Financial institutions occupy a central position within both the national and world economies. Several state and federal regulatory agencies closely supervise these institutions because of their importance to our economy and the far-reaching consequences of their activities. These regulators are aware that advances in computer processing and the use of data centers have led these businesses to increase the number and complexity of their transactions exponentially in recent years. In part because of the increased computerization of financial transactions, regulatory agencies require financial institutions to provide for continuing operations and to protect data through business continuity and disaster recovery planning.
The Sarbanes-Oxley Act and Securities and Exchange Commission regulations impose significant requirements on financial institutions. Specific examples of such requirements include Financial Industry Regulatory Authority (formerly the NASD) Rule 3510 and New York Stock Exchange Rule 446, which require members to establish and maintain business continuity plans. These two rules each require that members and member organizations develop procedures reasonably designed to ensure they will be able to meet existing obligations to customers. Each plan must address, among other things, record back-up and recovery for electronic data and identify “all mission critical systems and back-up for such systems.” Rule 446 defines a mission critical system as:
Any system that is necessary...to ensure prompt and accurate processing of securities transactions, including order taking, entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
Other mandates include:
The Gramm-Leach-Bliley Act [501(b)] requires financial institutions to establish standards to safeguard the security, integrity, and confidentiality of customers’ records.
The Federal Financial Institutions Examination Council Information Technology Examination Handbook requires a comprehensive business continuity plan that may be examined by FFIEC member agencies.
The Expedited Funds Availability Act requires institutions to exercise diligence in emergency situations in order to qualify for an exception to the “funds availability requirement” that otherwise requires liquid funds to be available for transactions.
Although it is reasonable to assume that the majority of the financial institutions in this country have backup computer systems together with business continuity and disaster recovery plans, experience has shown that these do not always operate as planned. Even the best thought-out plans can sometimes fail. A classic example of a failure in a disaster situation occurred when the World Trade Center towers collapsed in 2001, simultaneously destroying the primary and backup communications fiber and power supply cables because they passed through the same conduit.
Any facility can be subject to an unexpected power outage and suffer a disruption despite business continuity and disaster recovery plans. For example, a data center co-location provider’s facility recently suffered an outage of 45 minutes when it lost grid power and backup generators failed to start. Several well-known and popular websites were unavailable for several hours as a result.
Preparations made to deal with disaster may be insufficient if adequate attention is not given to the alternative plans. For example, the majority of the nation’s securities markets were able to continue operations without any significant disturbances during the northeast power outage of August 2003; however, the American Stock Exchange (Amex) was only able to operate for 30 minutes on August 15 due to its inability to implement its alternative plan. Amex had planned to operate that day using generators for its systems and utility-provided steam for the cooling system for the electronics on the exchange’s trading floor. During the early morning hours that day, the steam utility stopped generating the steam power that Amex needed. Amex was ultimately able to obtain a backup steam-generation boiler with the assistance of the New York City Office of Emergency Management but was only able to operate from 3:45 p.m. until 4:15 p.m.
Loss of service to customers may lead to potential financial liability on the part of financial institutions in the event customers attempt to recoup losses, to the extent possible, under either contract or negligence theories. To the extent that backup or business continuity plans were flawed, improperly executed, or not in compliance with applicable regulations, liability might ensue despite protective language in the institution’s agreements with its customers. Such language might include force majeure provisions characterizing a loss of power as an event beyond the control of the institution.
Further, financial institutions are not likely to be able to recoup the institution’s damages or any damages paid to the financial institution’s customers from the electric utility. This is the case even when the utility is responsible for the outage. This is due to the fact that many utilities operate under tariff provisions that limit the utility’s liability for power outages.
To protect themselves, financial institutions should maintain their systems in excellent condition and keep disaster recovery plans updated and tested on a regular basis. Financial institution personnel must be properly trained to handle power outages and procedures should be in place for handling outages when they occur. Financial institutions should anticipate and plan for possible failures in backup and recovery systems and ensure that the appropriate personnel having experience with the equipment are available at all times to handle a power outage based upon the assumption that an outage will occur and backup systems may fail.
Financial institutions should also seek to insure their facilities for losses due to power outages. A well-thought-out contingency plan, complete with business continuity and disaster recovery planning, regularly tested equipment, properly trained personnel and well-documented procedures, will help financial institutions to avoid potential outages or reduce their severity and, consequently, their risk of liability.