The Importance of a Business Continuity Plan – A Lesson from Hurricane Sandy
By Matthew Hilsenrad, Director of Disaster Recovery, Abacus Group LLC
It’s becoming a faded memory, but only seven years ago the financial capital of the world – New York City – was nearly brought to its knees by Mother Nature. Hurricane Sandy flooded the NYC subways and tunnels, blacking out most of Lower Manhattan. The New York Stock Exchange and Nasdaq were closed for two days. The storm cost New York State a staggering $32 billion, New York City $19 billion and the U.S. economy an estimated $65 billion.
In the storm’s aftermath, the financial services industry scrambled to recover. Many firms and institutions came to the quick realization that they had not been prepared for the business disruptions. Many began to plan for the next potential crisis.
Today, with so much at risk, every financial firm should have a working Business Continuity Plan (BCP) in place. Surprisingly, many still do not. And, while some firms have plans, they rely too much on each department to produce its own strategy, neglecting to take into account the needs of the entire firm.
One of the most important lessons learned from Sandy is the importance of geographic data diversity. In the ensuing years, some firms have opened new cloud data centers, always considering proximity to a secondary site so that clients are prepared for any regional disaster scenario. Each data center should be on a different power grid and use alternate connectivity providers (not to mention sit outside of known flood zones).
Sandy also taught many of us the value of proactively moving essential client services to a secondary site ahead of a predicted major event. Firms with this type of disaster recovery strategy were able to work through the storm, for the most part uninterrupted. After the storm, some firms did a thorough assessment of their BCPs, which led to further action to protect clients from future events. For instance, one firm had a secondary site near Philadelphia, which for some clients was less than 100 miles from the firm’s primary site. Following Sandy, the firm moved all of its client data from its onsite offices to more dispersed data centers. Within a year, the firm started planning out a migration project which moved the secondary site to a location 1,500 miles from the primary data center.
In rewriting a BCP, it is helpful to memorialize a set of best practices. Before you compose your BCP, be mindful of any regulatory requirements (SEC, CFTC, FINRA, GDPR or the California Privacy Act). Be prepared to share your BCP with investors, prime brokers or other financial entities – if you don’t have a BCP, they may demand one or take their business elsewhere.
Additionally:
- Make sure your plan is “holistic” – covering the entire firm. Make sure it is not “compartmentalized,” where one department doesn’t know what the other is planning.
- Your plan must be reviewed and approved by senior management (including boards of directors). Ultimately, they are legally responsible to clients as well as regulators.
- The BCP should combine both business and technology needs. It should also be accessible to all employees.
- The BCP should identify and include key services (connectivity, voice, email, data, applications, etc.) and vendors, with their contact information.
- Ensure that the BCP is reviewed on an annual basis, including documentation of all testing done since the last update.
- Work with your in-house IT staff or managed service provider to “stress test” your system and prepare for large scale outages like Sandy. Identify business critical workflows and include them during tests.
- Have a strategy to deal with office inaccessibility (where users work remotely). If possible, include multiple methods to access your data during a disaster scenario.
- Schedule a BCP day annually and ensure that your users are familiar with working remotely. Document takeaways and provide feedback to your IT staff on what worked and what didn’t.
- Finally, don’t leave your testing until the end of the year.
No one can predict the future with certainty, but you can be certain that disasters will happen – not only natural disasters but human-inspired events like a cyber attack. A flexible, up-to-date and well-tested Business Continuity Plan can give you confidence that your firm will survive anything that Mother Nature or the Internet throws at you.
About the Author
Matthew Hilsenrad is the Director of Disaster Recovery at Abacus Group, a global firm that provides outsourced IT services and cloud hosting solutions to the alternative investment industry. Matt oversees Abacus’ disaster recovery services, including management of a Zerto replication platform, process planning, and coordination of all DR testing. He has over 20 years of experience in IT services and a bachelor’s degree from the University of Buffalo.