U.S regulators have recommended that all futures and securities firms review and update their current data backup, disaster recovery, and business continuity solutions.
Prompted by closures in the equities and options market in the aftermath of Hurricane Sandy, Regulators including the SEC, FINRA, and the CFTC contacted firms to assess the impact Hurricane Sandy had on their operations
The regulators asked each firm for specifics regarding any backup disaster recovery (BDR) and business continuity plan (BCP) they had in place prior to Hurricane Sandy. The responses they gathered were compiled to develop a list of best practices and lessons learned.
The regulators have since gone on to suggest that all firms refer to these best practices and lessons as part of reviewing and improving upon their current BDR and BCP procedures. By doing this, the regulators hope that firms will be better prepared for similar events. Regulators feel that a comprehensive BDR and business continuity strategy will help firms improve responsiveness and minimize downtime.
Managed Service Providers (MSPs) have always stressed the importance of the BDR and BCP solutions they offer to small-to-medium-sized businesses. That said, it doesn't hurt to see what government regulators recommend to those handling our money. We've summarized portions of the full report, addressing only the parts that we feel can easily be applied to SMBs. The full report can be read here at http://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf.
Widespread Disruption Considerations
True business continuity plans go beyond technology. What is the probability of a widespread lack of telecommunications during a disaster? We're talking no Internet and no cell phone coverage. Large-scale events can knock out power and limit our access to drinkable water and food supplies. Getting around may be complicated. Roadways might be inaccessible and fuel may be scarce. Part of being prepared for the unknown is to assess how any plausible scenario would impact day-to-day operations and services.
A critical component to business continuity planning is remote access. Every employee should have the ability to efficiently work from home if a disaster strikes or blocks access to the office. If there is no power or no Internet and phone, alternatives should be defined to carry out key operations.
Alternative Location Considerations
The implications of region-wide disruptions must be factored into the location choices for backed-up data centers. Keeping backups within close proximity may seem like a smart strategy to ensure they're readily accessible, but this does you no good if it's a region wide disruption.
When it comes to supporting business critical activities at an alternative location, what will be the site's staffing needs? How about office space, equipment, and available resources? Printed copies of the business continuity plan, contact lists, and other business documents and manuals should also be kept at the alternate site if electronic files can't be accessed.
Any critical vendor relationships should also have an adequate business continuity plan, as they may be affected by the same event as you. Vendors risk ratings should be considered based on the quality of their BDR and BCP strategies.
Telecommunications Services and Technology Considerations
The telecommunications infrastructure must be enhanced. Consider secondary phone lines, backup mobile phone services with different carriers, emergency Wi-Fi spots, and cloud technology.
Review and Testing
Annual full BCP tests should be conducted. If the business continuity plan changes often, more frequent testing is recommended. All personnel should be trained for their specific role in the plan.