Podcast: Planning for Business Continuity and Disaster Recovery

In this podcast, Ken Bentsen, SIFMA President and CEO, along with Tom Price, managing director, and Charles DeSimone, vice president, both of whom work on SIFMA’s operations, technology, cyber & BCP efforts, provide an informative overview of the industry-wide business continuity test facilitated by SIFMA on October 24, 2020 and highlight its successful completion.


Transcript:

Ken Bentsen: Welcome to The SIFMA Podcast. I’m Ken Bentsen, SIFMA President and CEO. Today we are discussing the successful SIFMA-led business continuity test which took place over the weekend.  Here with me to discuss the issues and SIFMA’s broader BCP and disaster recovery efforts are my colleagues Tom Price, managing director, and Charles DeSimone, vice president, both of whom work on SIFMA’s operations, technology, cyber & BCP efforts.  So, let’s get started.

Ken:  Tom, let’s start at the top.  Could you give us an overview of this past weekend’s test?

Tom Price: Thanks, Ken.  On Saturday, October 24, SIFMA led a successful industry-wide business continuity test.  This test is a critical exercise that highlights our industry’s ability to operate through a significant emergency using backup sites, recovery facilities and backup communications capabilities across the industry.  The exercise involves test transactions for products like commercial paper, equities, options, fixed income, and included processes such as settlement, payments, Treasury auctions and market data.  Regulation Systems Compliance and Integrity requires that each SCI entity designate members and participants that meet a certain criteria like market share to take part in an annual business continuity and disaster recovery test, and SIFMA facilitates the test for the industry as part of our business continuity planning and disaster recovery work.  Reg SCI entities completed their testing requirements in parallel with the SIFMA industry backup test which we’ve been organizing for well over a dozen years.

Ken: Charles, maybe you can tell us, what is the scope of Reg SCI?

Charles DeSimone: Sure. The SEC adopted Regulation SCI in 2014 to strengthen the technology infrastructure of the U.S. securities markets.  Specifically, the rules are designed to reduce the occurrence of systems issues, improve resiliency when systems problems do occur, and enhance the SEC’s oversight and enforcement of securities market technology infrastructure.  Reg SCI applies to “SCI entities,” a term which includes SROs–including stock and options exchanges, registered clearing agencies, FINRA and the MSRB, alternative trading systems that trade NMS and non-NMS stocks exceeding specified volume thresholds, disseminators of consolidated market data, or plan processors, and certain exempt clearing agencies. The regulation applies primarily to the systems of SCI entities that directly support any one of six key securities market functions – trading, clearance and settlement, order routing, market data, market regulation, and market surveillance.

Charles:  Tom, you opened by saying the test was successful. Would you share the results?

Tom: Happy to Charles. Participants in the robust SIFMA test included approximately 100 security firms and 80 different industry participants.  During the test, approximately 2,000 communications connections were established between security firms and banks and the exchanges, markets and utilities.  The results underscore the ability of the securities industry to operate through adverse conditions, which is of particular focus and importance given the COVID-19 global pandemic.

Tom: Ken, I’d like to ask you a question. SIFMA’s business continuity and cybersecurity efforts are an evergreen Board priority. Can you share with us how the discussions evolved in 2020, given all the unforeseen events of this year?

Ken: Sure, it’s a great question.  Financial services is a critical infrastructure sector as defined by the U.S. Department of Homeland Security.  Its assets, systems and networks, whether physical or virtual, are so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security and the national public health or safety.  Obviously, the crisis we’ve been in since March with the pandemic underscores the importance of things like BCP, systems resiliency, operational resiliency and cyber resiliency are to maintaining and operating and keeping markets open.  From the outset of this crisis, we arranged coordination among financial firms, exchanges, industry utilities, regulators, government agencies and public sector emergency managers.  The number one goal of our BCP practice and efforts is to keep markets open and functioning, and they have done that.  Despite significant obstacles, the industry kept the markets running, provided businesses with much needed liquidity during a time of severe stress, continued to serve and advise clients, and ensured timely clearance and settlement activities.  This successful effort should provide great confidence that the industry can successfully navigate any future turmoil or uncertainty, be it a natural disaster, health crisis, social unrest or otherwise.  I think what underscores that is the fact that this isn’t just something the industry picks up and does.  It’s underscored by the test that happened this past weekend and many other exercises and tests that the industry does throughout the year, year after year, ensuring that the muscle memory is there, to be able to navigate any sort of crisis, whether it’s a pandemic, whether in the past it was Super Storm Sandy, whether it’s outages of a major utility—things that frankly you can plan for but you can’t predict.  That planning and exercising is so important.  And that’s why our Board recognizes that even this year more than ever, business continuity testing and preparedness is essential to well-functioning markets.

