This is the accessible text file for GAO report number GAO-04-984 
entitled 'Financial Market Preparedness: Improvements Made, but More 
Action Needed to Prepare for Wide-Scale Disasters' which was released 
on October 27, 2004.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to the Committee on Energy and Commerce, House of 
Representatives:

September 2004:

FINANCIAL MARKET PREPAREDNESS:

Improvements Made, but More Action Needed to Prepare for Wide-Scale 
Disasters:

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-984]:

GAO Highlights:

Highlights of GAO-04-984, a report to the Committee on Energy and 
Commerce, House of Representatives

Why GAO Did This Study:

In February 2003 reports, GAO identified actions needed to better 
prepare critical financial market participants for wide-scale 
disasters, such as terrorist attacks. To determine progress made since 
then, GAO assessed (1) actions that critical securities market 
organizations took to improve their ability to prevent and recover 
from disruptions, (2) actions that financial market and 
telecommunications industry participants took to improve 
telecommunications resiliency, (3) financial regulators' efforts to 
ensure the resiliency of the financial markets; and (4) SEC's efforts 
to improve its program for overseeing operations risks at certain 
market participants.

What GAO Found:

The critical securities market organizations and market participants 
GAO reviewed had taken actions, since GAO's previous reports, to 
further reduce the risk that their operations would be disrupted by 
terrorist attacks or other disasters. For example, they had added 
physical barriers, enhanced protection from hackers, or established 
geographically diverse backup facilities. Still, some entities had 
limitations that increased the risk that a wide-scale disaster could 
disrupt their operations and, in turn, the ability of securities 
markets to operate. For example, three organizations were at a greater 
risk of disruption than others because of the proximity of their 
primary and backup facilities. In addition, four of the eight large 
trading firms GAO reviewed had all of their critical trading staff in 
single locations, putting them at greater risk than others of a single 
event incapacitating their trading operations. Geographic concentration 
of these firms could leave the markets without adequate liquidity for 
fair and efficient trading in a potential disaster. 

Since GAO last reported, actions were taken to improve the resiliency 
of the telecommunications service critical to the markets, including 
creating a private network for routing data between broker-dealers and 
various markets. Maintaining telecommunications redundancy and 
diversity over time will remain a challenge. Financial market 
regulators also took steps that should reduce the potential that 
future disasters would disrupt the financial markets, such as issuing 
business continuity guidelines for financial market participants 
designed to reopen trading markets the next business day after a 
disruption. However, despite the risk posed by the concentration of 
broker-dealers' trading staffs, and the lack of regulations requiring 
broker-dealers to be prepared to operate following a wide-scale 
disruption, SEC had not fully analyzed the extent to which these 
organizations would be able to resume trading following such a 
disruption. 

Furthermore, while SEC has made some improvements to the voluntary 
program it uses to oversee the information security and business 
continuity at certain critical organizations, it has not taken steps 
to address key long-standing limitations. Despite past difficulties 
obtaining cooperation with recommendations and a lack of resources to 
conduct more frequent inspections, SEC had not proposed a rule making 
this program mandatory or increased the level of the program's 
resources--as GAO has previously recommended. In addition, SEC appeared 
to lack sufficient staff with expertise to ensure that the 
organizations in the program adequately addressed the issues 
identified in internal or external reviews, or to identify other 
important opportunities for improvement. Although SEC staff continue 
to assess the impact of a recent reorganization involving the programs 
staff, whether the current placement of the program within SEC is 
adequate for ensuring that the program receives sufficient resources 
is not yet clear.

What GAO Recommends:

GAO recommends that the Chairman, SEC, fully analyze the readiness of 
the securities markets to recover from major disruptions and work with 
industry to determine actions that would better prepare the markets to 
resume trading. This report also recommends actions to improve SEC's 
information technology oversight program, including establishing a 
time frame for proposing a rule making the program mandatory, 
increasing its resources, and continuing to assess the alignment of 
the program within SEC.

SEC generally agreed with the findings and recommendations of this 
report.

www.gao.gov/cgi-bin/getrpt?GAO-04-984.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Davi M. D'Agostino at 
(202) 512-8678 or dagostinod@gao.gov.

[End of section]

Contents:

Letter:

Results in Brief:

Background:

Critical Organizations Reduced Risks from Physical or Electronic 
Attacks, but Some Organizations Still Had Limitations That Increased 
Potential for Disruptions:

Steps Are Under Way to Meet Challenge of Improving the Resiliency of 
Telecommunications:

Federal Financial Regulators Took Actions to Improve the Readiness of 
Securities Markets, but Further Actions Needed:

SEC Took Some Actions to Enhance Its ARP Program but Has Not Addressed 
Other Limitations to Its Effectiveness:

Conclusions:

Recommendations for Executive Action:

Agency Comments and Our Evaluation:

Appendixes:

Appendix I: Objectives, Scope, and Methodology:

Appendix II: Role of the Department of Homeland Security:

Appendix III: Comments from the Federal Reserve:

Appendix IV: Comments from the Securities and Exchange Commission:

Appendix V: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Acknowledgments:

Related GAO Products:

Abbreviations:

ARP: Automation Review Policy:

BCP: Business Continuity Plan:

CBR: chemical, biological, and radiological:

DHS: Department of Homeland Security:

ECN: Electronic Communications Network:

FBIIC: Financial and Banking Information Infrastructure Committee:

FCC: Federal Communications Commission:

FFIEC: Federal Financial Institutions Examination Council:

FISCAM: Federal Information System Controls Audit Manual:

FS/ISAC: Financial Services Information Sharing and Analysis Center:

FSSCC: Financial Services Sector Coordinating Council:

HSPD-7: Homeland Security Presidential Directive 7:

IAIP: Information Analysis and Infrastructure Protection:

MARC: Mutual Aid Restoration Consortium:

NASD: National Association of Securities Dealers, Inc.

NASDAQ: Nasdaq Stock Market, Inc.

NCS: National Communications System:

NRIC: National Reliability and Interoperability Council:

NSTAC: National Security Telecommunications Advisory Committee:

NYSE: New York Stock Exchange:

OCC: Office of the Comptroller of the Currency:

OCIE: Office of Compliance, Inspections, and Examinations:

SEC: Securities and Exchange Commission:

SFTI: Secure Financial Transaction Infrastructure:

SIA: Securities Industry Association:

SIAC: Securities Industry Automation Corporation:

TSP: Telecommunications Service Priority:

Letter September 27, 2004:

The Honorable Joe Barton, Chairman: 
The Honorable John D. Dingell, Ranking Minority Member: 
Committee on Energy and Commerce: 
House of Representatives:

The Honorable Fred Upton, Chairman: 
The Honorable Edward J. Markey, Ranking Minority Member: 
Subcommittee on Telecommunications and the Internet: 
Committee on Energy and Commerce: 
House of Representatives:

The Honorable Cliff Stearns, Chairman: 
The Honorable Jan Schakowsky, Ranking Minority Member: 
Subcommittee on Commerce, Trade, and Consumer Protection: 
Committee on Energy and Commerce: 
House of Representatives:

The massive destruction to property and supporting utility 
infrastructure resulting from the September 11, 2001, terrorist attacks 
on the World Trade Center exposed the vulnerability of the financial 
markets to disruption by such events. In February 2003, we reported 
that critical financial market participants and regulators took many 
actions to reduce the risk that such disasters would disrupt the 
markets' operations in the future.[Footnote 1] However, we also 
reported that some critical market participants still had limitations 
in their physical security protections or business continuity 
capabilities that increased their risk of being disrupted. In addition, 
we found that financial regulators had begun to take steps--such as 
issuing draft recovery goals and best practices for entities that 
perform the critical clearing and settlement functions that ensure that 
ownership and payments are transferred after trades occur--to reduce 
the likelihood that future disasters would lead to widespread payment 
defaults. Nevertheless, we also reported that regulators could take 
further actions to better ensure that trading could resume in a timely 
manner after such events. Thus, in our 2003 report, we recommended that 
the Securities and Exchange Commission (SEC) work with industry to 
improve the preparedness of the financial sector to resume operations 
after future disruptions.

To further improve the preparedness of securities organizations, we 
also made recommendations to SEC to improve the Automation Review 
Policy (ARP) program that it uses to oversee security and operations 
continuity issues at exchanges, clearing organizations, and electronic 
communications networks (ECN), which are electronic venues for matching 
and executing orders to trade securities. Finally, we recommended that 
SEC make compliance with ARP mandatory and, if possible, increase the 
level of staffing and resources committed to the program.

Because of ongoing concerns about our nation's vulnerability to 
terrorist attacks, you asked that we review progress made since our 
previous report by (1) securities market organizations, including 
exchanges and clearing organizations; (2) market participants, such as 
key banks and broker-dealers; and (3) financial regulators to reduce 
the likelihood of potential terrorist attacks and other disasters 
disrupting market operations. You also asked us to report on the 
progress that SEC has made in responding to our recommendations of 
developing goals, strategies, and business continuity practices that 
could better ensure that market participants, which are needed for 
trading activities to resume, would be prepared for future disasters. 
In addition, you asked that we review the actions SEC has taken to 
improve the ARP program. Specifically, we assessed (1) actions that 
critical securities market organizations and key trading or clearing 
firms undertook to reduce their risk of disruption from terrorist 
attacks or other disasters; (2) steps that financial market 
participants, telecommunications industry organizations, and others 
took to improve the resiliency of telecommunications systems; (3) 
financial regulators' efforts to ensure the resiliency of the financial 
markets; and (4) the progress SEC has made in improving the ARP 
program.

In performing our follow-up work, we reviewed regulatory and industry 
documents and interviewed staff from broker-dealers, banks, regulators, 
telecommunications providers, industry associations, and other 
organizations. We visited seven organizations that we categorized as 
"critical," based on our consideration of whether viable immediate 
substitutes existed for the products or services they offered or 
whether the functions they performed were essential for the overall 
ability of the U.S. securities markets to continue operations. We 
inspected various physical and electronic security measures at these 
seven organizations and reviewed their business continuity 
capabilities. In assessing the organizations' physical and electronic 
security and business continuity efforts, we used criteria that were 
either established by regulators or were generally accepted by 
government or industry. For our reviews, we relied on documentation and 
descriptions provided by market participants and regulators and reviews 
conducted by other organizations. When feasible, we also directly 
observed controls in place for physical security, electronic security, 
and business continuity at the organizations assessed. We did not test 
these controls by attempting to gain unauthorized entry or access to 
facilities or information systems, nor did we directly observe 
testing of business continuity capabilities. We also discussed the 
business continuity capabilities and improvements made by eight large 
broker dealers and banks that collectively represented a significant 
portion of trading and clearing volume on U.S. securities markets. In 
addition, we reviewed the efforts that financial market regulators, 
industry associations, and telecommunications carriers and 
organizations took to improve the resiliency of the financial markets. 
We performed our work from September 2003 through August 2004 in 
accordance with generally accepted government auditing standards. For 
security reasons, we did not include the names of the organizations we 
reviewed, their functions, or their locations in this report.

Results in Brief:

Since our 2003 report, all of the critical securities market 
organizations and trading firms we reviewed further reduced the risk 
they faced from physical or electronic attacks and improved their 
ability to recover from such events. For example, the organizations had 
reduced risks by adding physical barriers around their facilities, 
enhancing protection from hackers, or establishing geographically 
diverse backup facilities. However, three of the seven organizations, 
which we determined to be critical to the functioning of the securities 
markets, faced increased risk of operations disruptions because of 
limitations in their business continuity capabilities. Because these 
three organizations had backup operating sites located within the same 
geographic area as their primary facilities, they were at greater risk 
than the other organizations that a single, wide-scale event could 
prevent them from accessing or operating from either site.[Footnote 2] 
One of these three organizations also faced an increased risk that its 
operations could be disrupted because it had not yet developed 
procedures to ensure that staff capable of conducting its critical 
operations would be available if an attack or other event incapacitated 
personnel at its primary site. Each of the seven critical organizations 
we reviewed also improved the security of their information systems and 
networks. In addition, we reviewed eight broker-dealers and banks that 
conduct significant portions of U.S. securities markets trading and 
clearing activities, and we found that these firms also had further 
reduced the risk that potential future disasters would disrupt their 
operations. However, four of these key firms continued to face greater 
risk than others because they had concentrated key trading staff in 
single locations. Officials at some of these firms said they recognized 
this increased risk, but they said the decreased efficiency and 
increased costs that would be associated with splitting or rotating 
these staff exceeded the risk of disruption. Nevertheless, a wide-scale 
disaster could incapacitate trading staff at a sufficient number of 
firms to prevent the timely resumption of fair and orderly trading in 
the securities markets because a number of these firms were in the 
same geographic area.

Securities market participants, telecommunication carriers and 
industry organizations, and government agencies also worked to improve 
the resiliency of telecommunications services critical to the financial 
sector. Many firms learned in the aftermath of the September 2001 
attacks that their telecommunications services were not as resilient as 
expected because, in some cases, their communications carriers had 
rerouted their lines over time to follow similar physical paths. In 
response to the challenge of maintaining diversity, a new private 
communications network has been created to provide more reliable and 
resilient communications for the broker-dealers, exchanges, and 
clearing organizations that participate in securities and other 
markets. In addition, federal financial regulators and 
telecommunications organizations have been working together on 
initiatives to enhance telecommunications resiliency for the financial 
sector, such as identifying best practices and sponsoring financial 
market participants in federal programs that increase the priority for 
restoration of damaged communications circuits. Further, large 
telecommunications carriers serving the financial district in Manhattan 
also have been taking steps to improve the diversity of their network 
infrastructures and are offering services that may improve their 
customers' communications resiliency.

Since our 2003 report, financial market regulators have worked to 
reduce the degree to which potential future disasters would disrupt the 
financial markets. The regulators for banks and securities firms issued 
joint guidance that directs key clearing and settlement organizations 
to implement business continuity best practices--including having 
geographically diverse backup capabilities--by the end of 2004 that 
will enable them to resume clearance and settlement activities within 4 
hours following a wide-scale disruption. To better ensure that trading 
activities would also resume without undue delay, SEC also issued a 
policy statement that expects exchanges and ECNs to implement certain 
business continuity practices by the end of 2004. Specifically, these 
organizations would have to have the capability to resume trading the 
next business day after a wide-scale disaster. In addition, the New 
York Stock Exchange (NYSE) and the National Association of Securities 
Dealers (NASD) adopted new rules that require their member broker-
dealers to have business continuity plans in place by September 2004. 
As we reported in 2003, part of the delay in reopening the trading 
markets after the September 2001 attacks was attributable to the 
difficulties that broker-dealers faced in recovering their trading 
operations. SEC officials told us that because trading is a voluntary 
activity, and SEC cannot compel broker-dealers to participate in the 
markets to any degree, none of the new regulatory guidance requires 
trading firms to develop capabilities to resume operations following 
such events. Although several of the firms that account for a 
significant amount of securities trading volume face increased risk 
that a wide-scale disaster could disrupt their trading operations, SEC 
had not yet completely analyzed whether a sufficient number of trading 
firms are likely to be ready to resume trading after a wide-scale 
disruption. In addition, SEC had not completely analyzed whether firms 
located outside the affected area would be able and willing to conduct 
trading at a level necessary to ensure sufficiently fair and liquid 
markets if the currently most active firms were not.

While SEC had taken some steps to improve its ARP program, the agency 
had yet to address limitations that have hampered the effectiveness of 
the program. SEC staff now more frequently contact the entities they 
review--exchanges, clearing organizations, and ECNs--to determine 
whether appropriate actions are being taken in response to 
recommendations made by ARP staff. Although in the past, SEC has had 
problems with organizations cooperating with some ARP recommendations 
and other program components, SEC staff said that currently cooperation 
has improved. However, they also agreed that a rule making compliance 
with ARP guidelines mandatory--as we had recommended in our 2003 
report--would help ensure future compliance with the ARP program. While 
such a rule had been drafted, it had not yet been presented to the 
Commission. In addition, despite recommendations in our prior reports 
to increase ARP staff to do more frequent and in-depth examinations and 
the increased resources made available to the agency, SEC had not yet 
significantly increased the resources devoted to the ARP program. 
Further, while internal and external reviews of the operations of 
exchanges, clearing organizations, and ECNs are key to the 
effectiveness of the ARP program, we found instances where SEC had not 
ensured that the entities took adequate and timely steps to address the 
concerns identified in those reviews. Moreover, our work raised 
additional concerns that the ARP program's staff expertise and approach 
may not adequately address information security issues at the 
organizations it reviews. For example, at the critical organizations 
that we reviewed, we identified important additional opportunities for 
improvements in information security that internal or external 
reviewers or ARP staff had not identified. The ARP program was moved to 
a new office within the Division of Market Regulation in November 2003, 
and SEC staff told us this move has been beneficial but that they 
continue to assess its impact. However, whether the current placement 
of the program within SEC is adequate for ensuring that the ARP program 
receives sufficient resources and attention is not yet clear.

This report includes recommendations to the SEC Chairman to fully 
analyze the readiness of the securities markets to resume trading after 
potential future disasters, ensure that the ARP program has sufficient 
staff with appropriate expertise to review information security issues, 
and continue to assess the alignment of the ARP program within SEC's 
organizational structure. In commenting on a draft of this report, SEC 
generally concurred with our recommendations and described the actions 
it planned to take to implement them.

Background:

Customer orders for stocks and options, including those from individual 
investors and from institutions such as mutual funds, are generally 
routed through a broker-dealer and executed at one of the many 
exchanges located in the United States. After a securities trade is 
executed, the ownership of the security must be transferred and payment 
must be exchanged between the buyer and the seller. This process is 
known as clearance and settlement and is performed by separate clearing 
organizations for stocks and for options. A depository maintains 
records of institutional ownership for the bulk of the securities 
traded in the United States. Banks also participate in the U.S. 
securities markets by acting as clearing banks that maintain accounts 
for broker-dealers to accept and make payments for these firms' 
securities activities. Payments for corporate and government securities 
transactions, as well as for business and consumer transactions, are 
transferred by payment system processors, including those operated by 
the Board of Governors of the Federal Reserve (Federal Reserve) and 
private organizations. Virtually all of the information processed is 
transferred between parties via telecommunications systems, and as a 
result the securities markets depend heavily on their supporting 
telecommunications infrastructure.

Although thousands of entities are active in the U.S. securities 
markets, certain key participants are critical to the ability of the 
markets to function. Some are more important than others because they 
offer unique products or perform vital services. For example, markets 
cannot function without the activities performed by clearing 
organizations; and in some cases, only one clearing organization exists 
for particular products. In addition, other market participants are 
critical to the overall market functioning because they consolidate and 
distribute price quotations or information on executed trades. Other 
participants may be critical to the overall functioning of the markets 
only in the aggregate. For example, if one of the thousands of broker-
dealers in the United States is unable to operate, its customers may be 
inconvenienced or unable to trade, but the impact on the markets as a 
whole may just be a lower level of liquidity or reduced price 
competitiveness. However, a small number of large broker-dealers 
account for sizeable portions of the daily trading volume on many 
exchanges. If several of these large firms were unable or unwilling to 
operate, the markets might not have sufficient trading volume to 
function in an orderly or fair way.

Several federal organizations oversee the various securities market 
participants.[Footnote 3] SEC regulates the stock and options exchanges 
and the clearing organizations for those products. In addition, SEC 
regulates the broker-dealers that trade on those markets and other 
participants, such as mutual funds, which are active investors. The 
exchanges also have responsibilities as self-regulatory organizations 
for ensuring that their participants comply with the securities laws 
and the exchanges' own rules. SEC or one of the depository institution 
regulators oversees participants in the government securities market, 
but the Department of the Treasury (Treasury) also plays a role. 
Treasury issues rules pertaining to the securities markets, but SEC or 
the bank regulators are responsible for conducting examinations to 
ensure that these rules are followed. Additionally, several federal 
organizations have regulatory responsibilities over banks and other 
depository institutions, including those active in the securities 
markets. The Federal Reserve oversees bank holding companies and state-
chartered banks that are members of the Federal Reserve System. The 
Office of the Comptroller of the Currency (OCC) examines nationally 
chartered banks.

Critical Organizations Reduced Risks from Physical or Electronic 
Attacks, but Some Organizations Still Had Limitations That Increased 
Potential for Disruptions:

Critical organizations and other trading and clearing firms improved 
their readiness for future terrorist attacks or other disasters in 
several ways, but some still remained at greater risk of disruption 
than others. For example, since our 2003 report, all of the seven 
critical organizations we reviewed reduced risks by adding physical 
barriers around their facilities, enhancing protection from hackers, or 
establishing geographically diverse backup facilities. However, 
several organizations still faced an increased risk of disruption from 
potential future attacks, either because of the location of their 
backup facilities or because they have not taken steps to better ensure 
the availability of critical staff. The key broker-dealers and banks 
that conduct significant trading and clearing activities that we 
reviewed had also improved their business continuity capabilities, but 
some were still at greater risk of disruption than others due to the 
concentration of key trading staff in single locations. Working 
together through industry associations, market participants also 
improved their ability to withstand future disasters by, for example, 
establishing crisis command centers.

Critical Organizations Further Improved Physical and Electronic 
Security:

Since our previous report, almost all of the critical organizations 
took steps to improve their physical and electronic security. Physical 
security encompasses measures such as installing physical barriers 
around buildings, screening people and objects, and using employee and 
visitor identification systems. We assessed the organizations' physical 
security using standards and best practices developed by the Department 
of Justice.[Footnote 4] For example, as a deterrent to potential 
attacks, one organization increased the number of armed security 
officers that protect the perimeter of its facility. These security 
personnel are also now clad in military-style uniforms and possess 
greater firepower than they did previously. In addition, this 
organization installed additional video cameras to allow it to monitor 
more locations around its facility. Another organization we reviewed 
had installed new perimeter barriers and X-ray equipment outside of its 
facility to better protect its lobby and other interior spaces. Four of 
the critical organizations we reviewed still faced increased risks in 
their physical security, such as an inability to control vehicular 
traffic around their primary facility, which put them at greater risk 
of disruption from potential physical attacks than other organizations. 
However, each of these four organizations also had geographically 
diverse backup facilities capable of conducting some or all of the 
organization's critical operations, mitigating the effect of a 
disruption at the primary facility.

All seven organizations had also implemented countermeasures to 
mitigate chemical, biological, and radiological (CBR) threats. For 
example, each organization had identified its facilities' outdoor air 
intakes, which can be highly vulnerable to CBR attacks, and took steps 
to prevent access to them. Such steps included installing locks, video 
cameras, security lighting, and intrusion detection sensors in order to 
establish a security zone around the air intakes. The organizations 
also took actions to prevent public or unauthorized access to areas 
that provide access to centralized mechanical systems, including 
heating, ventilation, and air conditioning equipment. Finally, some 
organizations also isolated their lobbies, mail processing areas, and 
loading docks.

An effective physical security program includes periodic testing of 
controls such as reviews of security guard performance outside of 
normal business hours, attempts to bring in prohibited items (such as 
weapons), and review of employees' use of access to restricted and 
sensitive areas. Periodic monitoring of such controls not only provides 
a valuable means of identifying areas of noncompliance or previously 
undetected vulnerabilities, but can also serve to remind employees of 
their security responsibilities and demonstrate management's 
commitment to security. Each of the organizations we visited performed 
these types of tests on a periodic basis.

The critical organizations also continued to invest in information 
security measures to reduce the risk that their operations would be 
disrupted by electronic attacks. Electronic attacks can come in 
different forms and include attacks in which persons (such as hackers) 
attempt to gain unauthorized access to a specific organization or 
system, or attacks by malicious code, such as viruses or 
worms. We applied criteria from the Federal Information System Controls 
Audit Manual, as well as other federal guidelines and industry best 
practices, to assess the organizations' information security. For more 
information on the scope of our assessment, please see appendix I. All 
of the organizations we reviewed enhanced protections against 
unauthorized outside access to their computer systems. For example, one 
organization increased the coverage of its intrusion detection and 
prevention systems to better monitor and address attacks by outsiders. 
Some of the organizations we reviewed also had invested in more secure 
technologies. For example, one organization put in place a new 
multitiered external network, which provides multiple layers of 
security. During our reviews, we also identified and discussed with 
these organizations additional actions they could take to further 
improve their information security.

Critical Organizations Improved Their Ability to Recover from 
Disruptions, but Some Faced Limitations That Increased Risks:

All the critical organizations had also further increased their ability 
to recover from attacks or other disasters since our 2003 report, but 
some still had limitations in their business continuity capabilities 
that increased their risk of disruption. Since our report, these 
organizations also have more specific standards against which to 
measure their capabilities because federal financial regulators have 
issued business continuity guidelines and principles that set 
expectations for these organizations.[Footnote 5] These regulatory 
guidelines direct the organizations to establish geographically diverse 
backup capabilities and state that the operation of a backup site 
should not be impaired by a wide-scale evacuation at the primary site 
or the inaccessibility of the staff. Although the guidance does not 
specify a minimum distance between primary and backup facilities, 
regulators state that such facilities should not rely on the same 
infrastructure components, such as transportation, telecommunications, 
water supply, and power supply.

As of May 2004, four of the seven critical organizations had 
geographically dispersed backup sites that their officials indicated 
were capable of conducting the organizations' critical operations. Each 
backup site was located at a considerable distance from the 
organizations' primary sites--ranging from almost 300 miles to over 
1,100 miles. However, as of June 2004, the remaining three critical 
organizations that we noted in our previous report as lacking 
geographic separation between their primary and backup facilities did 
not have geographically diverse backup facilities capable of assuming 
all critical operations. Instead, these three organizations' current 
backup facilities were located within the same geographic area as their 
primary sites (although, as discussed below, one organization had a 
geographically diverse facility that it could use to run some of its 
critical applications). Officials at one organization said that these 
facilities do not depend on the same infrastructure components as their 
primary facilities, although in some cases they would depend on the 
same transportation system. Although having backup sites does reduce 
the risk that these organizations' operations would be disrupted in 
future attacks, both primary and backup facilities could be affected by 
wide-scale events, and thus, these organizations faced an increased 
level of risk of operational disruptions.

However, officials at the three critical organizations that lacked 
geographically dispersed backup sites were reducing the risks resulting 
from the proximity of their primary and backup facilities. One 
organization established a geographically diverse backup site, and as 
of June 2004, had the ability to run some of its critical operations 
from that site. Officials at this organization anticipated being able 
to conduct all of its critical operations from the new site by the end 
of 2005. To reduce the risk arising from certain types of events, the 
other two organizations had begun work to establish management systems 
that would allow them to operate the hardware and systems at their 
primary sites from geographically remote locations. Federal financial 
regulators have stated that having a backup site that is fully capable 
of operating all critical functions is necessary for organizations to 
ensure that they can meet regulators' recovery objectives. (We discuss 
recovery objectives more fully later in this report.) However, these 
organizations' remote management capabilities, which both intended to 
have in place by the end of 2004, would allow them to continue 
operating under disaster scenarios in which their facilities were not 
damaged but were rendered physically inaccessible for public safety or 
other reasons. As of August 2004, one of these two organizations had a 
plan to implement a geographically diverse backup site by April 2005. 
The other organization was considering alternatives for being able to 
recover its operations in geographically dispersed locations but had 
not developed any definite plans.

Additionally, at the time we conducted this review, six of the seven 
organizations had arrangements in place that appear to ensure the 
availability of critical staff. Organizations also can enhance business 
continuity capabilities following a disaster by implementing plans to 
ensure the availability of key staff, if staff who perform critical 
activities at a primary facility become incapacitated. For example, one 
organization rotated its critical staff among multiple locations, 
ensuring that all such staff were never in the same location at the 
same time. However, one of the seven organizations had not developed a 
formal plan for ensuring the availability of key staff. Officials at 
this organization said they believed that, for a variety of reasons 
including vacations and business travel, enough of the staff needed to 
conduct critical operations were away from the primary facility at any 
one time. However, they had no formal plan to ensure that 
sufficient numbers of trained staff would be available should staff at 
the primary facility be lost. In July 2004, officials from this 
organization said they were seeking to have such a plan in place in the 
near future. This particular organization already faced an 
increased risk of disruption because it was also one of the three 
organizations that did not yet have a geographically diverse backup 
facility. While this organization had improved its physical security, 
which can help protect an organization's primary facility as well as 
its critical staff, it was still at greater risk of disruption than 
other critical organizations.

Further, all seven organizations that we reviewed appeared to be 
following sound practices for ensuring the continuity and 
recoverability of their critical telecommunications services. Business 
continuity guidelines identify five telecommunications-related 
practices that organizations can follow to improve the continuity of 
their critical telecommunications services: developing and maintaining 
an inventory of existing telecommunications services, identifying those 
services critical to continued operations, identifying the risks to 
those services, developing strategies and solutions to mitigate those 
risks, and testing those risk mitigation and continuity 
strategies.[Footnote 6] Specifically, the critical organizations we 
reviewed inventoried their voice and data telecommunications services 
and identified those services critical to their operations. The 
organizations also took actions to identify and mitigate their 
respective risks. For example, to mitigate the risk that a single 
failure point in their internal networks might disrupt their 
operations, all organizations linked their facilities to public 
networks at two diverse points on their premises and distributed those 
connections throughout their facilities through redundant cabling. To 
limit their exposure to disruptions in public network facilities, some 
organizations also subscribed to services that linked their facilities 
to the public network at multiple points and also linked them to 
services that would reroute their connections around failure points 
that might occur in the public networks. To improve service 
recoverability, six of the seven organizations were also taking 
advantage of a federal telecommunications priority program that would 
provide increased priority for restoration of the key 
telecommunications circuits in their inventories in the event of a 
disruption.[Footnote 7] These critical organizations were also testing 
their own abilities to recover their communications operations during a 
disaster and to communicate with key customers and organizations. 
Further, within their overall continuity strategies, most critical 
organizations were either establishing or continuing to operate out-of-
region telecommunications facilities that would, among other things, 
reduce the risk that a failure in local telecommunications services at 
any one location would pose a risk to their continuing operations.

Finally, given that most organizations had limited resources, 
effectively managing operations risks involved balancing additional 
protections for facilities, personnel, and systems with enhancing 
business continuity capabilities. As part of this process, 
organizations take into consideration that enhancing capabilities in 
one area can help mitigate vulnerabilities in another area. For 
example, as noted previously, four of the critical organizations we 
reviewed had weaknesses in their physical security but also had 
geographically diverse backup facilities capable of conducting some or 
all of the organization's critical operations, mitigating the effect of 
a disruption at the primary facility. That is, if a physical security 
weakness allowed a disruption to occur at the organization's primary 
facility, operations could be transferred to a backup facility. 
Similarly, one organization that had not yet implemented a 
geographically diverse backup facility had made significant 
improvements to the physical security protections in place at its 
primary facility, which can help reduce the likelihood of that facility 
becoming incapacitated by potential physical attacks.

Broker-Dealers and Banks Also Reduced Their Risk of Disruption, but 
Some Faced Increased Risk Because of Concentration of Key Staff:

The trading firms with whom we spoke--eight trading firms, including 
five large broker-dealers and three banks whose activities represent a 
significant portion of the total trading and clearing volume on U.S. 
markets--also took steps to improve their recovery capabilities, but 
some still faced increased risk of disruption. The smooth functioning 
of U.S. securities markets also depends on the ability of trading firms 
to conduct trading and clear and settle their transactions. In our 2003 
report, we noted that because of the considerable efforts required for 
broker-dealers to restore operations, insufficient liquidity existed to 
open the markets during the week of the September 2001 attacks. For 
example, several large broker-dealers had not invested in backup 
facilities and had to recreate their trading operations at new 
locations; others needed to improve their business continuity 
capabilities for telecommunications. All of the firms we spoke with 
during this review said they had backup data centers capable of running 
critical applications and also had alternate locations out of which key 
staff could operate if the primary facilities should become unusable. 
For example, to address the potential for a region-wide disruption in 
New York City, one firm was developing a geographically diverse backup 
center. Another firm improved its ability to ensure the availability of 
critical staff by dividing key technical and business staff between two 
separate locations. All of the firms also took steps to improve their 
ability to retain telecommunications capabilities in the event of a 
disruption. For example, all five of the broker-dealers with whom we 
spoke had begun using the Secure Financial Transaction Infrastructure, 
a private telecommunications network linking financial market 
participants.[Footnote 8] Four of the broker-dealers and all three of 
the banks also said they were required to meet federal regulatory goals 
for the recovery of their clearing and settlement operations and that 
they were taking steps that would allow them to meet those goals within 
the recommended time frames.[Footnote 9]

However, four of these firms were at greater risk of a disruption to 
their trading operations than other firms because of the concentration 
of key trading staff in a single location at the same time. Each of 
these firms did have alternate locations out of which key trading staff 
could work, which would allow them to recover their trading activities 
if their primary site were damaged or inaccessible. However, officials 
at these firms said that if the trading staff at the primary site were 
incapacitated, they would either not be able to resume trading quickly 
enough to meet regulators' goal of recovering trading activity on a 
next-day basis, or if able to resume trading, they would not be able to 
trade at normal capacity. For example, officials at two firms said that 
if they were to lose their trading operations staff, it would likely 
take several weeks to reconstitute their trading operations, even using 
staff from other locations. Officials at one of these firms said that 
replacing highly skilled trading staff with inexperienced staff could 
put the firm's capital at risk and that while they might eventually 
reconstitute their trading operations, they would likely exit the 
market for an indefinite period of time. Although officials at both of 
these firms said they recognized that they faced increased risk, they 
said at this point, the decreased efficiency and increased costs that 
would be associated with splitting or rotating these staff were viewed 
as too great, compared with the potential risk of disruption.

Securities Industry Organizations Undertook Testing and Crisis 
Coordination Efforts:

In addition to taking actions individually, securities market 
participants also have worked jointly to improve the readiness of the 
financial sector for potential future attacks. One of the weaknesses we 
noted in our 2003 report was that some organizations had not completely 
tested their business continuity capabilities, and some also lacked 
sufficient connectivity to the backup sites of other organizations. To 
increase the industry's overall readiness, the Securities Industry 
Association (SIA), which represents over 600 of the broker-dealers 
active in U.S. markets, has been coordinating an industry-wide testing 
project since September 2002. The first phase of the project had 
broker-dealers testing connections from their backup facilities to the 
core clearing and settlement organizations and correctly sending and 
receiving information. The second phase of the project will involve 
broker-dealers, exchanges, and other securities market participants in 
exercises that will simulate regional power and telecommunications 
outages. During the exercises, participants will be expected to conduct 
critical operations from an alternative location as well as test 
connectivity and communications capabilities.

Although testing took longer than originally envisioned, SIA 
substantially completed the first phase by June 2004. According to SIA 
officials, smaller firms that are not testing as quickly as others 
contributed to the delay. Also according to SIA staff, the more than 
110 firms that completed at least part of the first phase of testing 
represented over 80 percent of broker-dealer trading activity, and 
nearly all of the 25 largest firms have completed most or all parts of 
this testing. Further, SIA conducted a disaster simulation exercise--
involving key industry participants as well as SEC--in May 2004 to help 
better prepare for the second phase of testing, which was scheduled to 
begin in the third quarter of 2004.

To address another concern revealed by the 2001 attacks, securities 
market associations established crisis command centers or other 
coordination procedures. Just after the September 2001 attacks, some 
market participants encountered difficulties in communicating and 
coordinating with other market participants, regulators, and 
governmental bodies that responded to the disaster. More specifically, 
to coordinate the industry's response and the dissemination of 
information during a crisis, in June 2002 SIA created a crisis command 
center. SIA also placed a representative at the New York City Office of 
Emergency Management, an office that acts as an interagency coordinator 
in partnership with local, state, federal, and private entities to 
provide comprehensive emergency response, hazard planning and disaster 
mitigation to New York City. According to SIA officials, they activated 
the SIA command center during the August 2003 blackout and during 
Hurricane Isabel in September 2003, allowing them to test and validate 
the functioning of the command center.

In addition, the trade association that represents firms active in bond 
trading, the Bond Market Association, also took action to improve its 
members' response to future crises. According to organization 
officials, this association created a structure for coordinating the 
response of participants in the fixed-income securities markets. The 
association would communicate with its members through one of its 
standing committees regarding the condition of the fixed-income 
securities markets and the potential opening and closing of those 
markets. In addition, the association's committee would share 
information and coordinate its actions with the SIA command center.

Finally, information regarding business continuity practices and 
potential threats to the industry has been shared with market 
participants. For example, SIA collected and distributed business 
continuity best practices to its members, established subcommittees to 
study business continuity-related issues, and conducted conferences to 
share and foster discussion of these issues in the securities industry. 
Also, Treasury designated another organization, the Financial Services 
Sector Coordinating Council (which comprises representatives from 
private firms in the financial industry) as the private-sector 
coordinator for critical infrastructure protection for the banking and 
finance sector. In particular this council, along with SIA and the 
American Bankers Association, has supported and promoted use by the 
financial sector of the Financial Services Information Sharing and 
Analysis Center (FS/ISAC), a mechanism to gather, analyze, and share 
information on threats, incidents, and vulnerabilities faced by the 
financial sector. The council also has been participating in 
educational and outreach efforts in conjunction with the Financial and 
Banking Information Infrastructure Committee, which coordinates 
critical infrastructure protection among federal financial regulators.

Steps Are Under Way to Meet Challenge of Improving the Resiliency of 
Telecommunications:

The September 2001 terrorist attacks highlighted the critical 
importance of resilient telecommunications services for the continued 
operation of U.S. financial markets. The resulting damage disrupted 
telecommunications service to thousands of businesses and residences, 
and some firms learned that their services were not as robust as they 
believed prior to that event. Since the 2001 terrorist attacks, 
telecommunications groups and carriers and financial market 
participants have worked to improve the resiliency and the 
recoverability of telecommunications services in the event of future 
disruptions.

September 2001 Attacks Highlighted Financial Sector Dependence on 
Telecommunications Services and Challenges of Maintaining Diverse 
Systems:

As we described in our 2003 report, the 2001 terrorist attacks resulted 
in significant damage to telecommunications facilities, lines, and 
equipment. The loss of telecommunications service as well as damage to 
power and transportation infrastructure delayed the reopening of the 
markets. Much of the disruption to voice and data communications 
services throughout lower Manhattan--including the financial 
district--occurred when one of the buildings in the World Trade Center 
complex 
collapsed into an adjacent Verizon communications center at 140 West 
Street, which served as a major local communications hub within the 
public network. Approximately 34,000 businesses and residences in the 
surrounding area lost services.[Footnote 10] The loss of this facility 
also resulted in disruptions to customers in other service areas 
because other telecommunications carriers had equipment colocated in 
140 West Street that linked their networks to Verizon and considerable 
amounts of telecommunications traffic that originated and terminated in 
other areas also passed through this location. AT&T's local network 
service in lower Manhattan was also significantly disrupted following 
the attacks.

The attacks also highlighted the difficulties of ensuring that the 
telecommunications services required to support critical financial 
market operations could withstand the effects of network disruptions. 
One of the primary ways that users of telecommunications services try 
to ensure that their services will not be disrupted is to use diverse 
telecommunications facilities to support their needs, including 
diversely routed lines and circuits. These steps are necessary to 
ensure that damage to any single point in one communications path does 
not cause all services to fail. However, ensuring that 
telecommunication service carriers actually maintain diverse 
telecommunications services is a long-standing financial industry 
concern. For example, a December 1997 report prepared by the 
President's National Security Telecommunications Advisory Committee 
(NSTAC) noted, "despite assurances about diverse networks from the 
carriers, a consistent concern among the financial services industry 
was the trustworthiness of their telecommunications diversity 
arrangements."[Footnote 11]

The ongoing operation and maintenance of network facilities can itself 
pose a challenge to ensuring diversity of services. To improve the 
reliability and efficiency of their networks, telecommunications 
carriers can change the physical network facilities they use to route 
circuits in a process they call "grooming." This process can result in 
a loss of diversity over time, however, if diverse services are 
rerouted onto or through the same facilities. For example, as our 2003 
report noted, many financial firms that thought they had achieved 
telecommunications service diversity still experienced service 
disruptions as a result of the September 2001 attacks. Some of these 
firms indicated that although they were assured that their 
communications circuits flowed through physically diverse paths, at the 
time they first acquired those services, their service providers 
rerouted some circuits over time without their knowledge, eliminating 
the assurance of diversity and leaving the firms more vulnerable to 
disruption.[Footnote 12]

However, an NSTAC 2004 report noted that carriers would have to follow 
labor-intensive, manual processes to ensure route diversity and monitor 
that condition on an ongoing basis.[Footnote 13] NSTAC also reported 
that guaranteeing that circuit routes would not be changed could 
actually make an organization's service less reliable because their 
circuits could lose the benefit of networking technologies that 
automatically reroute circuits in the event of facility failures.

New Private Telecommunications Network Created for Financial Market 
Participants:

Responding to the challenges of maintaining diversity, one financial 
market participant has acted to improve the resiliency of the 
telecommunications services supporting the financial industry. In 
January 2003, the Securities Industry Automation Corporation (SIAC) 
began operating its own private network, known as the Secure Financial 
Transaction Infrastructure (SFTI), to provide more reliable and 
"survivable" private communications services linking exchanges, 
clearing organizations, and other financial market 
participants.[Footnote 14] The information that travels on this network 
includes orders to buy and sell stocks on the New York and American 
stock exchanges as well as information needed to clear and settle these 
transactions.

SFTI was designed to overcome several of the challenges in attaining 
continual resiliency in telecommunications services. For example, to 
ensure redundancy and eliminate single points of failure, SFTI employs 
redundant equipment throughout, and carries data traffic over redundant 
fiber-optic rings whose routes are geographically and physically 
diverse. To access the network, users are required to connect to two or 
more of the eight SFTI access nodes located in Boston, Chicago, and the 
New York City metropolitan area. Therefore, if service is disrupted at 
one access node, service can still be obtained through an alternate 
node. Further, users can access SFTI in various ways, including 
obtaining a direct connection to the SFTI access nodes or connecting to 
one of four financial "extranet" service providers that operate their 
own telecommunications networks and also link to the SFTI access 
nodes.[Footnote 15] Some customers may choose to use a combination of 
both approaches.

To further enhance diversity throughout this private network, SIAC has 
contracted for auditable route diversity for the SFTI network. Because 
SIAC manages all SFTI facilities, it can also control all the grooming 
that takes place among the lines within the New York regional segment 
of this network. In addition, SIAC established a remote out-of-region 
network operations center that can manage network operations in the 
event of any disruption to its own New York area-based operations.

The financial industry has responded positively to SFTI since its 
implementation. For example, according to SIAC, financial industry 
associations, including SIA, the Bond Market Association, and the 
Investment Company Institute, which represents mutual funds, have all 
supported use of SFTI for their respective members. Moreover, NYSE, the 
American Stock Exchange, and the Consolidated Tape Authority, which 
oversees the systems that distribute stock quotes and completed trade 
information for the stock exchanges, expect that all of their 
participating member firms will be using SFTI to connect to their 
trading services as of December 2004. As of June 2004, SIAC had signed up more 
than 600 customers for this network.

Federal and Local Actions Are Under Way to Improve Telecommunications 
Resiliency:

Federal and local government entities have also taken steps to help the 
financial industry in preparing for and recovering from possible future 
disruptions to the telecommunications infrastructure. First, two 
presidential advisory committees have taken steps that may enhance the 
security and continuity of telecommunications services supporting the 
financial industry. The National Reliability and Interoperability 
Council (NRIC), which is a group of telecommunications carrier 
executives that advises the Federal Communications Commission, has 
identified existing and new best practices that, if implemented, could 
help carriers improve the security of their facilities, and improve 
recovery of services after attack or disruptions. NRIC addressed such 
matters as business continuity planning, physical security, emergency 
operations and response, and other operational procedures. Further, 
NSTAC, which had also studied diversity issues, recommended that the 
federal government support research and development activities on 
resiliency, diversity, and alternative technologies.

Additionally, the federal government sought to increase financial 
industry participation in federal programs that could enhance the 
recoverability of disrupted services. Specifically, the Department of 
Homeland Security's (DHS) National Communications System (NCS) promoted 
participation in its Telecommunications Service Priority (TSP) program. 
TSP allows financial market participants to register their key 
telecommunications circuits for priority restoration in the event of a 
crisis.[Footnote 16] Financial market participants are sponsored for 
registration in this program by their regulatory agency. According to 
NCS officials, the financial industry has made greater use of the TSP 
program, as there are now about 4,100 financial organization circuits 
registered in TSP for priority restoration; more than 3,500 of those 
were registered since June 2002. Further, to improve the recoverability 
of SFTI, the Federal Reserve worked with SIAC to ensure that all SFTI 
access lines were registered for TSP priority restoration as those 
circuits were installed.

Federal financial regulators also have been working with carriers to 
more closely examine the diversity challenge and identify potential 
management solutions. In a recently initiated pilot project, the 
Federal Reserve has been working with the Alliance for 
Telecommunications Industry Solutions to examine the diversity of 
circuits supporting Federal Reserve networks.[Footnote 17] The 
project's goal is to develop an efficient, affordable way to document 
and maintain routing diversity using those circuits as a baseline. 
According to Federal Reserve and Treasury officials, this exercise 
could yield a model approach for achieving assured diversity, improve 
the processes required to do so, and provide a better understanding of 
the associated costs.
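The diversity problem described in the grooming discussion above and in the Federal Reserve pilot (document routing diversity using a circuit inventory as a baseline, then maintain it) can be reduced to a repeatable check that a firm can run against its own inventory. The following is an added example written for this report, not code from GAO, the Federal Reserve, ATIS, or any carrier. The circuit identifiers, facility names and the two inventory snapshots are constructed; a real audit would take them from the carrier's circuit layout records. The script flags declared-diverse circuit pairs that share a facility (a single point of failure), lists the facilities whose loss would sever a whole group of circuits, and compares a later snapshot with the baseline so that grooming that silently eroded diversity shows up as drift.

```python
"""Route-diversity audit over a constructed circuit inventory (added example).

Each circuit is recorded as the ordered list of carrier facilities
(central offices, conduits, rings, hubs) it traverses. Two circuits an
organization relies on as diverse must share no facility; otherwise a
single facility loss takes both down, which is the failure mode firms
saw in September 2001 when groomed circuits had converged on one hub.
"""
from itertools import combinations

# Constructed baseline: the inventory as provisioned, with the carrier's
# diversity assurance in hand. Facility IDs are invented for this example.
BASELINE = {
    "CKT-A1": ["CO-NORTH", "CONDUIT-7", "HUB-EAST"],
    "CKT-A2": ["CO-SOUTH", "CONDUIT-12", "HUB-WEST"],
    "CKT-B1": ["CO-NORTH", "CONDUIT-9", "HUB-EAST"],
}

# Constructed later snapshot: the carrier groomed CKT-A2 onto CONDUIT-7,
# so the A1/A2 pair that was diverse at provisioning now shares a facility.
CURRENT = {
    "CKT-A1": ["CO-NORTH", "CONDUIT-7", "HUB-EAST"],
    "CKT-A2": ["CO-SOUTH", "CONDUIT-7", "HUB-WEST"],
    "CKT-B1": ["CO-NORTH", "CONDUIT-9", "HUB-EAST"],
}

# Pairs the organization depends on as diverse (e.g. primary/backup paths).
DIVERSE_PAIRS = [("CKT-A1", "CKT-A2")]


def shared_facilities(inventory, ckt_x, ckt_y):
    """Facilities common to two circuits; each one is a single point of failure."""
    return sorted(set(inventory[ckt_x]) & set(inventory[ckt_y]))


def audit_diversity(inventory, pairs):
    """Map each declared-diverse pair that is NOT diverse to its shared facilities."""
    findings = {}
    for x, y in pairs:
        shared = shared_facilities(inventory, x, y)
        if shared:
            findings[(x, y)] = shared
    return findings


def single_points_of_failure(inventory, circuits):
    """Facilities whose loss would sever every circuit in `circuits` at once.

    Useful for a group of access lines that together are supposed to keep a
    site connected: an empty result means no single facility loss isolates it.
    """
    paths = [set(inventory[c]) for c in circuits]
    return sorted(set.intersection(*paths)) if paths else []


def all_pairs_sharing(inventory):
    """Every circuit pair in the inventory that shares at least one facility."""
    return {
        (x, y): shared_facilities(inventory, x, y)
        for x, y in combinations(sorted(inventory), 2)
        if shared_facilities(inventory, x, y)
    }


def grooming_drift(baseline, current):
    """Circuits whose recorded route differs from the baseline: (old, new) paths."""
    drift = {}
    for ckt, old in baseline.items():
        new = current.get(ckt)
        if new != old:
            drift[ckt] = (old, new)
    return drift


def run_audit(baseline, current, pairs):
    """Full periodic check: re-verify diversity and report any route changes."""
    return {
        "baseline_findings": audit_diversity(baseline, pairs),
        "current_findings": audit_diversity(current, pairs),
        "drift": grooming_drift(baseline, current),
    }


if __name__ == "__main__":
    report = run_audit(BASELINE, CURRENT, DIVERSE_PAIRS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run periodically against fresh circuit layout records from the carrier, the `drift` entry is the signal the firms in the report lacked: a route that changed since the assurance was given. Note the trade-off NSTAC raised still applies; the goal of the check is to detect when diversity has been lost so it can be restored or re-planned, not to freeze routes and forgo automatic rerouting.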

Finally, New York City officials have enhanced their ability to monitor 
and coordinate infrastructure recovery efforts with local carriers. 
City officials recently revised their Mutual Aid Restoration Consortium 
(MARC) agreement, which governs monitoring and coordination of 
restoration actions between telecommunications carriers and city 
officials in the event of service outages. City officials invoked this 
agreement in the aftermath of the September 2001 attacks to ensure that 
essential city government offices and operations would have adequate 
telecommunications service and to aid coordination of infrastructure 
recovery efforts by carriers operating in the city. More recently, the 
MARC agreement proved effective during the August 2003 blackout, in 
which teleconferences were used to identify and communicate urgent 
diesel fuel needs of carriers and to coordinate other critical 
assistance to share power generators and network facilities. Lessons 
learned from such incidents have been addressed in the revised MARC 
agreement.

Telecommunications Carriers Are Also Taking Action to Improve 
Infrastructure Resiliency:

Telecommunications carriers are also acting to improve the resiliency 
of their networks. First, those carriers rebuilding facilities that 
were damaged or lost in the attacks have been replacing these 
facilities with designs that provide greater diversity to their 
infrastructure in lower Manhattan. For example, to avoid single points 
of failure in its network, Verizon redesigned its network to minimize 
circuits that only pass through a switching facility on their way to 
other termination points. This should reduce the potential for service 
in one area to be lost when damage occurs to facilities in other areas. 
Verizon has also deployed more resilient and physically diverse fiber-
optic systems within lower Manhattan, which may also provide alternate 
network access capabilities at strategic locations. Similarly, AT&T 
officials said that, as part of the company's own restoration effort, 
AT&T rebuilt two central office facilities at more geographically 
diverse locations and upgraded its fiber-optic networks.
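The routing-diversity baseline that the Federal Reserve and ATIS are 
building, and the Verizon redesign that minimizes circuits transiting a 
single switching facility, both reduce to one check over a circuit 
inventory. The Python below is an added example and is not code from 
GAO, the Federal Reserve, ATIS or any carrier; the facility names, the 
circuit inventory and the path model (a circuit as an ordered list of 
facilities, a conduit as a pair of adjacent facilities) are constructed 
assumptions for illustration. It flags circuits whose primary and backup 
paths share an intermediate facility or conduit, lists the transit 
facilities whose loss would leave a circuit with no path at all, and 
searches the known plant for a backup route that avoids the primary's 
risk set, reporting when no such route exists.

```python
"""Routing-diversity check over a circuit inventory.

Added example, not code from the GAO report, the Federal Reserve, ATIS or
any carrier; facility names and the inventory are constructed. A path is
the ordered list of facilities from a circuit's A-end to its Z-end, and a
conduit is the unordered pair of adjacent facilities on a path.
"""
from collections import defaultdict, deque

# Constructed inventory: circuit id -> primary and backup paths.
CIRCUITS = {
    "CKT-1": {"primary": ["EXCH-A", "CO-WEST", "CO-NORTH", "DC-1"],
              "backup":  ["EXCH-A", "CO-SOUTH", "DC-1"]},
    # Both CKT-2 paths transit CO-WEST over the same entrance conduit.
    "CKT-2": {"primary": ["EXCH-A", "CO-WEST", "DC-2"],
              "backup":  ["EXCH-A", "CO-WEST", "CO-EAST", "DC-2"]},
    "CKT-3": {"primary": ["BANK-1", "CO-WEST", "DC-1"],
              "backup":  ["BANK-1", "CO-SOUTH", "CO-NORTH", "DC-1"]},
    "CKT-4": {"primary": ["BANK-2", "CO-NORTH", "DC-2"],
              "backup":  ["BANK-2", "CO-SOUTH", "DC-2"]},
}

def conduits(path):
    """Unordered facility pairs a path traverses."""
    return {frozenset(pair) for pair in zip(path, path[1:])}

def shared_risk(primary, backup):
    """Intermediate facilities and conduits both paths depend on. Endpoints
    are excluded: the customer site is necessarily on both."""
    return {"facilities": set(primary[1:-1]) & set(backup[1:-1]),
            "conduits": conduits(primary) & conduits(backup)}

def non_diverse_circuits(circuits):
    """Circuits whose backup still shares risk with the primary."""
    found = {}
    for cid, c in circuits.items():
        risk = shared_risk(c["primary"], c["backup"])
        if risk["facilities"] or risk["conduits"]:
            found[cid] = risk
    return found

def single_points_of_failure(circuits):
    """Transit facilities whose loss leaves a circuit with no path at all,
    i.e. the facility sits mid-path on both the primary and the backup."""
    spof = defaultdict(list)
    for cid, c in sorted(circuits.items()):
        for fac in sorted(set(c["primary"][1:-1]) & set(c["backup"][1:-1])):
            spof[fac].append(cid)
    return dict(spof)

def build_graph(circuits):
    """Adjacency of the physical plant, derived from every known path."""
    adj = defaultdict(set)
    for c in circuits.values():
        for path in c.values():
            for a, b in zip(path, path[1:]):
                adj[a].add(b)
                adj[b].add(a)
    return adj

def find_diverse_backup(primary, adj):
    """Shortest A-end to Z-end route avoiding every intermediate facility
    and every conduit of the primary (breadth-first search). Returns None
    when the plant has no such route: that circuit needs new construction,
    not just re-provisioning."""
    src, dst = primary[0], primary[-1]
    banned_nodes, banned_edges = set(primary[1:-1]), conduits(primary)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj[node]):  # sorted for a deterministic answer
            if nxt in prev or nxt in banned_nodes:
                continue
            if frozenset((node, nxt)) in banned_edges:
                continue
            prev[nxt] = node
            queue.append(nxt)
    return None

if __name__ == "__main__":
    plant = build_graph(CIRCUITS)
    for cid, risk in non_diverse_circuits(CIRCUITS).items():
        print(cid, "shares", sorted(risk["facilities"]), "-> reroute via",
              find_diverse_backup(CIRCUITS[cid]["primary"], plant))
    print("single points of failure:", single_points_of_failure(CIRCUITS))
```

On the constructed inventory the check reports CKT-2 as non-diverse 
(both paths transit CO-WEST over the same entrance conduit), identifies 
CO-WEST as the one facility whose loss would take a circuit down 
entirely, and finds a diverse reroute for CKT-2 through CO-SOUTH. The 
search deliberately treats the shared conduit, not only the shared 
switching facility, as a risk, since two fibers in one duct are no more 
diverse than one; a real baseline would also carry the conduit and 
building identifiers the carriers hold rather than inferring them from 
paths.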

Telecommunication carriers also reported that they were improving their 
own business continuity plans to better ensure their ability to recover 
after a disaster. For example, officials at both Verizon and MCI said 
they had reexamined their continuity plans and developed new recovery 
strategies to improve their continuity capabilities. In addition, 
officials at AT&T informed us that they were continuing to conduct 
quarterly network disaster recovery tests at different locations 
throughout the United States that simulate the recovery of damaged 
switching facilities.

Finally, telecommunications carriers have tried to increase 
telecommunications resiliency by offering additional services to their 
customers, including financial market participants. As we described in 
our 2003 report, carriers offer various services that can improve the 
reliability and recoverability of existing 
telecommunications.[Footnote 18] For example, carriers offer fiber-
optic networks to provide more reliable access to public networks; 
services to redirect their switched telecommunications services, such 
as voice calls, to another business location; and alternative network 
connectivity solutions such as high-bandwidth, point-to-point radio 
connectivity to another location or network node.

Federal Financial Regulators Took Actions to Improve the Readiness of 
Securities Markets, but Further Actions Needed:

Since our 2003 report, federal financial regulators, including SEC, 
have identified vulnerabilities, participated in tests and exercises, 
and developed recovery goals and business continuity guidelines to 
improve the preparedness of securities markets for terrorist attacks 
and other disasters. For example, banking and securities regulators 
have issued joint guidance providing recovery goals for market 
participants that perform critical clearance and settlement activities. 
Partly in response to a recommendation in our 2003 report, SEC also has 
issued guidance providing goals for trading activities to resume on 
securities exchanges. However, SEC has not developed a complete 
assessment of securities markets readiness to resume trading after 
major disruptions, which increases the risk that the reopening of the 
markets could be delayed.

Financial Regulators Participated in Exercises, Information Sharing, 
and Examinations of Financial Sector Readiness:

Since our 2003 report, federal financial regulators have participated 
in exercises that assess readiness for potential disasters. For 
example, Treasury, the Federal Reserve, SEC, and the Commodity Futures 
Trading Commission have taken part in several disaster recovery 
exercises sponsored by DHS, including the TOPOFF exercises, which 
simulated physical attacks, and the Livewire exercise, which simulated 
a cyber attack. In addition, as part of the Financial and Banking 
Information Infrastructure Committee, the federal financial regulators 
have conducted an analysis of financial sector vulnerabilities, 
including those involving dependencies on other critical 
infrastructures, such as telecommunications and power.

Financial regulators have also been involved in various information 
sharing efforts. For example, Treasury has supported and promoted 
the FS/ISAC, which as described earlier gathers, analyzes, and shares 
information on threats, incidents, and vulnerabilities faced by the 
financial sector. In 2004, Treasury provided additional funding to FS/
ISAC to allow it, among other things, to expand its membership and 
services to even the smallest financial institutions, such as community 
banks. Treasury has also been involved, along with the Federal Deposit 
Insurance Corporation, in conducting educational outreach events in 
various cities on sound business continuity practices. Treasury is also 
working with DHS to continue developing "Chicago First," an emergency 
preparedness program designed to coordinate activities among financial 
sector participants and federal, state, and local government officials. 
Treasury is promoting this program as a model for other cities to 
implement.

Banking and securities regulators have also taken steps since our 2003 
report to assess the efforts of banks and securities firms to withstand 
and recover from disasters. For instance, in March 2003 the Federal 
Financial Institutions Examination Council (FFIEC), which issues joint 
regulatory and examination guidance used by financial regulators in 
overseeing financial institutions such as banks and credit unions, 
issued a Business Continuity Planning Booklet that provided updated 
guidance and examination procedures on this topic.[Footnote 19] In the 
booklet, FFIEC requires depository institutions to develop business 
continuity plans that will effectively minimize service disruptions and 
financial loss, test the plans at least annually, and subject the plans 
to independent audit and review. In addition, it asks institutions to 
consider in their planning the potential for wide-area disasters and 
the resulting loss or inaccessibility of staff, as well as the extent 
to which their institution is dependent upon other financial system 
participants and service providers. According to one financial 
regulator responsible for conducting examinations based on these 
guidelines, an informal analysis showed that larger financial 
institutions were doing better than smaller ones in meeting the 
guidelines. As a result, officials at that regulator said they had 
begun developing guidance to help smaller institutions better meet the 
business continuity guidelines.

SEC has also conducted examinations of broker-dealers that included 
reviews of information security and business continuity efforts. For 
example, SEC's Office of Compliance Inspections and Examinations (OCIE) 
administers SEC's inspection program for broker-dealers, including 
monitoring broker-dealers' compliance with Regulation SP, which deals 
with the privacy of consumer financial information.[Footnote 20] As 
part of their review of broker-dealers' ability to protect consumer 
information, OCIE staff review those organizations' information 
security capabilities. In addition, since our 2003 report, OCIE has 
begun incorporating into its broker-dealer examinations the business 
continuity practices presented by federal financial regulators in an 
interagency paper (described in the following section).

Financial Regulators Developed Business Continuity Guidelines for 
Clearing and Settlement:

Federal financial regulators also have jointly focused on continuity 
issues to reduce the risk of disruption for the financial markets from 
terrorist attacks or other disasters. In April of 2003, securities and 
banking regulators issued the Interagency Paper on Sound Practices to 
Strengthen the Resilience of the U.S. Financial System.[Footnote 21] 
Issued by SEC, the Federal Reserve, and the OCC, this interagency paper 
identifies business continuity practices that core clearing and 
settlement organizations and firms that play a significant clearing or 
settlement role in critical financial markets are expected to follow. 
Core organizations include clearing organizations responsible for 
securities and other financial products and payment system processors. 
In addition to these organizations, the interagency paper also applies 
to financial institutions, including banks and broker-dealers, which 
conduct significant amounts of trading and clearing activities. If 
these firms were unable to clear and settle the outstanding trades that 
they or their customers conducted, they could create payment problems 
for other participants in the markets.[Footnote 22] By proposing that 
these organizations and firms follow the practices identified in the 
interagency paper, regulators expect to minimize the immediate systemic 
effects of a wide-scale disruption--by setting goals for key payment 
and settlement systems to resume operation promptly following a wide-
scale disaster, and for major participants in those systems to recover 
sufficiently to complete pending transactions.

In the interagency paper, the regulators outline various practices for 
organizations and firms to follow and set goals related to resumption 
of their clearing and settlement activities. First, these organizations 
and firms are expected to identify the clearing and settlement 
activities that they perform in support of critical financial markets. 
They are also expected to determine appropriate recovery and resumption 
objectives for those activities. The regulators state that, at minimum, 
the organizations and firms are expected to be able to recover within 
the same business day.[Footnote 23] To realistically achieve this, the 
regulators expect that these organizations and firms would maintain 
geographically dispersed resources to meet their recovery and 
resumption objectives. Specifically, to be consistent with best 
practices, backup facilities for clearing functions should be as far 
away from the primary facility as necessary to avoid being subject to 
the same set of risks as the primary facility. The backup facilities 
also should not rely on the same infrastructure--such as power and 
telecommunications--as the primary facility, and the operation of the 
backup facility should not be impaired by a wide-scale evacuation at, 
or the inaccessibility of staff that service, the primary site. In 
addition, the regulators expect that the organizations and firms would 
engage in routine use or testing of their recovery and resumption 
arrangements.

The regulators also included deadlines for achieving continuity goals 
in the interagency paper. For example, core clearing and settlement 
organizations are expected to implement the practices the paper 
advocates by the end of 2004. Significant banks and broker-dealers are 
expected to have implemented such practices by April 2006. According to 
banking and securities regulatory officials, they are monitoring the 
progress that organizations and firms are making in meeting these 
deadlines.[Footnote 24]

SEC Set Business Continuity Goals for Securities Trading:

SEC also has provided recovery goals and business continuity best 
practices to exchanges and ECNs that conduct securities trading in the 
United States. In our 2003 report, we recommended that SEC work with 
the industry to develop such goals and sound business continuity 
practices and identify organizations that should follow them. In 
September 2003, SEC issued a policy statement that establishes business 
continuity principles to be followed by the organizations that execute 
trades in securities, including the NYSE, the Nasdaq Stock Market, Inc. 
(NASDAQ), the regional stock exchanges, the options exchanges, and 
ECNs, which match buy and sell orders for securities.[Footnote 25] The 
business continuity principles SEC published include:

* establishing a business continuity plan that anticipates the 
resumption of trading no later than the next business day following a 
wide-scale disruption;

* maintaining geographic diversity between primary and backup sites;

* ensuring the full resiliency of important shared information systems, 
such as market data collection and dissemination systems; and:

* testing the effectiveness of backup arrangements in recovering from 
wide-scale disruptions.

SEC expects the securities markets and ECNs to implement business 
continuity plans reflecting these principles, no later than the end of 
2004. According to SEC staff, they are monitoring the progress of the 
exchanges and ECNs in implementing the policy statement through their 
examinations of these organizations.

In addition to establishing recovery goals, SEC has taken additional 
actions to ensure that sufficient venues for trading would likely be 
available after a major disaster. As we noted in our 2003 report, SEC 
staff have asked NYSE and NASDAQ to be prepared to trade the other's 
securities should one trading floor go down. Officials at both of these 
markets said they have made the necessary system changes and have 
tested their members' ability to trade the other markets' securities. 
SEC officials said that they had assessed the ability of these two 
organizations to provide such backup and were confident that these 
markets had the necessary capacity and systems to do so. If neither 
NYSE nor NASDAQ is able to resume trading, ECNs and regional exchanges 
would have to assume the trading of the stocks that are normally traded 
on those markets. SEC staff said that, based on discussions with ECN 
officials and information obtained from inspections of these entities, 
collectively, the ECNs and regional exchanges have sufficient capacity 
to take on significant additional amounts of trading volume that would 
result from such an event. Although none of the organizations 
involved--NYSE, NASDAQ, ECNs, and regional exchanges--are required to 
assume such additional trading activity, according to SEC staff these 
organizations all have a strong business incentive and competitive 
motivation to do so.

Finally, SEC approved business continuity goals for the broker-dealers 
that conduct trading in U.S. securities markets. In April 2004, SEC 
approved essentially identical rules from NASD and NYSE that require 
their members to develop business continuity plans.[Footnote 26] 
According to these rules, the broker-dealer members of these 
organizations must develop business continuity plans that address 
various elements, including:

* data backup and recovery,

* alternate means of communication with customers,

* alternate physical locations for employees, and:

* consideration of the impacts to critical customers and 
counterparties.

These rules do not require trading firms to have plans to resume their 
operating or trading activities after a disaster. Instead, they require 
broker-dealers to develop procedures ensuring that, if a disaster 
occurred and the firm were unable to continue business operations, 
customers could promptly gain access to their funds and 
securities. These rules appear to respond to our 2003 recommendation 
that SEC work with the securities industry to develop business 
continuity guidelines that, at a minimum, require broker-dealers to 
allow customers to readily access their cash and securities. NYSE 
expected its members to implement its rule by August 5, 2004, and NASD 
expected implementation by September 10, 2004.

SEC Has Not Fully Analyzed Capabilities of Trading Firms to Resume 
Operations:

Although the actions securities and banking regulators have taken will 
likely improve the preparedness of the securities markets to withstand 
future disruptions, SEC has not conducted the comprehensive assessments 
that would allow it to better ensure that trading in the securities 
markets could promptly resume following a wide-scale disaster. 
Preparing for trading activities to resume in a smooth and timely 
manner would appear to be a regulatory goal for SEC, which is 
specifically charged with maintaining fair and orderly markets. 
Furthermore, as previously noted, financial regulators expect markets 
to resume both clearing and trading activities within 1 business day or 
less. In addition, according to Treasury staff responsible for its 
critical infrastructure protection program, ensuring that markets are 
not closed for lengthy periods is important to maintaining investor 
confidence during the uncertainty that accompanies major disasters.

SEC officials said that if the organizations and firms expected to 
adhere to the guidance and best practices in the interagency paper and 
SEC's policy statement did so, U.S. securities markets would be able to 
recover even from an attack or disaster that resulted in wide-scale 
damage or disruption. However, SEC officials explained that they do not 
have specific authority to require broker-dealers to participate in the 
markets to any degree and neither the interagency paper on clearing and 
settlement, the SEC policy statement, nor the NYSE and NASD business 
continuity rules currently require individual broker-dealers to be 
prepared to resume their trading operations following a disaster.

Although the ability to resume trading will also depend on whether 
sufficient numbers of trading firms are willing and able to resume 
operations, concerns persist over the potential readiness and the 
threat of disruption to these firms. As we discussed in our 2003 
report, part of the delay in reopening the trading markets after the 
September 2001 attacks was attributable to the difficulties that some 
broker-dealers faced in recovering their trading operations. As we 
noted previously in this report, some of the key trading firms continue 
to face increased risk that their operations would be disrupted and 
acknowledged that they may not be able to resume trading in some cases. 
Furthermore, in August 2004, DHS announced that intelligence had been 
received that terrorists may have targeted the facilities of individual 
U.S. banks and broker-dealers as well as other financial related 
entities for potential attacks.

Although SEC had taken some steps to assess broker-dealer readiness, it 
had not done a systematic analysis to determine whether sufficient 
numbers of firms would be capable of resuming trading within 
regulators' current expectations. SEC staff said they were aware of 
this risk and had done some informal assessments of where major broker-
dealer facilities are located. The staff also noted that some firms 
could likely use staff located elsewhere in the country or in foreign 
locations to trade on U.S. markets. However, officials at some of the 
key firms we contacted indicated that they did not always have 
sufficient numbers of trained staff elsewhere who could assume their 
U.S. trading activities. One of the officials told us in June 2004 that 
SEC would begin evaluating broker-dealers' trading staff arrangements 
and, where appropriate, ask firms to voluntarily address the risk posed 
by having their trading staff in single locations in the same 
geographic area as other such organizations. One of the officials said 
that SEC did not yet have a time frame in which firms would complete 
such actions and acknowledged that such organizations could have valid 
business reasons for not taking those actions. For example, relocating 
trading staff or spreading them across more than one location can be 
expensive and reduce the efficiency of a firm's operations.

SEC officials also told us that if a wide-scale disaster disrupted 
trading at a number of broker-dealers in one geographic area, firms 
outside that area could step in and conduct trading. Such firms could 
include the regional broker-dealers located around the country. 
However, SEC staff had not conducted a full analysis of the number of 
firms, where they are located, or the amount of trading volume they 
normally handle. These firms also would need sufficient staffing and 
financial resources to support increased trading volumes.

SEC Took Some Actions to Enhance Its ARP Program but Has Not Addressed 
Other Limitations to Its Effectiveness:

Since our 2003 report, SEC has acted to improve the ARP program, but 
has not addressed other long-standing issues that hamper the 
effectiveness of the program and hinder SEC's oversight. These issues 
include insufficient resources with the appropriate expertise to 
increase the frequency, depth, and comprehensiveness of its 
examinations and the lack of a rule that mandates compliance with the 
ARP program's tenets and examination recommendations. The ARP program 
also appears to have limitations in its ability to oversee information 
security issues. Given the limitations that have affected the ARP 
program over time, continued assessment of the ARP program's placement 
within SEC's organizational structure might identify options that could 
better ensure that it receives the appropriate resources to perform its 
important mission.

SEC Created ARP to Oversee How Exchanges, Clearing Organizations, and 
ECNs Addressed Operations Risks:

SEC created the ARP program in 1989 in response to operational problems 
that exchanges and clearing organizations experienced during the 1980s; 
the program was later extended to ECNs. The program addresses operations risk 
issues at these entities, including physical and information security 
and business continuity. SEC did not create rules for these entities to 
follow but instead issued two ARP statements that provided best 
practices in various information technology and operational areas with 
which the exchanges and clearing organizations would be expected to 
comply voluntarily. As part of the ARP program, these entities (among 
them, some of the critical organizations we reviewed for this report) 
are expected to have the relevant aspects of their operations reviewed 
periodically by independent reviewers, which can include the entities' 
own internal auditors or external organizations, such as accounting 
firms or information security consultants. In addition, SEC's ARP staff 
conduct periodic on-site reviews of these organizations to assess 
selected information technology or operational issues and make 
recommendations for improvements when necessary. During any 
examination, ARP program staff analyze the risks faced by each entity 
to determine which are the most important to review. As a result, ARP 
staff are not expected to review every issue specific to an entity 
during each examination.

SEC Has Taken Steps to Improve ARP Program:

SEC staff said they have made improvements to the ARP program. SEC 
officials said they have placed more emphasis on monitoring the status 
of the recommendations made as a result of ARP reviews, with the result 
that they can better determine whether entities within the program 
implement the recommendations. ARP staff meet quarterly with ARP 
management to review the status of and progress on any outstanding ARP 
recommendations. As a result, ARP staff have more frequent contact with 
the entities they examine to obtain information about the status of 
recommended actions. According to these officials, this more frequent 
follow-up lets the exchanges, clearing organizations, and ECNs know 
that they cannot let action on recommendations wait until the next ARP 
review, which can be several years away. ARP officials said that as a 
result of these efforts, they have been able to close outstanding 
recommendations and indicated that the level of cooperation they 
receive from the entities has improved.

SEC staff also said that a recent reorganization within its Division of 
Market Regulation improved program effectiveness. According to SEC 
staff, in November 2003, SEC merged ARP program staff with other 
Division of Market Regulation staff that conducted surveillance of 
trading in the markets using information systems. While remaining 
within the Division of Market Regulation, this combined group is now 
called the Office of Market Continuity. Although the merger only 
marginally increased the number of staff allocated to the ARP program 
(from 10 to 11 staff and a new Assistant Director), SEC staff said the 
merger gave them access to some additional staff resources and also 
increased the visibility of the ARP program within SEC. These 
additional staff are not examiners but can be used to draft letters and 
research legal issues.

SEC Has Not Addressed Long-standing ARP Program Limitations:

Although it has taken some actions to improve the ARP program, SEC 
still has not addressed weaknesses that have hampered the effectiveness 
of the program, such as making ARP a rule-based program and improving 
ARP's staffing resources and expertise. As we reported in 2001 and 
2003, the entities subject to the ARP program had not always 
implemented or addressed significant ARP staff recommendations, 
including some related to inadequate backup facilities, security 
weaknesses, and inadequate information system processing 
capacity.[Footnote 27] Some of these unaddressed weaknesses later led 
to problems. For example, one organization experienced problems related 
to ensuring adequate processing capacity that delayed the 
implementation of decimal pricing by all securities markets for 3 
months. In another instance, SEC staff raised concerns about the lack 
of a backup operating facility at an entity that had its primary 
facility in the area that would later be affected by the 2001 terrorist 
attacks. In some cases, organizations subject to ARP were also not 
providing the reports of system changes and other events that SEC 
expects to receive under the program. To address this issue, we 
recommended in our 2003 reports that SEC issue a rule that would make 
adherence to tenets of the ARP program and the recommendations of its 
staff mandatory for exchanges and clearing organizations. In contrast, 
ECNs have had to comply with ARP recommendations since 1998, when SEC 
adopted a rule increasing regulatory scrutiny of alternative trading 
systems.[Footnote 28] SEC's Inspector General has also expressed 
similar concerns about compliance with ARP program recommendations. SEC 
officials said they drafted a rule making exchange and clearing 
organization compliance with ARP tenets mandatory but had not yet 
submitted it for review by the SEC Commissioners. SEC staff told us 
that the level of cooperation with recommendations and other 
expectations that they have received from the entities subject to the 
ARP program has improved since the 2001 terrorist attacks. However, 
they acknowledged that without a rule SEC lacks greater assurance that 
these organizations will continue to comply with ARP recommendations, 
particularly key recommendations that could be costly for the entities.

SEC also has not fully addressed the adequacy of resources dedicated to 
the ARP program, another long-standing issue. Our 2001 and 2003 reports 
described how a lack of resources hampered the ability of the ARP 
program to oversee the operations of the entities it reviews.[Footnote 
29] For example, we reported that these resource constraints affected 
the ARP program's ability to conduct frequent examinations. In our 2003 
report, we reported that the intervals between ARP examinations had 
exceeded 3 years for five of the seven critical financial market 
organizations that we reviewed, with the other two organizations not 
being reviewed for 6 years or more. According to SEC staff, they have 
developed a tiered examination schedule for the organizations subject 
to ARP. Under this schedule, first-tier organizations, including the 
clearing organizations and most active markets, are to be reviewed 
annually. Second-tier organizations are reviewed based on their risk 
assessment profile under a 3-year inspection cycle, and third-tier 
firms, such as small ECNs, are inspected for cause. The SEC staff said 
they have met this schedule thus far.

As a result of these concerns, we recommended in 2003 that SEC expand 
the level of staffing and resources devoted to ARP if sufficient funds 
were available. Although in recent years, SEC's overall resources have 
significantly increased--its funding increased 45 percent in 2003--as 
of May 2004, no significant additional resources had been allocated to 
the ARP program. SEC staff said the recent creation of the Office of 
Market Continuity provided them with access to some additional staff 
resources, as noted earlier, but demands on ARP staff also have grown. 
For example, in our 2003 report, we noted that ARP staff workload had 
expanded to cover entities with more complex technology and 
communications networks. As entities continue to implement new 
technologies and networks, ARP staff workload is likely to increase 
further. In August 2004, staff in SEC's Market Regulation Division said 
they will ask for additional staffing for the ARP program.

The ARP program's ability to obtain and retain staff with sufficient 
technical skills has also been an issue in the past and may have 
affected its ability to effectively oversee information security issues 
at the entities it oversees. In previous reports, we have described 
difficulties SEC has had in retaining qualified and experienced staff 
in its ARP program, as well as concerns of industry officials over ARP 
staff expertise.[Footnote 30] During this review we identified examples 
where ARP staff could benefit from additional technical expertise. For 
example, reviews by internal and external reviewers are a key component 
of the ARP program and SEC officials said they attempt to track all 
significant issues and recommendations to ensure they are addressed. 
However, we found that internal and external reviewers at some of the 
critical organizations we reviewed had identified important actions to 
improve the security of their information systems, but that the 
organizations had not implemented them. In addition, at some of the 
critical organizations, we identified important additional 
opportunities for improvements in information security that had not 
been previously identified by internal or external reviewers or by 
SEC's ARP staff.

One way organizations can help ensure that their various functions 
receive the appropriate level of resources, including staff and 
expertise, is to ensure that those functions are properly aligned 
within the organization's overall structure. Currently, the ARP program 
is located within the Division of Market Regulation and, as such, is a 
small part of a larger division whose primary responsibility is to 
establish and maintain standards for the operation of fair, orderly, 
and efficient markets. As noted previously, SEC recently relocated the 
ARP program within the Division of Market Regulation, and SEC officials 
told us that this move has been beneficial and that they continue to 
assess the impact of the reorganization on the program's effectiveness. 
However, this move has not yet resulted in significant additional 
staffing or additional technical expertise specifically dedicated to 
the ARP program. Other possible placements that might prove beneficial 
for the ARP program from a resource and expertise standpoint could 
include placing the ARP program with the other examination staff within 
SEC's Office of Compliance Inspections and Examinations, or combining 
its staff with those having similar technical expertise within SEC's 
Office of Information Technology. Realigning the ARP program within SEC 
could, however, have potential disadvantages. For example, having ARP 
staff within the Division of Market Regulation, as it is now, provides 
valuable expertise and information gathering abilities and allows this 
examination function to be linked with the related policy-making 
function.

Conclusions:

The securities market organizations we reviewed all had reduced the 
risk that their operations would be disrupted by terrorist attacks or 
other disasters. In addition, financial market participants and 
telecommunications organizations increased the resiliency of the 
critical telecommunications services necessary for the functioning of 
the markets. Further, financial regulators have issued guidance to 
these organizations that, if implemented, should greatly increase the 
ability of the markets to recover. However, as of May 2004, a number of 
the critical financial market organizations and the broker-dealers and 
banks that conduct significant trading activities remained at a greater 
risk of disruption than others from a wide-scale event because they 
lacked certain business continuity capabilities. The ability of U.S. 
financial markets to recover and resume operating in the wake of any 
future attacks or disasters depends upon the extent to which these 
critical market participants augment their business continuity 
capabilities or mitigate existing weaknesses.

One of the lessons learned from the September 2001 attacks was that 
without key broker-dealers able to trade, the markets could not reopen. 
As we noted in our 2003 report, insufficient liquidity existed to open 
the markets during the week of the September 2001 attacks because of 
the considerable efforts required for broker-dealers to restore 
operations. However, SEC currently lacks adequate assurance that the 
actions of organizations that trade in the markets will be sufficient 
to ensure that this important activity can also resume. Although joint 
regulatory guidance addresses organizations' clearing and settlement 
activities, and SEC's own policy statement directs exchanges and ECNs 
to implement sound business continuity practices, the firms that 
conduct trading activities in U.S. markets are not similarly required 
to implement such practices, and SEC officials said they do not have 
specific authority to require broker-dealers to participate in the 
markets to any degree. Nevertheless, SEC has not fully assessed whether 
or not sufficient numbers of firms with staff capable of trading 
securities would be ready to operate after a wide-scale disaster. 
Similarly, although many other trading firms exist, including regional 
firms with sizeable operations located throughout the United States, 
SEC has not sufficiently analyzed the willingness and capabilities of 
these firms to step up and become the significant providers of 
liquidity necessary for fair and orderly trading to occur in the 
aftermath of a disaster. Once it conducts a more complete analysis of 
the likely readiness of trading firms to resume trading, SEC could use 
the results to identify actions that specific exchanges, clearing 
organizations, or trading firms could take to increase the likelihood 
that trading in the markets could resume when appropriate. Given that 
some disaster and damage impact scenarios are more or less likely than 
others, having SEC weigh the feasibility and costliness of any actions 
that it identifies against the potential benefits and likelihood of 
such scenarios occurring appears warranted.

While SEC has made some enhancements to the ARP program, it has also 
not made key improvements, including those we recommended in our 2003 
report, that could better ensure that it is as credible and as 
effective as possible. Given the importance of the work with which 
SEC's ARP staff are tasked, ensuring that they have a specific rule to 
mandate compliance with ARP program tenets and sufficient staff to 
conduct their oversight appears justified. While SEC has made progress 
in ensuring that exchanges and clearing organizations implement ARP 
staff recommendations, such current voluntary cooperation may not 
always exist in the future, especially when ARP-recommended actions 
would be costly to an organization. The limited resources that SEC has 
devoted to ARP thus far have generally prevented it from conducting 
more frequent examinations and do not appear to have provided it with 
sufficient technical expertise to address important information 
security issues.

While the ARP program was realigned within the Division of Market 
Regulation in November 2003 and SEC staff indicated that they are 
assessing the impact on the program's effectiveness, it is not yet 
clear whether this change will improve the program's ability to obtain 
sufficient additional resources and staff with the necessary expertise. 
Given that the functioning of the markets is critical to our nation's 
economy, taking steps to better ensure that the program used to oversee 
operational and information security issues at these entities has sound 
legal authority and adequate resources and expertise is warranted at 
this time. Such steps would include assessing whether the placement of 
the program within SEC's organizational structure is optimal for 
ensuring that it has adequate resources and staff expertise.

Recommendations for Executive Action:

To provide greater assurance that the critical trading that is 
conducted in U.S. financial markets can resume, in as timely a manner 
as appropriate, after disruptions, we recommend that the Chairman, SEC, 
fully analyze the readiness of the securities markets to recover from 
major disruptions and work with industry and other federal agencies, as 
appropriate, to determine reasonable actions that would increase the 
likelihood that trading in the markets could resume when appropriate.

In addition, to improve the effectiveness of SEC's ARP program, which 
oversees preparedness of securities trading and clearing organizations 
for future disasters, we recommend that the Chairman, SEC, take the 
following three steps to enhance the ARP program's effectiveness:

* Establish a definite time frame for the submission of a rule 
requiring exchanges and clearing organizations to engage in activities 
consistent with the operational practices and other tenets of the ARP 
program;

* Assess the adequacy of ARP staffing in terms of positions and 
technical skill levels, including information security expertise, given 
its mission and workload; and:

* Continue to assess the organizational alignment of the ARP program 
within SEC.

Agency Comments and Our Evaluation:

We requested comments on a draft of this report from the heads, or 
their designees, of the Federal Reserve, OCC, Treasury, and SEC. The 
Federal Reserve and SEC provided written comments, which appear in 
appendixes II and III, respectively. The Federal Reserve, OCC, and SEC 
also provided technical comments, which we incorporated in the report 
as appropriate.

SEC generally agreed with the report and its recommendations. The 
letter from SEC's Chairman noted that SEC has been working actively 
with the trading markets, core clearing organizations, and major market 
participants to strengthen the resiliency of the financial markets. In 
addition, SEC's letter noted that it would be taking specific actions 
in response to our recommendations, including conducting an assessment 
of key broker-dealers' trading staff arrangements and the preparations 
of these firms to resume trading operations following a disaster. SEC 
also indicated that its Market Regulation Division is developing a 
proposed rule that would require exchanges and clearing organizations 
to engage in activities consistent with the operational practices and 
other tenets of the ARP program and that this should be submitted to 
the Commission during the first half of 2005. SEC stated that it is 
also currently assessing the adequacy of staffing and technical skill 
levels within the ARP program and that increased education for its 
staff, hiring new staff, and engaging consultants are all ways that it 
could use to address its needs in this area. Finally, SEC noted that as 
part of the agency's routine strategic planning effort, it will 
continue to assess the organizational alignment of the ARP program 
within SEC. In its letter, the Federal Reserve noted that addressing 
the risks posed by the September 11 attacks continues to be a priority 
for the organization and that it is continuing efforts to improve the 
resiliency of the financial system.

As agreed with your office, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. At that time, we will send copies of this report 
to the appropriate congressional committees; the Secretary, Treasury; 
the Chairman, SEC; the Chairman, Federal Reserve; and the Comptroller 
of the Currency; and others who request them. In addition, the report 
will be available at no charge on the GAO Web site at [Hyperlink, 
http://www.gao.gov].

Signed by: 

Davi M. D'Agostino: 
Director, Financial Markets and Community Investment:

Signed by: 

Robert F. Dacey: 
Director, Information Security Issues:

Signed by: 

Linda Koontz: 
Director, Information Management:

Signed by: 

Keith Rhodes: 
Chief Technologist: 
Director, Center for Technology and Engineering:

[End of section]

Appendixes:

Appendix I: Objectives, Scope, and Methodology:

The objective of this report is to describe the progress that financial 
markets participants and regulators have made since our 2003 report in 
reducing the likelihood that terrorist attacks and other disasters 
would disrupt market operations. Specifically, we assessed (1) actions 
that critical securities market organizations and key market 
participants undertook to reduce their vulnerabilities to physical or 
electronic attacks and to improve their business continuity 
capabilities; (2) steps that financial market participants, 
telecommunications industry organizations, and others took to improve 
the resiliency of telecommunications systems and infrastructure; (3) 
financial regulators' efforts to ensure the resiliency of the financial 
markets; and (4) the progress the Securities and Exchange Commission 
(SEC) has made in improving its Automation Review Policy program, which 
oversees security and operations issues at exchanges, clearing 
organizations, and electronic communications networks (ECN). As in our 
previous report, for purposes of our analysis we selected seven 
organizations whose ability to operate is critical to the overall 
functioning of the financial markets. We made these categorizations by 
determining whether viable immediate substitutes existed for the 
products or services the organizations offer or whether the functions 
they perform were critical to the overall markets' ability to function. 
To maintain the security and the confidentiality of their proprietary 
information, we agreed with these organizations that we would not 
discuss their efforts to address physical and information security 
risks and ensure business continuity in a way that could identify them.

To assess actions that critical securities market organizations took to 
reduce their vulnerabilities to physical or electronic attacks and to 
improve their business continuity capabilities, we visited their 
facilities, reviewed relevant business continuity policies, and 
interviewed officials at the organizations. Specifically, to determine 
what steps these seven organizations were taking to reduce the risks to 
their operations from physical attacks, we conducted on-site 
"walkthroughs" of their facilities, reviewed their security policies 
and procedures, and met with key officials responsible for physical 
security to discuss these policies and procedures. We compared these 
policies and procedures with 52 standards developed by the Department 
of Justice for federal buildings. Based on these standards, we 
evaluated the physical security efforts across several key operational 
elements, including measures taken to secure perimeters, entryways, and 
interior areas and whether organizations had conducted various security 
planning activities. To identify types of tests an organization can 
perform to monitor the effectiveness of physical security measures in 
place, we reviewed publications and guidance, such as that contained in 
our Executive Guide on Information Security Management[Footnote 31] and 
obtained information from security experts within our office, including our 
Office of Special Investigations. We obtained information on the types 
and extent of physical security testing performed by the organizations 
at their primary locations and compared it with the information we 
collected. We also reviewed publications and guidance, such as those 
issued by the Centers for Disease Control and Prevention, Federal 
Emergency Management Administration, and Lawrence Berkeley National 
Laboratory, to identify high-level countermeasures that an organization 
could take to mitigate the CBR threat. For each primary facility, 
through interviews with the organizations' security officials, we 
identified and compared their actions against our listing of 
countermeasures.

To determine what steps these seven organizations were taking to reduce 
the risks to their operations from electronic attacks, we reviewed the 
security policies of the organizations we visited and reviewed 
documentation of their system and network architectures and 
configurations. We also compared their information security measures 
with those recommended for federal organizations in the Federal 
Information System Controls Audit Manual, other federal guidelines and 
standards, and various industry electronic security best practice 
principles. Using these standards, we attempted to determine, through 
discussions and document reviews, how these organizations had addressed 
various key operational elements for information security, including 
how they controlled access to their systems and how they detected 
intrusions, what responses they made when such intrusions occurred, and 
what assessments of their systems' vulnerabilities they had performed.

To determine what steps these seven organizations had taken to ensure 
they could resume operations after an attack or other disaster, we 
discussed their business continuity plans (BCP) with staff and visited 
their facilities. We reviewed their BCPs and assessed them against 
practices recommended for financial organizations, including bank 
regulatory guidance. Among the operational elements we considered were 
the existence and capabilities of backup facilities, whether the 
organizations had procedures to ensure the availability of critical 
personnel and telecommunications, and whether they completely tested 
their plans. In evaluating these organizations' backup facilities, we 
attempted to determine whether these organizations had backup 
facilities that would allow them to recover from damage to their 
primary sites or from damage or inaccessibility resulting from a wide-scale 
disaster. We did not directly observe the operation of these 
backup sites, but relied on documentation, including backup facility 
test results, provided by the organizations. We also discussed the 
business continuity capabilities and improvements made by eight large 
broker-dealers and banks that collectively represented a significant 
portion of trading and clearing volume on U.S. securities markets.

To determine the extent to which critical financial market 
organizations reduced the likelihood that their operations might be 
disrupted by future disasters, we also examined the telecommunications 
continuity practices they were following. To identify sound 
telecommunications-related continuity practices, we first reviewed 
business continuity planning guidance published by the Business 
Continuity Institute, the Federal Financial Institutions Examination 
Council, and other continuity planning guidance. Based on our review of 
those materials, we identified five principal practices that 
organizations should follow to plan for the availability of 
telecommunications services that are important to their continuing 
operations. We also discussed our selection of practices for use as 
criteria with a private-sector business continuity expert to affirm 
that our selection of these five practices was an appropriate judgment. 
We then examined the extent to which the critical organizations 
followed these practices by reviewing network documentation, continuity 
plans, and testing reports where available, and discussed with 
organization telecommunications managers their network continuity 
strategies and the practices they followed to mitigate perceived 
continuity risks. We assessed those strategies, practices, and related 
documentation against the five practices we identified.

To determine how financial and telecommunications industry 
organizations, federal and local government entities, and supporting 
telecommunications service providers further improved 
telecommunications service resiliency, including improved 
infrastructure diversity and recoverability, we reviewed reports and 
related documentation prepared by three Presidential Advisory 
Committees--the National Infrastructure Advisory Council, the National 
Security Telecommunications Advisory Council, and the Network 
Reliability and Interoperability Council. These reports and 
documentation evaluated infrastructure interdependencies and network 
diversity challenges, and they identified practices that 
telecommunications carriers and large organizations might follow to 
better prepare for and recover from future network disruptions. We also 
reviewed plans and documentation developed by a critical financial 
organization to implement and operate a private network for the benefit 
of financial market participants. In addition, we met with managers at 
the Board of Governors of the Federal Reserve (the Federal Reserve) and 
the federal National Communications System to obtain data on the use of 
federal national security/emergency preparedness programs by the 
financial industry to improve the recoverability of important 
telecommunications services. We also met with New York City officials 
to review the status of their efforts to reestablish an agreement to 
coordinate and monitor the recovery of local infrastructure in the 
event of future service outages. Finally, we met with managers at three 
large telecommunications carriers to review how they were rebuilding 
local infrastructure in New York City, and steps taken to review and 
revise their own continuity plans.

To assess financial regulators' efforts to ensure the resiliency of the 
financial markets, including the progress SEC has made in improving its 
program for overseeing security and operations issues at exchanges, 
clearing organizations, and ECNs, we reviewed relevant regulations and 
interviewed officials at SEC, the Federal Reserve, Office of the 
Comptroller of the Currency, and the Department of Treasury. We also 
discussed initiatives to improve responses to future crises and improve 
the resiliency of the financial sector and its critical 
telecommunications services with representatives of industry trade 
groups, including the Bond Market Association and the Securities 
Industry Association.

For our reviews, we relied on documentation and descriptions provided 
by market participants and regulators and reviews conducted by other 
organizations. When feasible, we also directly observed controls in 
place for physical security, electronic security, and business 
continuity at the organizations assessed. We did not test these 
controls by attempting to gain unauthorized entry or access to 
facilities or information systems, or directly observe testing of 
business continuity capabilities.

We performed our work from September 2003 through August 2004 in 
accordance with generally accepted government auditing standards.

[End of section]

Appendix II: Role of the Department of Homeland Security:

The Department of Homeland Security (DHS), created to help coordinate 
the efforts of organizations and institutions involved in protecting 
the nation against terrorist attacks, has essentially delegated to 
Treasury this coordinating role within the banking and finance sector. 
In 2002, the Homeland Security Act created DHS, which was given 
responsibility for developing a national plan to protect the nation's 
critical infrastructure. Homeland Security Presidential Directive 7 
(HSPD-7), issued in December 2003, further stated that the Secretary of 
DHS would be responsible for coordinating the overall national effort 
to enhance the protection of the critical infrastructure of the United 
States.[Footnote 32] HSPD-7 also stated that it is U.S. policy to 
enhance the protection of these critical infrastructures against 
terrorist attacks that could, among other things, damage the private 
sector's capability to ensure the orderly functioning of the economy.

To fulfill these objectives, HSPD-7 directs the Secretary of DHS to 
work closely with other federal departments and agencies, and 
designates specific agencies to coordinate efforts within certain 
sectors. Within the banking and finance sector, Treasury was given 
responsibility for collaborating with all relevant federal, state, and 
local officials, as well as the private sector. To fulfill this 
responsibility, Treasury coordinates with other federal financial 
regulators through the Financial and Banking Information Infrastructure 
Committee (FBIIC), whose members include representatives of the various 
regulators of banks, broker-dealers, futures commission merchants, and 
housing government sponsored enterprises, as well as other related 
organizations.[Footnote 33] Treasury coordinates its collaboration 
with the private sector through the Financial Services Sector 
Coordinating Council (FSSCC), whose members include representatives 
from exchanges, clearing organizations, and banking and securities 
trade associations.

According to Treasury officials, they coordinate with DHS in several 
ways. For example, a FBIIC member attends weekly meetings of DHS's 
Directorate of Information Analysis and Infrastructure Protection 
(IAIP), which identifies and assesses threats and issues timely 
warnings on those threats. According to Treasury, the FBIIC member at 
those meetings provides input on the needs of the financial sector as 
well as the relevancy for that sector of any identified threats. In 
addition, Treasury has worked with DHS to plan disaster recovery 
exercises, such as the TOPOFF exercises, which simulate physical 
attacks. Treasury is also working with DHS to continue developing 
"Chicago First," an emergency preparedness program designed to 
coordinate activities among financial sector participants and federal, 
state, and local government officials. Treasury is promoting this 
program as a model for other cities to implement. Finally, the 
Secretary of the Treasury, along with the Director of the Office of 
Homeland Security, is a member of the Homeland Security Council, which 
ensures the coordination of homeland security activities among 
executive departments and agencies. Representatives of the Homeland 
Security Council, in turn, are members of FBIIC.

According to FSSCC officials, they are interacting with DHS in at least 
two ways. First, DHS has asked FSSCC to prepare an updated version of 
the banking and finance sector's portion of the national strategy for 
critical infrastructure assurance, the first version of which was 
completed in May 2002. FSSCC expected to complete the updated version 
in June 2004. Second, FSSCC representatives have taken part in 
quarterly meetings between DHS and other sector coordinators. According 
to FSSCC officials, this group has produced a matrix outlining the 
responsibilities of the different sectors.

[End of section]

Appendix III: Comments from the Federal Reserve:

BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM:

WASHINGTON, D. C. 20551:

STEPHEN R. MALPHRUS: 
STAFF DIRECTOR FOR MANAGEMENT:

September 10, 2004:

Ms. Davi M. D'Agostino, Director:
Financial Markets and Community Investment: 
U.S. Government Accountability Office:
441 G Street, N.W.: 
Washington, DC 20548:

Dear Ms. D'Agostino:

Thank you for the opportunity to comment on GAO's draft report 
Financial Market Preparedness: Improvements Made, But More Action 
Needed to Prepare for Wide-Scale Disasters. Addressing the risks posed 
by the events of September 11 continues to be a priority for the 
Federal Reserve. As the draft report notes, we are also continuing 
efforts to improve the resilience of the financial system.

Technical comments on the draft report were provided to GAO during a 
recent meeting. We appreciate the efforts of your staff to respond to 
our comments.

Sincerely,

Signed by: 

Stephen R. Malphrus: 

[End of section]

Appendix IV: Comments from the Securities and Exchange Commission:

UNITED STATES SECURITIES AND EXCHANGE COMMISSION: 
WASHINGTON, D.C. 20549:

THE CHAIRMAN:

September 16, 2004:

The Honorable David M. Walker: 
Comptroller General of the United States:
Government Accountability Office: 
441 G Street, NW:
Washington, DC 20548:

Dear Mr. Walker:

This letter responds to the request to review and comment on the draft 
report entitled FINANCIAL MARKET PREPAREDNESS: Improvements Made, But 
More Action Needed to Prepare for Wide-Scale Disasters (GAO-04-984).

I appreciate the opportunity to respond to your report and I share the 
GAO's views regarding the importance of emergency preparedness of the 
financial markets. As the report recognizes, we have been working 
actively with the trading markets, core clearing organizations, and the 
major market participants to strengthen their resiliency. I am pleased 
that the GAO finds the markets to have made progress in 
telecommunications resiliency, physical controls, and business 
continuity planning.

The draft report makes four recommendations. The GAO's first 
recommendation is that the SEC should fully analyze the readiness of 
the securities markets to recover from major disruptions and work with 
the industry and other federal agencies, as appropriate, to determine 
reasonable actions that would increase the likelihood that trading in 
the markets would resume when appropriate. Accordingly, I have directed 
the staff to begin an assessment of key broker-dealers' trading staff 
arrangements and their ability to be prepared to resume their trading 
operations following a disaster. This assessment should be completed 
during the first half of 2005.

The GAO's second recommendation is for the SEC to establish a definite 
time frame for the submission of a rule requiring exchanges and 
clearing organizations to engage in activities consistent with the 
operational practices and other tenets of the ARP program. To that end, 
I understand that the Division of Market Regulation ("Division") is 
developing an automation rule proposal and that the proposal will be 
ready for Commission consideration during the first half of 2005.

The GAO's third recommendation is for the SEC to assess the adequacy of 
ARP staffing in terms of positions and technical skill levels, 
including information security expertise, given its mission and 
workload. In this regard, a staffing assessment is currently underway 
in terms of positions. I understand the Division is also in the process 
of performing an assessment of technical skill levels needed, including 
information security expertise. Should this assessment find the need 
for greater information security expertise, or other technical skill 
levels, we would address that through a combination of continuing 
professional education of current staff, hiring new staff with the 
needed expertise, and hiring contractors with the appropriate level of 
expertise. Further, as technical skill levels and focus are constantly 
changing, we will continue to monitor where our resources are most 
needed. To help improve our inspections, we are always looking for new 
skills, standards, and guidelines to use in the information security 
and other IT areas.

Finally, the GAO recommends that the Commission continue to assess the 
organizational alignment of the ARP program within the SEC. In 2003, 
the Commission performed an extensive assessment of the functions, 
duties, and responsibilities of the entire Commission, including the 
ARP program. Based on that assessment, we created the Office of Market 
Continuity in the Division of Market Regulation into which the ARP 
functions were moved. This realignment has helped focus ARP issues, 
such as continuity of operations planning, business continuity 
planning, and market watch, in one office. As part of the Commission's 
routine strategic planning effort, we will continue to assess the 
organizational alignment of the ARP program.

Sincerely,

Signed by: 

William H. Donaldson: 
Chairman: 

[End of section]

Appendix V: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Davi M. D'Agostino (202) 512-8678 
Cody J. Goebel (202) 512-8678:

Acknowledgments:

In addition to the individuals named above, Edward Alexander, Gerald 
Barnes, Lon Chin, West Coile, Kevin E. Conway, Kirk Daubenspeck, Ramnik 
Dhaliwal, Patrick Dugan, Edward Glagola, Harold Lewis, Thomas Payne, 
Barbara Roesmann, Eugene Stevens, Patrick Ward, Christopher Warweg, and 
Anita Zagraniczny made key contributions to this report.

[End of section]

Related GAO Products:

Critical Infrastructure Protection: Establishing Effective Information 
Sharing with Infrastructure Sectors. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-699T] 
Washington, D.C.: April 21, 2004.

Securities and Exchange Commission: Preliminary Observations on SEC's 
Spending and Strategic Planning. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-969T] 
Washington, D.C.: July 23, 2003.

Potential Terrorist Attacks: Additional Actions Needed to Better 
Prepare Critical Financial Market Participants. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-251] 
Washington, D.C.: February 12, 2003.

Potential Terrorist Attacks: Additional Actions Needed to Better 
Prepare Critical Financial Market Participants. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-414] 
Washington, D.C.: February 12, 2003.[Footnote 34] 

Critical Infrastructure Protection: Effort of the Financial Services 
Sector to Address Cyber Threats. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-173] 
Washington, D.C.: January 30, 2003.

SEC Operations: Increased Workload Creates Challenges. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-302] 
Washington, D.C.: March 5, 2002.

A Model of Strategic Human Capital Management. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-373SP] 
Washington, D.C.: March 15, 2002.

Information Systems: Opportunities Exist to Strengthen SEC's Oversight 
of Capacity and Security. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-863] 
Washington, D.C.: July 25, 2001.

Homeland Security: Efforts to Improve Information Sharing Need To Be 
Strengthened. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-760] 
Washington, D.C.: June 29, 2001.

Human Capital: A Self-Assessment Checklist for Agency Leaders, Version 
1. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/OCG-00-14G] 
Washington, D.C.: September 2000.

Federal Information System Controls Audit Manual, Volume I: Financial 
Statement Audits. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-12.19.6] 
Washington, D.C.: January 1999.

Executive Guide on Information Security Management: Learning from 
Leading Organizations. 
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-98-68] 
Washington, D.C.: May 1, 1998. 

(250126):

FOOTNOTES

[1] See GAO, Potential Terrorist Attacks: Additional Actions Needed to 
Better Prepare Critical Financial Market Participants, GAO-03-251 
(Washington, D.C.: Feb. 12, 2003) and Potential Terrorist Attacks: 
Additional Actions Needed to Better Prepare Critical Financial Market 
Participants, GAO-03-414 (Washington, D.C.: Feb. 12, 2003). Because 
these reports provide identical information, for simplicity, we will 
refer to them throughout this report as our 2003 report.

[2] Federal financial regulators have defined a wide-scale disruption 
as one that causes a severe disruption of transportation, 
telecommunications, power, or other critical infrastructure components 
across a metropolitan or other geographic area and its adjacent 
communities that are economically integrated with it; or that results 
in a wide-scale evacuation or inaccessibility of the population within 
normal commuting range of the disruption's origin.

[3] While the Department of Homeland Security is responsible for 
coordinating all efforts to protect the nation against terrorist 
attacks, Homeland Security Presidential Directive 7 (HSPD-7) designates 
the Department of the Treasury as the sector-specific federal agency 
responsible for coordinating such efforts within the banking and 
finance sector. Treasury coordinates with and reports to the Department 
of Homeland Security on its efforts. See appendix II for further 
information.

[4] See Department of Justice, Vulnerability Assessment of Federal 
Facilities (Washington, D.C.: Jun. 28, 1995). This document presented 
security standards to be applied to all federal facilities. Each 
facility is to be placed in one of five categories, with Level 1 
facilities having the least need for physical security and Level 5 
facilities having the highest need. Based on its risk level, a facility 
would be expected to implement increasingly stringent measures in 52 
security areas. These measures are geared more toward protecting 
against an attack such as a vehicle or package bomb than against an 
airborne attack.

[5] We discuss these guidelines in more detail later in this report. 

[6] The business continuity guidelines considered are described later 
in this report.

[7] This program is described later in this report. 

[8] This network is described in more detail later in this report.

[9] These guidelines are described in more detail later in this report.

[10] When this Verizon facility was damaged, about 182,000 voice 
circuits, more than 1.6 million data circuits, and more than 11,000 
lines serving Internet service providers were lost. 

[11] The President's National Security Telecommunications Advisory 
Committee (NSTAC), Financial Services Risk Assessment Report (December 
1997), p. 38. This committee serves as a presidential advisory group to 
the National Communications System, which, among other things, 
coordinates planning of national security and emergency preparedness 
communications for the federal government. NSTAC comprises industry 
officials who advise the U.S. government on policy and technical 
issues regarding emergency communications, information assurance, 
critical infrastructure protection, and related concerns.

[12] GAO-03-251, p. 58 and GAO-03-414, p. 57. 

[13] The President's National Security Telecommunications Advisory 
Committee, Financial Services Task Force Report, (April 2004).

[14] SIAC is a jointly owned subsidiary of the New York Stock Exchange 
and the American Stock Exchange. 

[15] A financial extranet is a private network that connects providers 
of financial information and transaction services (such as trading, 
clearing, and settlement) with members that use these services. 

[16] TSP is used to ensure that organizations that conduct activities 
important for national security or emergency preparedness receive 
priority treatment in their use of telecommunications services that can 
be vital to coordinating and responding to crises. These circuits are 
then eligible for priority restoration in a disaster. 

[17] ATIS is an association of telecommunications industry 
professionals that develops technical and operations standards and 
solutions for the communications and related information technologies 
industries. 

[18] GAO-03-251, p. 103 and GAO-03-414, p. 102. 

[19] FFIEC comprises officials from the Federal Reserve, Federal 
Deposit Insurance Corporation, National Credit Union Administration, 
Office of the Comptroller of the Currency, and Office of Thrift 
Supervision. The booklet rescinds and replaces chapter 10 of the 1996 
Information Systems Examination Handbook, Corporate Contingency 
Planning.

[20] 17 C.F.R. 248.

[21] The Board of Governors of the Federal Reserve, the Office of the 
Comptroller of the Currency, and the Securities and Exchange 
Commission, Interagency Paper on Sound Practices to Strengthen the 
Resilience of the U.S. Financial System (Washington, D.C.: April 2003).

[22] Specifically, the interagency paper defines core clearing and 
settlement organizations as either (1) market utilities, such as 
government-sponsored services or industry-owned organizations, whose 
primary purpose is to clear and settle transactions for critical 
markets or transfer large-value wholesale payments; or (2) private-
sector firms that provide clearing and settlement services that are 
integral to a critical market. The paper defines significant firms as 
those that participate (on their own behalf or for their customers) 
with sufficient market share in one or more critical financial markets 
that their failure to settle their own or their customers' material or 
pending transactions by the end of the day could present systemic risk. 
Firms are generally considered significant in a particular critical 
market if they consistently clear or settle at least 5 percent of the 
value of transactions in that market.

[23] To ensure that they can meet the goal of recovering within the 
same business day, the paper notes that core organizations should 
strive to be able to recover within 2 hours of a disruption, with 
significant firms striving to be able to recover within 4 hours. 

[24] In another clearing-related effort, the Federal Reserve, along 
with representatives from clearing banks, securities dealers, trade 
associations, and others, formed the Working Group on Government 
Securities Clearance and Settlement. Tasked with assessing alternatives 
for reducing the vulnerability stemming from concentration among 
clearing banks for government securities, this group has proposed that 
a new legal entity could assume the operations if one of the clearing 
banks were unable to operate as the result of financial or legal 
difficulties. However, this proposal, called the NewBank plan, is not 
intended to address operational disruptions and assumes that the staff, 
systems, and data of the affected clearing bank remain intact.

[25] U.S. Securities and Exchange Commission, Policy Statement: 
Business Continuity Practices for Trading Markets (Washington, D.C.: 
September 2003).

[26] NYSE Rule 446 and NASD Rule 3510.

[27] GAO-01-863, GAO-03-251, and GAO-03-414. 

[28] Securities and Exchange Commission, Final Rule: Regulation of 
Exchanges and Alternative Trading Systems, Release No. 34-40760 (Dec. 
8, 1998).

[29] GAO-01-863, GAO-03-251, and GAO-03-414. 

[30] See GAO, SEC Operations: Increased Workload Creates Challenges, 
GAO-02-302 (Washington, D.C.: Mar. 5, 2002), GAO-01-863, GAO-03-251, 
and GAO-03-414. 

[31] GAO, Executive Guide on Information Security Management: Learning 
from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May 1998).

[32] Homeland Security Presidential Directive 7, Critical 
Infrastructure Identification, Prioritization, and Protection 
(Washington, D.C.: Dec. 17, 2003).

[33] These organizations include the Commodity Futures Trading 
Commission, the Conference of State Bank Supervisors, Treasury, the 
Farm Credit Administration, the Federal Deposit Insurance Corporation, 
the Federal Housing Finance Board, the Federal Reserve Bank of New 
York, the Federal Reserve, the Homeland Security Council, the National 
Association of Insurance Commissioners, the National Credit Union 
Administration, the North American Securities Administrators 
Association, the Office of the Comptroller of the Currency, the Office 
of Federal Housing Enterprise Oversight, the Office of Thrift 
Supervision, the Securities and Exchange Commission, and the Securities 
Investor Protection Corporation.

[34] This report contains information identical to GAO-03-251.

GAO's Mission:

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site (www.gao.gov) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548:

To order by Phone:

Voice: (202) 512-6000:

TDD: (202) 512-2537:

Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: