Pandemic Planning from the Securities Industry Perspective

Emergency Management Leader Offers Business Continuity Insights for Banking Institutions Howard Sprow, vice president of Business Continuity Planning for the Securities Industry and Financial Markets Association (SIFMA) is a long-time leader in emergency management issues in the financial services industry. Part of his role at SIFMA is running the annual business continuity tests for the financial services industry, specifically securities markets and brokerages, clearinghouses and exchanges. Recently we interviewed him on SIFMA's work in business continuity and pandemic planning.

Q: What was SIFMA's role in the national pandemic exercise and how did it come about?

Sprow: We represent the securities industry at SIFMA, and were heavily involved in building out the exercise. One of our roles within SIFMA is business continuity testing. We have a very extensive business continuity planning committee. It is the largest committee in SIFMA by far with an extensive user community of BCP managers, emergency managers, public sector managers in emergency management with more than 150 organizations represented on the committee.

In that committee we do a lot of business continuity planning and preparedness, and emergency management strategy and certainly pandemic planning and preparation. This group provided much of the manpower and expertise to help develop for Treasury and FSSCC (Financial Services Sector Coordinating Council) the pandemic exercise, and in fact we were the ones that conceived it.

Q: What are some of the findings that came out of this national exercise?

Sprow: We are looking at results of exercise now within SIFMA and FSSCC. One of the FSSCC forums is the Infectious Diseases forum which I chair. We are merging some of our work to produce a set of FSSCC-recommended guidelines for handling pandemics. We look for this to come out later this year. These guidelines will be suggestions for how different organizations will handle a pandemic, and things to consider when planning for it.

Q: How would SIFMA suggest a pandemic plan be in an overall Business Continuity Plan for a financial services company?

Sprow: From [that] side a pandemic is quite different from regional threats or any other type of event, which most are only of a short, immediate duration.

If it's a hurricane, it lasts a few days, a terrorist event, a matter of a few seconds, and then you begin the recovery process. With a pandemic it will be totally different on both counts. It will be national, even global in scope rather than affecting a few local branches of a company, it will affect all of them, maybe at the same time.

The other thing is it is fairly long in duration, longer than 6 weeks, and likely in multiple waves of two, possibly even three waves of infection, and it could go on for a long time and it would affect all of your facilities and your employees. It wouldn't impact your physical office structure, so the planning and response are different. So institutions must come up with strategies that are broader looking.

Q: What do SIFMA and industry leaders see as important parts of a toolkit for pandemic response?

Sprow: The elements to consider as suggested options, across the board for a securities firm, insurance company, institutions, a lot of it is the same: you need to have mechanisms to communicate effectively with your employees and customers. Websites are obviously an effective way to communicate, offer customer service support, with a call center or other mechanisms, such as face to face transactions at a branch level. You need to be able to communicate what's going on to your employees both before and during a pandemic because information is going to be key to helping your employees and customers get through this, and for purposes of keeping your business up and running.

Beyond that there are a number of tools that have been identified or strategies that have been identified by institutions and others that are worth looking at - (one of them) is social distancing.

It is wise to develop some type of strategy to spread your employees out across your institution. There are number of ways to do this, and institutions and firms are using this in their plans. You have back up sites, you can deploy some employees there to help everybody spread out and lessen to some degree the possibility of spreading the virus. It would also help employees feel more at ease about being in the office.

You need to study your functions in detail to understand which ones have to be done in the office. Certainly, there are some functions at each institution or firm that have to be done on site, some can be done remotely.

Q: What's SIFMA's view of regulatory relief during a pandemic? What considerations may we expect to see on this from regulators?

Sprow: I would not say "expect to see," but rather say "hope to see" regulatory relief from regulators. On the securities side, we've been working with our regulators for over a year on this topic, and we have a very productive dialogue going on with them as to how this may play out.

You can understand the regulatory position, which is because the nature of a pandemic is going to be so fluid we are not going to be able to predict or know what we're going to face. It may not be as severe as some people may think, and that would lead to a different level of regulatory relief. It may be worse than we think, or it may be worse in certain areas or in certain functions. It's very difficult for regulators to predetermine how regulatory relief may look. In the securities industry we're looking at certain things that came out of the exercise and trying to predefine what regulations might link to the business problems presented. That is the next step we're in the somewhat early stages of that with our regulators.

The regulatory relief question was a written answer on the survey at the end of the national exercise, and there were some common answers we were seeing across the board. Some of those things we saw were participants asking if routine audits and examinations would be deferred; education requirements for market professionals maybe should be relaxed. Then there was a very large category that can take many twists and turns, and that was regulatory reporting. There are many regulatory reports that have to be filed. While we are in a highly automated age, many of the reports still require a fairly heavy manual component in order to make them work, and this manual component varies from firm to firm.

On the banking side, the same types of issues were asked -- examinations if they could be deferred, regulatory reporting again comes up. The banking industry is under reporting requirements just the same as the securities industry, and the reports also are manually done at many banks. Regulations, extended time to comply with them, branch closures regulation relief, reserve and liquidity requirements -- these are just some of the things that came out of the answers from the survey after the exercise.

Organizations like the ABA (American Banking Association) are working with banking regulators to identify the functions that could be most impacted by high absentee rates, and what are the processing issues around them and how do they relate to the regulations. This will create a roadmap of the regulations the regulators will need to explore as a pandemic approaches.

Q: Where does this leave the industry at this point after the exercise?

Sprow: The national exercise was designed to look at a very realistic scenario, and it is the most plausible scenario to be put out so far. The answers we got back were very well thought-out responses and we came back with many lessons learned. So we now need to follow up on those lessons learned across the sector and this upcoming guidance will reflect that. Those institutions that participated in the exercise also need to take what they learned about their plans and implement changes accordingly. This was a chance for them to check their plans and strategies, and the majority that took part said they did take away specific changes and critical things that they would be changing in their planned response as a result of what they learned during the exercise.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.