Ken:  Tom, can you walk us through the objectives of the test?

Tom:  The testing program combines several different elements, each with different parameters, though all share the common objectives of ensuring firms and market infrastructure providers are prepared to respond to disruptions that would force them to use backup infrastructure.  The objective of the 2020 Reg SCI test is that SCI entities conduct functional and performance testing of  business continuity and disaster recovery plans with participating members to exercise and verify the ability to operate through a business continuity or a disaster recovery event using their backup sites, recovery facilities and backup communication capabilities.  The 2020 test was designed to verify that SCI entities are able to demonstrate that they can support the maintenance of fair and orderly markets in the event the Reg SCI entities’ business continuity and disaster recovery plans need to be activated.  The 2020 test is an industry coordinated test as required by Reg SCI, but it is not an end-to-end industry integrated test; it is a test for each individual SCI Entity to test its own business continuity and disaster recovery environment.  The test is not systems capacity test; however, the test should generate enough message traffic to support trading and dissemination of market data through the SIPs.  The test is not a pass/fail exercise for the participating members. However, some SCI members, based on their rulebook, will publish results. Others will provide members with a scorecard outlining capabilities and issues.  Alongside the Reg SCI test, we have a more basic connectivity test program, which focuses on establishing connections and basic message traffic with the infrastructure providers who are not part of the Reg SCI entities – such as fixed income trading venues, market data providers, FX venues, payment platforms, and service bureaus – and this allows broker-dealers who are not mandatory Reg SCI testers to carry out more basic testing with Reg SCI entities.  In addition, the U.S. Treasury also holds a simulated Treasury auction as well.

Tom:  Charles, can you explain how the test itself operates?

Charles:  Sure, I’d be happy to. All participants conducted the test from their production or disaster recovery environments.  For the Reg SCI test, firms submitted a representative sample of daily trade transactions to the exchanges.  The trades covered all in-scope product types.  The exchanges then conducted trade matching and transmitted matched trades to clearing agencies to demonstrate connectivity to the clearing agency.  The exchanges received and verified messages such as pending/rejected trades and executions.  All entities worked together successfully to execute the test.  During the test day itself, SIFMA operates a virtual command center to oversee the test and to help troubleshoot any issues that may arise.

Ken: Finally, Tom, what is on the horizon in the operations, technology, cyber & BCP arena for SIFMA?

Tom Price: The most immediate is that we’re hosting SIFMA’s Ops Virtual Forum, which is taking place on November 4 and 5, which of course has sessions focused on cybersecurity but will more broadly have the business continuity theme woven throughout the program.  SIFMA, with our partner Protiviti, published a new report on COVID-19 lessons learned to date, weighing the benefits and disadvantages of various responses and approaches. The report identifies key considerations that should be top of mind of business leaders as they strategize to build resiliency and thrive in the new environment.  At the Ops Virtual Forum, we’ll be reviewing the lessons learned and the findings. Looking ahead, we’re very focused on one point which is also highlighted in the paper:  now is the time for firms to assess which existing operational practices should remain in place and which should be changed. We need to evaluate which metrics best demonstrate their ability to respond to a crisis and determine which operational resiliency programs to implement or accelerate to prepare for any future disruptions.  And of course, we are already planning for our bi-annual Quantum Dawn cyber exercise, being held in late 2021.

Ken: That’s great. I want to thank you Tom and Charles for this discussion on the overview of the event of SCI testing over this past weekend and also the discussion around BCP more generally. Again, the events of the last several months underscore the importance of BCP testing and learning from those exercises—not just from the testing but from the experience—and how we fold that into our practices on resiliency going forward.   To learn more about SIFMA and our work to promote effective and resilient capital markets, please visit us at www.sifma.org, and thank you for joining us today.

Kenneth E. Bentsen, Jr. is president and CEO of SIFMA, the voice of the nation’s securities industry. He is also chief executive officer of the Global Financial Markets Association (GFMA). Tom Price is a managing director and head of technology, operations and business continuity for SIFMA. Charles DeSimone is a vice president of technology and operations for SIFMA.