Financial Market Preparedness:

Improvements Made, but More Action Needed to Prepare for Wide-Scale Disasters

GAO-04-984: Published: Sep 27, 2004. Publicly Released: Oct 27, 2004.

Additional Materials:

Contact:

Richard J. Hillman
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In February 2003 reports, GAO identified actions needed to better prepare critical financial market participants for wide-scale disasters, such as terrorist attacks. To determine progress made since then, GAO assessed (1) actions that critical securities market organizations took to improve their ability to prevent and recover from disruptions, (2) actions that financial market and telecommunications industry participants took to improve telecommunications resiliency, (3) financial regulators' efforts to ensure the resiliency of the financial markets; and (4) SEC's efforts to improve its program for overseeing operations risks at certain market participants.

The critical securities market organizations and market participants GAO reviewed had taken actions, since GAO's previous reports, to further reduce the risk that their operations would be disrupted by terrorist attacks or other disasters. For example, they had added physical barriers, enhanced protection from hackers, or established geographically diverse backup facilities. Still, some entities had limitations that increased the risk that a wide-scale disaster could disrupt their operations and, in turn, the ability of securities markets to operate. For example, three organizations were at a greater risk of disruption than others because of the proximity of their primary and backup facilities. In addition, four of the eight large trading firms GAO reviewed had all of their critical trading staff in single locations, putting them at greater risk than others of a single event incapacitating their trading operations. Geographic concentration of these firms could leave the markets without adequate liquidity for fair and efficient trading in a potential disaster. Since GAO last reported, actions were taken to improve the resiliency of the telecommunications service critical to the markets, including creating a private network for routing data between broker-dealers and various markets. Maintaining telecommunications redundancy and diversity over time will remain a challenge. Financial market regulators also took steps that should reduce the potential that future disasters would disrupt the financial markets, such as issuing business continuity guidelines for financial market participants designed to reopen trading markets the next business day after a disruption. However, despite the risk posed by the concentration of broker-dealers' trading staffs, and the lack of regulations requiring broker-dealers' to be prepared to operate following a wide-scale disruption, SEC had not fully analyzed the extent to which these organizations would be able to resume trading following such a disruption. Furthermore, while SEC has made some improvements to the voluntary program it uses to oversee the information security and business continuity at certain critical organizations, it has not taken steps to address key long-standing limitations. Despite past difficulties obtaining cooperation with recommendations and a lack of resources to conduct more frequent inspections, SEC had not proposed a rule making this program mandatory or increased the level of the program's resources--as GAO has previously recommended. In addition, SEC appeared to lack sufficient staff with expertise to ensure that the organizations in the program adequately addressed the issues identified in internal or external reviews, or to identify other important opportunities for improvement. Although SEC staff continue to assess the impact of a recent reorganization involving the programs staff, whether the current placement of the program within SEC is adequate for ensuring that the program receives sufficient resources is not yet clear.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: In addition, to improve the effectiveness of SEC's ARP program, which oversees preparedness of securities trading and clearing organizations for future disasters, the Chairman, SEC, should assess the adequacy of ARP staffing in terms of positions and technical skill levels, including information security expertise, given its mission and workload.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: The SEC Automation Review Program, which oversees information technology and operational issues at exchanges and markets, has hired two additional staff with MBAs with concentrations in Management Information Systems and work experience in IT and is in the process of hiring one additional MBA with a concentration in Management Information Systems.

    Recommendation: In addition, to improve the effectiveness of SEC's ARP program, which oversees preparedness of securities trading and clearing organizations for future disasters, the Chairman, SEC, should establish a definite time frame for the submission of a rule requiring exchanges and clearing organizations to engage in activities consistent with the operational practices and other tenets of the ARP program.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: Since we made this recommendation, staff from SEC's Market Regulation Division provided us with a timeline by which they took and planned to take various actions to present a rule for Commission approval that will make adherence to the ARP program mandatory for affected organizations, as we previously recommended. Events that have occurred on this timeline include the original drafting of the rule, revision of the draft rule to make it more of a prudential-style rule, and and its submission to SEC's Office of General Counsel in October 2007. Since then, the staff have responded with changes per OGC comments, including submitting a revised version of the draft rule to their OGC again in June 2008. As of July 2008, the division's staff have advised us that they will encourage their counsel's office to complete its review and submit the rule for commission approval.

    Recommendation: To provide greater assurance that the critical trading that is conducted in U.S. financial markets can resume, in as timely a manner as appropriate, after disruptions, the Chairman, SEC, should fully analyze the readiness of the securities markets to recover from major disruptions and work with industry and other federal agencies, as appropriate, to determine reasonable actions that would increase the likelihood that trading in the markets could resume when appropriate.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: We have recommended in several past reports (GAO-03-251, GAO-03-414, and GAO-04-984) that SEC fully analyze the readiness of the securities markets to recover from major disruptions and continue trading activities. In conducting work for the most recent follow-on report to those engagements, SEC staff told us that they have considered how a wide range of disaster scenarios would affect the securities markets in consultation with the other federal agencies and local emergency management officials in New York and Chicago. Furthermore, they have conducted an analysis of the major firms to ascertain their willingness and ability to continue to trade in the event of a wide-scale disruption. This analysis was done in conjunction with compliance reviews related to recently issued market-wide business continuity guidance. SEC staff told us that the examined firms all expressed a commitment to continue to operate and have allocated substantial resources to enhance their resilience sufficiently to permit them to trade. Lastly, SEC has developed an expanded examination module to obtain more detailed information on firms' business continuity capabilities related to trading activities. SEC staff have made this part of the existing examination guidance for the SEC examiners and told us that they expect to use this expanded guidance in the applicable broker-dealer examinations beginning with the 2007 cycle. Based on the work discussed above, SEC staff believe that market participants have increased their resilience since September 11 and that sufficient numbers of firms and staff likely would be able to operate from various locations to allow U.S. markets to resume trading when appropriate.

    Recommendation: In addition, to improve the effectiveness of SEC's ARP program, which oversees preparedness of securities trading and clearing organizations for future disasters, the Chairman, SEC, should continue to assess the organizational alignment of the ARP program within SEC.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: SEC staff considered the alignment of the ARP program and recently reorganized it to combine it with staff that perform market surveillance activities. In response to our recommendation, SEC said that as part of its strategic planning process, it will continue to assess the proper placement of ARP within the organization.

    Mar 10, 2014

    Jan 6, 2014

    May 23, 2013

    May 22, 2013

    May 21, 2013

    Apr 24, 2013

    Apr 18, 2013

    Feb 28, 2013

    Feb 22, 2013

    Jan 29, 2013

    Looking for more? Browse all our products here