of Southern California in late October? “Have a plan.”
UPDATED 10/31 -- For more than a week, wildfires ravaged Southern California, and financial institutions in the area were forced to temporarily close branches and initiate their emergency response plans. The wildfires are slowing, and as firefighters work to extinguish the last of them, the news from federal regulatory agencies about affected institutions and their emergency response capabilities has been positive. According to the Office of Thrift Supervision, the number of OTS-supervised institutions affected by the California wildfires was under 10. (See related information
Nearly 3000 Firms Participating in Nationwide Test

The multi-week, sector-wide pandemic exercise that kicked off on September 24 is underway with 2725 firms registered and participating. The exercise, the first of this scope in the U.S., is sponsored by the U.S. Treasury Department in partnership with the FSSCC and the Financial and Banking Information Infrastructure Committee (FBIIC), with the Securities Industry and Financial Markets Association (SIFMA) playing a key planning and project management role.
More than 1,200 financial institutions have signed up for the upcoming nationwide pandemic exercise for the financial services industry. The exercise, slated to run over a three-week period beginning on September 24, will allow financial institutions to test their business continuity plans and their response to a pandemic. Sponsored by the U.S. Treasury Department, the exercise will be operated by the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC) and the Financial and Banking Information Infrastructure Committee (FBIIC). "In this exercise, firms will be able to take this information and actually use their crisis management team, and have the team play through the exercise. Firms can involve the actual people who would likely be involved in a real event," said Dave Engaldo, a member of the FSSCC leadership team.
In mid-July the Department of Homeland Security (DHS) took a major step toward implementing its system for credentialing public and private sector first responders by conducting a demonstration in Washington, D.C., and other cities across the U.S. A credentialing system has been a key objective for DHS since 9/11. The goal is to create common credentials for public and private first responders through key screening initiatives, including fostering the interoperability of credentialing systems across federal, state and local governments.
The planned pandemic exercise for the financial services sector already has more than 650 institutions signed up since registration opened on July 20. Sponsored by the U.S. Treasury Department, the national pandemic exercise scheduled for September 24 through October 12 will be operated by the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC) and the Financial and Banking Information Infrastructure Committee (FBIIC). "We have no limit to the number of institutions that may sign up; the only restriction to registration is the deadline for registration, August 31," explained Dave Engaldo, a member of the FSSCC leadership team.
How prepared is your financial institution in the event a pandemic hits? Financial institutions may now register to participate in the pandemic flu exercise for the financial services sector. From September 24 through October 12, the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC) will conduct a pandemic flu exercise. The exercise is sponsored by the US Department of the Treasury and the Securities Industry and Financial Markets Association. The deadline for registration is August 31, 2007.
Later this fall, the Treasury Department plans a multi-week test of the financial services industry's ability to respond to a pandemic outbreak; the exercise will include scenarios modeled on a predicted avian flu pandemic.
Given the high cost of containing information security breaches, financial institutions have invested lots of time and money into developing incident response programs. But how do they know if their program is working properly? To assist financial institutions in this process, the Federal Deposit Insurance Corporation has published guidance on incident response program best practices—a how-to approach to keeping sensitive data from being accessed by unauthorized individuals. Many financial institutions are finding it challenging to assemble an incident response program (IRP) that not only meets minimum requirements as prescribed by financial institution regulators, but also provides for an effective methodology to manage security incidents for the benefit of the financial institution and its customers. Financial institutions are required to include incident response as part of their information security program. The federal financial institution regulatory agencies have issued interpretive guidance prescribing standard procedures that should be included in IRPs. In addition, at least 33 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.
Just because it hasn't happened yet, don't assume that an avian influenza pandemic isn't going to happen. "It's not a matter of if, it's a matter of when," a DHS representative said during a presentation to a financial services industry group. And when the avian flu does make the jump to human-to-human transmission, the 54% mortality rate seen among its more than 100 human victims between 1997 and 2005 will, the speaker warned, increase dramatically. Short of a nuclear exchange between nations, nothing has the potential to threaten as many lives and cause as much disruption to the global economy as H5N1 avian influenza.
The Office of the Comptroller of the Currency (OCC) issued a bulletin on February 21 about the change in Daylight Saving Time (DST). The bulletin reminds institutions and their technology service providers that DST in the United States begins earlier and ends later in 2007, and that institutions may be exposed to a variety of risks (mistimed transactions, scheduled jobs and log timestamps among them) if their systems are not prepared for the change. The Credit Union National Association (CUNA) also noted the change to its membership earlier in February. The Energy Policy Act of 2005, signed into law in August 2005, moves the beginning of DST from the first Sunday in April to the second Sunday in March (March 11, 2007) and the end of DST from the last Sunday in October to the first Sunday in November (November 4, 2007).
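A practical way to act on the bulletin is to verify, per system, that the installed time-zone database actually reflects the new rule rather than the pre-2007 one. The following is an added example written for this page, not code from the OCC or CUNA: it computes the statutory DST dates for a year (old rule before 2007, Energy Policy Act rule from 2007 on), scans a zone's UTC offsets day by day to find the transitions the local tz database believes in, and compares the two. It assumes Python 3.9+ with the standard-library zoneinfo module and IANA zone names such as America/New_York; if no tz database is installed the check reports None rather than a false pass.

```python
"""Check that a system's tz database reflects the 2007 US DST rule change."""
from __future__ import annotations

from datetime import date, datetime, timedelta, timezone
from typing import List, Optional, Tuple


def nth_sunday(year: int, month: int, n: int) -> date:
    """Return the n-th Sunday of a month; n=-1 means the last Sunday."""
    if n > 0:
        first = date(year, month, 1)
        offset = (6 - first.weekday()) % 7        # Monday=0 ... Sunday=6
        return first + timedelta(days=offset + 7 * (n - 1))
    # last Sunday: step back from the last day of the month
    next_month = date(year + (month == 12), (month % 12) + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - 6) % 7)


def statutory_us_dst(year: int) -> Tuple[date, date]:
    """Statutory US DST start/end dates.

    2007 onward: second Sunday in March to first Sunday in November
    (Energy Policy Act of 2005). Before that: first Sunday in April to
    last Sunday in October.
    """
    if year >= 2007:
        return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    return nth_sunday(year, 4, 1), nth_sunday(year, 10, -1)


def observed_transitions(tz, year: int) -> List[date]:
    """Local dates on which the zone's UTC offset differs from the day before.

    Sampling at noon UTC keeps the local date unambiguous for all US zones
    (transitions happen at 02:00 local, well before noon UTC).
    """
    transitions: List[date] = []
    prev = None
    day = datetime(year, 1, 1, 12, tzinfo=timezone.utc)
    end = datetime(year + 1, 1, 1, tzinfo=timezone.utc)
    while day < end:
        local = day.astimezone(tz)
        off = local.utcoffset()
        if prev is not None and off != prev:
            transitions.append(local.date())
        prev = off
        day += timedelta(days=1)
    return transitions


def tzdb_matches_statute(zone_name: str, year: int) -> Optional[bool]:
    """True if the installed tz database agrees with the statutory dates,
    False if it does not (e.g. stale pre-2007 rules), None if no tz
    database is available so the check cannot be performed."""
    try:
        from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
        tz = ZoneInfo(zone_name)
    except (ImportError, ZoneInfoNotFoundError):
        return None
    return observed_transitions(tz, year) == list(statutory_us_dst(year))


if __name__ == "__main__":
    # Zone names below are IANA identifiers chosen for illustration.
    for zone in ("America/New_York", "America/Chicago", "America/Los_Angeles"):
        print(zone, 2007, tzdb_matches_statute(zone, 2007))
```

A False result on a host means its tz data predates the 2007 rule and scheduled jobs, certificate validity checks and log correlation on that host will be off by an hour for three weeks in March and one week in November; a None result means the check could not run and the host needs a manual review.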
Business continuity planning (BCP) is the process whereby financial institutions ensure the maintenance or recovery of operations, including services to customers, when confronted with adverse events such as natural disasters, technological failures, human error, or terrorism. The objectives of a BCP are to minimize financial loss to the institution, continue to serve customers and financial market participants, and mitigate the negative effects disruptions can have on an institution's strategic plans, reputation, operations, liquidity, credit quality, market position, and ability to remain in compliance with applicable laws and regulations. Changing business processes (internal to the institution and external, among interdependent financial services companies) and new threat scenarios require financial institutions to maintain updated and viable BCPs.
Disaster recovery is about three things: planning, testing, and procedures, and each is as important as the others. The planning phase often gets the most attention, and for good reason: financial institutions have to satisfy compliance initiatives and answer to the FFIEC and OCC. But that is not where the story ends. Satisfying compliance initiatives may get you off the hook with the regulators and make you look good on paper, but what you are really interested in is staying in business for the long haul. The statistics are staggering: eighty-five percent of companies without a disaster recovery plan go out of business within a year after a disaster. All your hard work blown away by a Katrina, washed away by a tsunami, crumbled by an earthquake, or smashed by terrorists.