The Coming Pandemic: How Prepared Are We?

Expert Says Financial Institutions Still Have a Lot of Work to Do
The Coming Pandemic: How Prepared Are We?
The good news is: The financial services industry is "head and shoulders" above other industries when it comes to being prepared for a pandemic disaster.

The bad news is: There's still a ton of work to be done before banking institutions can say they're truly ready to face such a crisis.

This is the two-pronged message from Regina Phelps, ( http://www.ems-solutionsinc.com/about_phelps.html) an internationally recognized expert in the field of emergency management and continuity planning. And her opinion is supported by key financial services figures, who are rallying institutions to meet compliance with new FFIEC guidelines (SEE RELATED STORY: New Pandemic Guidance Issued by FFIEC).

Banking institutions have received more oversight and regulatory scrutiny than virtually any other industry. And robust pandemic plans are already taking shape.

"[But] there's still a huge amount to be done to be ready for something as significant as an 18-month pandemic," Phelps says. And the recent national pandemic exercise (" Pandemic Exercise Report Released") showed just how much work is still to be done, she explains.

"For companies that have already spent a lot of money and time on pandemic planning it was a pretty simple exercise," Phelps says. "Although for those just getting started, it was really complicated... For those institutions, it was more than they had ever thought about."

State of the Industry
Given the reality of a pandemic disaster - and given that the recent State of Information Security survey showed that it's the type of crisis financial institutions are least prepared for - now is the time for organizations to give the matter serious thought.

Doug Johnson, Vice President of Risk Management and Policy for the American Bankers Association, feels the recent pandemic exercise demonstrated the industry's resolve to tackle this threat. In all, 2700 institutions participated in the pandemic exercise, and many community-based institutions were able to gain a great deal of insight into the effects of a pandemic on their operations, Johnson says. Those that did not participate have the opportunity to use the exercise scenario to test their plans.

"While other sectors are working diligently to prepare for a potential pandemic, no other industry has completed as extensive an exercise as financial services has," Johnson says.

George Hender, chair of the Financial Services Sector Coordinating Council (FSSCC), which co-sponsored the pandemic exercise, notes the importance of financial institutions plans, which are tied to the wider market resiliency. "The recent world market stumble that happened during 9-11 and the ensuing days after will give you a picture of what will happen to the world markets and how they would react when the avian flu is announced," Hender says. "It's not going to be good thing."

The national exercise reinforces the need for the industry to say "We're ready, we've tested our markets, and our institutions and we are confident that the global markets are going to continue to operate smoothly and will be able to sustain operations during a pandemic," he adds.

A Different Kind of Disaster

But the reality is, Phelps says: A pandemic disaster is different than any kind of crisis that's been handled before.

"This is really a people event," Phelps says. In a pandemic, the infrastructure would most likely remain intact, and the disaster is not one of physical property loss or utility loss. "I recommend that everyone go back and look at this disaster from a much different perspective -- what if they can't get their people into work, or they refuse to come to work."

Financial institutions must reassess how they're going to deliver service to their customers, she says. "Several large banks I work with have looked at how they would provide safety deposit box availability, how they would do teller lines, things you wouldn't normally have to think about," Phelps says. Banks wouldn't open all teller lines, and there would be sanitizing gel at every one of the stations. "Institutions would put more space between staff and the customers."

One way to achieve this is by moving as much of the institution's business to the Internet. "That's assuming the Internet is still standing," Phelps says. One recent DHS study done at the behest of the financial services industry points to the fragile telecommunications industry infrastructure and possibilities that it would not be able to withstand the extra demands that a home-bound population would incur on it during a pandemic.

Regardless, institutions would want to do as much business by phone or by some other vehicle -- to still service customers but not have them in front of staff.

Also to consider: the normal, everyday type of tasks such as emptying the ATM deposit envelopes and counting the deposits. "Say that a teller is assigned daily to empty the ATM deposits," Phelps says. "During a pandemic, an institution would probably want to let those newly deposited envelopes sit for 24 hours."

General research has shown viruses will die on objects like bank notes or checks if left untouched for a day. Phelps says only one study on European bank notes performed last year showed viruses living on bank notes for as long as 17 days. That study has not been replicated.

"If institutions are concerned about the spread of the virus from bank notes in ATM envelopes, they are better off letting them sit for a couple of days," she says. One drawback: the longer wait for the availability of those funds.

For customers using those ATMs or visiting a branch during a pandemic, the use of ATM keypads will need to change. When using an ATM, institutions will want to tell customers to punch in their PINs with an object, like a pen or a pencil. At the teller window, the customer who doesn't have a pen will be given a pen to sign with, and then told to "keep it." Phelps quips, "Depending on how many customers a particular branch has, there might be a lot of pens that need to be ordered."

The Bucket List
When beginning the pandemic plan at an institution, Phelps recommends institutions divide their employees and place them into one of four possible "buckets."

  • Mission-critical employees who have to be at work. In the banking industry, that would include a percentage of data center staff, a certain number of people in the customer service areas, (tellers and customer call center staff); and finally the institution's security staff. "Other than those people, probably nobody else should be on the list. If it's not a branch bank, they probably don't need anybody there." Phelps adds that the institutions she has worked with have identified only a very small number of Category 1 staff.
  • Mission-critical employees who could work remotely. This means as long as they could log on and work on their applications, they would be able to be productive. Phelps recommends institutions planning to have their employees work remotely should already have started this process. This is achieved by having employees work from home at least one day a month via a laptop or desktop along with all the peripherals they would need, including a broadband connection and computer support help desk, so they feel comfortable linking remotely. "Institutions will need to have established processes and have thought out how this would be deployed across with larger numbers of staff logging on remotely. You don't just hand someone a laptop with a set of instructions and expect those people to operate it from day one." She adds that during an emergency is not the time or place to begin testing technology.
  • Non mission-critical employees who could work remotely if able.
  • Non mission-critical employees who can't work from home. This would include such staff as mail room clerks or receptionists.

This single exercise is the beginning of any pandemic planning effort, Phelps says. Otherwise an institution doesn't know what to plan for or who's going to be in the office, or who's going to work from home, what equipment they're going to need. "This little exercise will help set all of an institution's parameters and expectations on how the institution will operate," Phelps says.

Nowhere to Hide
The normal model for business continuity program planning usually will have the scenario where the business is hit by a disaster, and the business then relocates to a hot site where business operations are recovered and business resumes at the site until the disaster is over and employees can go back to the main site, she explains.

"I want to impress on institutions -- don't plan to relocate, because your remote site will most probably also be involved in a pandemic," Phelps says. "Remember when this pandemic hits, it won't just be in one area. It will be spread across wide geographic areas -- the whole country may be affected There is no going away, There is no escape. People need to understand that there will be nowhere to hide."

This makes pandemic planning difficult. Most financial institutions have regional planning models, "Where the institution is hit in a hurricane in Miami, so they relocate that part of the business to Los Angeles," she notes. Phelps predicts that smaller banks and credit unions are in for challenges when it comes to pandemic planning. "There is a huge challenge when you have only 50 employees -- how do you cross-train, and what if all the replacements become sick?"

Documentation on operations and processes will be essential. "Institutions will need to have a list of absolutely drop-dead operations that must take place for the institution to remain in business."

See Sidebar: Four Pillars of Pandemic Planning


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.