Wednesday, 28 September 2016
Last updated 4 hours ago
Nov 27 2012 | 10:11am ET
By Eldon Sprickerhoff (CTO, eSentire) and Deborah Prutzman (CEO, The Regulatory Fundamentals Group, LLC) -- In the wake of Hurricane Sandy, a disaster with economic losses topping $50 billion, many firms are eager to enhance their business continuity and disaster plans ahead of future crises. A few weeks ago, Deborah Prutzman, CEO of The Regulatory Fundamentals Group and Eldon Sprickerhoff, CTO of eSentire, hosted a webinar that explored how existing plans stood up against the storm, identified threat trends during and after the storm, and provided insights on how to implement a robust business continuity and disaster recovery plan. Some of key takeaways are outlined below.
Lessons From Sandy
Although Sandy was a serious storm and caused substantial damage, the alternatives industry was lucky. We had advanced warning and could plan ahead, and mandatory evacuations were helpful because they moved staff to locations where they could continue to be in communication.
That being said, a few lessons have become clear. Having a plan on paper is just the first step; it is equally important to test all aspects of the plan. For example, some firms found that home is not necessarily a remote location. If home and office are both impacted by an event, another alternative is called for. Also, many firms realized, in retrospect, that their existing plans were short-sighted, in that they had not considered and planned for a long-term disruption. The loss of electricity for a day is a far different situation than a two week outage. Sandy also showed that timing matters in another respect. A crisis at the month end or year end has different consequences than an interruption in an ordinary week.
From a technology security point of view, like so many disasters, Hurricane Sandy was used as a vector for fraud. Attackers embedded malware into emails under the guise of fake news stories, requests for donations, applications for insurance relief, and password change requests. Over 1,000 domain names containing “relief” or “Sandy” were registered since the storm, many of which were seeking fraudulent donations. Cyber attacks focused on vulnerable systems, such as firm networks as they were switched to and from back-up servers, and also VoIP services.
Given the expected increase in fraudulent activity after any crisis, a basic step is to let employees know in advance about the cyber security risks that exist. On the IT side, it is crucial to make sure to validate your security readiness before switching to a back-up site. Some sites may be operating with out-of-date security patches and anti-virus software. Additionally, cloud service providers may also be affected, so make sure to check your cloud-readiness before going operational. During Sandy many cloud service providers and IT network operation centers were impacted and struggling to cope with the surge in help requests to bring networks back up.
In the end, many firms who spent time and resources developing a comprehensive business continuity and disaster recovery plan over the past few years felt vindicated by their efforts.
Why does one need a plan?
While many regulators, including the SEC and the NFA, require a business continuity and disaster recovery plan, the primary driver for implementing a plan should be protecting your business and your investors.
Prutzman noted that a business continuity and disaster recovery plan serves two primary functions. The first is to take as many issues off the plate of senior management and other employees during a time of crisis as can possibly be removed in advance. Of course you won’t think of every issue, but the more thought you put into constructing a plan, the easier it will be to react in the moment and understand what deserves focus.
The second function is to diffuse knowledge throughout the organization. Disasters cut across an entire firm, and a plan needs to address the whole organization. It is not clear ahead of time who will be available in a time of crisis to make decisions and carry forward the business, so it is important to have a plan that helps staff develop an understanding of who will make decisions (if possible), what the priorities are, what is critical and, equally important, what the firm can stop doing.
How to Plan Ahead
The first step to creating a plan is issue identification and customization -- understanding what drives your business. Your strategy and the kinds of instruments you trade are important. The needs of a high-frequency trading shop are very different from a private equity firm. HFTs needs to think about co-location, latency issues and hot back-up sites. In contrast, private equity firms may not need to make immediate investment decisions, but still need to consider liquidity and lines of credit and communications with portfolio companies. It is equally important to identify your firm’s key stakeholders, meaning the people with whom it is important to communicate with, whether they be investors, regulators, or sources of liquidity. And lastly, third party service providers may be critical, and during Sandy many of these proved to be the weakest link.
The second step is considering the types of disasters that might occur. This requires management to go through scenarios of different types of events. Examples include Sandy, 9/11, and a data breach/cyber attack. Each situation presents unique challenges regarding communications, continuing to run the business, and getting back to normal operations after the incident.
A crucial component of any effective business continuity and disaster recovery plan is periodic testing. This includes ensuring that there are well-documented procedures that can be used and understood in a time of crisis. It is likely, they industry will see an increased focus on testing, both from regulators and investors.
Eldon Sprickerhoff is the founder and chief technology officer of eSentire, Inc. With over 15 years of tactical information security experience, Mr. Sprickerhoff leads both the eSentire security research team, as well as the eSentire customer-facing team that conducts vulnerability assessments. Mr. Sprickerhoff sets the future vision and direction for security technology within the company, defines operational security best practices, and oversees the security posture on behalf of our customers. He holds several security industry certifications and is considered to be a subject matter expert in information security analysis. He holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.
Deborah Prutzman is the chief executive officer of The Regulatory Fundamentals Group, a New York-based firm that designs and implements business and risk solutions for alternative asset managers and institutional investors. RFG's senior-led team employs a robust suite of tools, including practical alerts on new and potential industry developments and its powerful RFG Pathfinder® knowledge management platform which simplifies the challenges of operating in a regulated environment.