Business Continuity Planning

This paper, published in partnership with Protiviti, identifies and examines the operational recovery capabilities that are increasingly becoming standard expectations for third parties providing services to financial institutions.

Financial companies need to collect and share sensitive information to run their everyday business. Members of SIFMA’s Data Protection Working Group have developed a set of principles for the protection of sensitive data that align with the NIST Cybersecurity Framework.

• Data Protection Principles

The Financial Sector Cloud Outsourcing Issues and Considerations document seeks to address challenges related to transparency, resource gaps, exposure to operational incidents originating at cloud service providers (CSPs), and contract negotiation dynamics.

SIFMA, in partnership with Bortstein Legal Group, first developed this paper in 2020 and updated it in early 2024. Since 2020, the use of cloud infrastructure has grown significantly, and the attention of regulators to cloud — and the broader topics of operational risk and technology risk — remains high. In this paper, we examine the regulatory guidance in the United States, the European Union, the United Kingdom, and Canada, relevant to financial institutions’ relationships with providers of cloud services such as ‘Software as a Service’ (“SaaS”), ‘Infrastructure as a Service’ (“IaaS”), ‘Platform as a Service’ (“PaaS”).

Financial Institutions’ (FIs’) growing reliance on cloud services raises regulatory concerns about concentration risk and financial stability. To address this, regulators are mandating portability of data and services between cloud providers. However, this paper details why portability – or any other resiliency solutions – should not be prescribed, and that regulators should take a risk-based approach.

Financial firms whose essential staff who may be traveling to critical facilities during hours when shelter-in-place directives are in force should physically carry on their persons:

• Memorandum on Identification of Essential Critical Infrastructure Workers During COVID-19 Response (CISA, March 28, 2020);
• Statement by Secretary Steven T. Mnuchin on Financial Services Sector Essential Critical Infrastructure Workers, (U.S. Department of the Treasury, March 22, 2020);
• Documentation, on company letterhead, detailing work-related travel and how it aligns with the financial services sector list of essential critical infrastructure workers; and
• A company identification card and government-issued ID.

SIFMA’s industry-wide business continuity test is a critical exercise that highlights our industry’s ability to operate through a significant emergency using backup sites, recovery facilities and backup communications capabilities across the industry. SIFMA urges all firms to participate in this important annual event.

The 2021 Industry Test was held on Saturday, October 23, 2021. Learn more.

The 2022 test will be held on Saturday, October 15, 2022.

Cybersecurity is a top priority in the financial industry to ensure the security of customer assets and information and the efficient, reliable execution of transactions within markets.

• Cybersecurity Resources for Member Firms
• Cybersecurity Issue Page
• Quantum Dawn Cybersecurity Exercises
• GFMA Work on Cybersecruity and Operational Resiliency
• Principles for Data Recovery from a Severe Cyber Scenario
  

In the event of a significant incident that affects or has the potential to affect the operations of the financial system, SIFMA helps to coordinate the financial industry’s business continuity planning efforts.

These efforts are managed through SIFMA’s Emergency Crisis Management Command Center, which identifies the status of industry participants, disseminates vital information and facilitates actions to assist market response and recovery. Coordination is arranged amongst financial firms, exchanges, industry utilities, regulators, government agencies and public sector emergency managers. SIFMA also has an Emergency Site for industry alerts.

SIFMA is closely monitoring the Coronavirus (COVID-19) and its impact on our industry and the markets.

Financial services is a critical infrastructure sector as defined by the U.S. Department of Homeland Security. Its assets, systems and networks, whether physical or virtual, are so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security and national public health or safety.

In the event of a significant incident that affects or has the potential to affect the operations of the financial system, SIFMA helps to coordinate the financial industry’s business continuity planning efforts. These efforts are managed through SIFMA’s Emergency Crisis Management Command Center, which identifies the status of industry participants, disseminates vital information and facilitates actions to assist market response and recovery. Coordination is arranged amongst financial firms, exchanges, industry utilities, regulators, government agencies and public sector emergency managers. SIFMA also has an Emergency Site for industry alerts. SIFMA regularly engages in BCP exercises and we have a high degree of confidence in the industry’s ability to respond to and recover from emergencies.

In addition to business continuity planning efforts on behalf of the industry, SIFMA has coordinated requests for regulatory relief, monitored market trends and metrics, and looked to how the markets and industry might be reshaped by the pandemic. View more information and resources on the COVID-19 response.

• BCP Inquiries: Stephen Byron and Tom Wagner
• Media Inquiries: Katrina Cavalli