Chapter 5

Business Continuity Planning

Series 24 — General Securities Principal

BCP Regulatory Requirements

FINRA Rule 4370 requires every member firm to create and maintain a Business Continuity Plan (BCP) reasonably designed to enable the firm to meet its existing obligations to customers in the event of an emergency or significant business disruption. The rule was adopted in the aftermath of the September 11, 2001 attacks, which demonstrated the devastating impact that catastrophic events can have on the financial industry's ability to serve customers and maintain market operations.

The BCP must be tailored to the firm's size, business model, and the specific risks it faces. A large carrying broker-dealer with multiple offices and complex clearing operations requires a far more elaborate BCP than a small introducing firm with a handful of representatives. However, all firms must address certain core elements mandated by FINRA, and all firms must review and update their BCP at least annually.

Required BCP Elements

Under FINRA Rule 4370, the BCP must address at a minimum the following ten elements:

  1. Data backup and recovery: Procedures for backing up essential data and records, including the geographic location of backup facilities and the frequency of data backup. Firms should maintain backup copies of essential records at a location separate from the primary site.
  2. Mission-critical systems: Identification of all mission-critical systems, including order-taking, order entry, execution, trade comparison, allocation, clearance and settlement, customer account access, and delivery of funds and securities. Plans for maintaining or restoring these systems within established timeframes.
  3. Financial and operational assessments: Procedures for assessing the firm's ability to continue operating in the aftermath of a disruption, including assessment of the firm's net capital position and ability to meet customer obligations.
  4. Alternate communications between customers and the firm: Methods by which customers can communicate with the firm during a disruption, including alternate phone numbers, websites, and email addresses.
  5. Alternate communications between the firm and its employees: Communication chains and alternate contact methods for reaching employees during an emergency.
  6. Alternate physical location: Identification of an alternate physical location from which the firm can conduct business if the primary location is unavailable.
  7. Critical business constituents, banks, and counter-party impact: Assessment of how disruptions affecting the firm's clearing firm, banks, or other critical business partners would impact the firm's operations.
  8. Regulatory reporting: Procedures for filing FOCUS reports, TRACE reports, and other required regulatory filings during a disruption.
  9. Communications with regulators: Procedures for contacting FINRA, the SEC, and other regulators during an emergency, including the FINRA emergency contact number.
  10. How the firm will ensure customers' prompt access to their funds and securities: Specific procedures for ensuring that customers can access their accounts, transfer assets, and receive funds during a disruption.
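The first element, data backup and recovery, is the one a principal can verify with tooling rather than by reading the plan: the newest copy of each essential record set should be recent enough to meet the stated backup frequency, stored somewhere other than the primary site, and intact. The following Python check, added here as an illustration and not part of the Series 24 text, FINRA Rule 4370, or any vendor's backup product, runs those three tests over a constructed backup catalogue; the dataset names, site names, timestamps and policy thresholds are assumptions made for the example.

```python
"""Backup-and-recovery readiness check for BCP element 1 (data backup and recovery).

Added example for this chapter; it is not part of the Series 24 text, FINRA
Rule 4370, or any vendor's backup product.  The catalogue, policy, site names
and timestamps below are constructed sample data, and the check logic is an
assumed design chosen for illustration.
"""
from datetime import datetime, timedelta, timezone
from hashlib import sha256

PRIMARY_SITE = "NYC-DC1"  # constructed primary data center name

# Constructed policy: maximum age of the newest backup for each essential record set.
BACKUP_POLICY = {
    "customer_accounts": timedelta(hours=24),
    "trade_blotter": timedelta(hours=4),
    "general_ledger": timedelta(hours=24),
    "order_routing_config": timedelta(hours=24),  # deliberately absent from the catalogue
}


def _entry(dataset, site, completed, payload, sha=None):
    """Build one constructed catalogue record; a real one would come from the backup system."""
    return {"dataset": dataset, "site": site, "completed": completed,
            "payload": payload, "sha256": sha or sha256(payload).hexdigest()}


BACKUP_CATALOGUE = [
    _entry("customer_accounts", "NJ-DR", "2024-03-03T02:00:00Z", b"acct-snapshot-0303"),
    _entry("customer_accounts", "NJ-DR", "2024-03-04T02:00:00Z", b"acct-snapshot-0304"),
    # Copy kept at the primary site: usable, but not the geographically separate copy the BCP calls for.
    _entry("trade_blotter", "NYC-DC1", "2024-03-04T07:00:00Z", b"blotter-0700"),
    # Stale copy whose recorded hash no longer matches its contents (simulates a failed restore test).
    _entry("general_ledger", "NJ-DR", "2024-03-01T02:00:00Z", b"gl-0301", sha="0" * 64),
]

SAMPLE_NOW = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)  # constructed "current time"


def _parse_utc(stamp):
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on, so normalise it.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def check_backups(catalogue, policy, now, primary_site=PRIMARY_SITE):
    """Return {dataset: [findings]} for every dataset in the policy; an empty list means ready."""
    latest = {}  # newest catalogue record per dataset
    for rec in catalogue:
        cur = latest.get(rec["dataset"])
        if cur is None or _parse_utc(rec["completed"]) > _parse_utc(cur["completed"]):
            latest[rec["dataset"]] = rec

    report = {}
    for dataset, max_age in policy.items():
        rec = latest.get(dataset)
        if rec is None:
            report[dataset] = ["no backup recorded"]
            continue
        findings = []
        age = now - _parse_utc(rec["completed"])
        if age > max_age:
            findings.append(f"stale: newest copy is {age.total_seconds() / 3600:.0f}h old, "
                            f"limit {max_age.total_seconds() / 3600:.0f}h")
        if rec["site"] == primary_site:
            findings.append("not offsite: newest copy is stored at the primary site")
        # Recompute the digest over the stored payload, standing in for a restore test.
        if sha256(rec["payload"]).hexdigest() != rec["sha256"]:
            findings.append("integrity: stored checksum does not match contents")
        report[dataset] = findings
    return report


def findings_summary(report):
    """Datasets that are not recovery-ready, sorted, for the annual BCP review record."""
    return sorted(d for d, f in report.items() if f)


def run_sample():
    """Run the check over the constructed catalogue at the constructed time."""
    return check_backups(BACKUP_CATALOGUE, BACKUP_POLICY, SAMPLE_NOW)


if __name__ == "__main__":
    for dataset, findings in run_sample().items():
        print(dataset, "OK" if not findings else "; ".join(findings))
```

On the sample data the customer account snapshot passes, the trade blotter is flagged only for sitting at the primary site, the general ledger is both stale and fails its checksum, and the order-routing configuration has no backup at all; the sorted summary is what would be attached to the annual review as the list of gaps and remediation items.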

Exam Tip

The BCP must be reviewed and updated at least annually, and more frequently when there are material changes to the firm's operations, personnel, or risk profile. The firm must also disclose a summary of its BCP to customers at account opening and post it on its website (if one exists). The exam may test whether firms must provide the actual BCP to customers (they do not; only a summary).

Disaster Recovery and Testing

A BCP is only effective if it works when needed. Firms must test their business continuity plans to ensure that backup systems, alternate locations, communication procedures, and recovery processes actually function as intended. While FINRA does not prescribe specific testing requirements for all firms, regulators expect firms to conduct periodic testing appropriate to their size and complexity.

Types of BCP Testing

  • Tabletop exercises: Senior management and key personnel walk through various disruption scenarios and discuss how the BCP would be activated and executed. These exercises identify gaps in planning without actually disrupting operations.
  • Functional testing: Individual components of the BCP are tested, such as switching to backup data systems, activating alternate communication channels, or relocating operations to an alternate site.
  • Full-scale simulations: The firm simulates a complete disruption and activates the entire BCP, testing all systems, communications, and recovery procedures simultaneously. Full-scale testing is the most comprehensive but also the most disruptive and expensive.

Emergency Contact Information

FINRA requires each member to report emergency contact information through the FINRA Contact System (FCS). This includes two designated emergency contact persons who can be reached during an emergency. The firm must update this information within 17 business days of any change and must review the information quarterly to ensure it remains current.

Key Takeaway

BCP testing should be proportionate to the firm's business. Large firms with complex operations should conduct more frequent and comprehensive testing. All firms should at minimum conduct annual tabletop exercises and document the results, including any identified gaps and remediation plans.

Cybersecurity Obligations

Cybersecurity has become one of the most critical areas of risk management for broker-dealers. While FINRA has not adopted a single comprehensive cybersecurity rule, the obligation to protect customer information and systems is embedded in multiple regulatory requirements, including FINRA's supervisory rules, SEC Regulation S-P (privacy), SEC Regulation S-ID (identity theft), and the broader obligation to maintain a supervisory system reasonably designed to achieve compliance.

Key Cybersecurity Requirements

  • Information security program: Firms must develop and implement written policies and procedures to protect customer records and information. This includes technical controls (firewalls, encryption, access controls), administrative controls (employee training, vendor management), and physical controls (facility access).
  • Incident response plan: Firms must have a plan for responding to cybersecurity incidents, including detection, containment, eradication, recovery, and post-incident analysis. The plan should include procedures for notifying customers, regulators, and law enforcement when appropriate.
  • Vendor management: Firms must conduct due diligence on third-party vendors who have access to customer data or critical systems, and must contractually require vendors to maintain appropriate security measures.
  • Employee training: All personnel must receive training on cybersecurity risks, including phishing, social engineering, password security, and proper handling of customer data.
  • Access controls: Firms must implement controls to restrict access to systems and data to authorized personnel only, using principles of least privilege and separation of duties.

Cyber Threat | Description | Key Mitigation
--- | --- | ---
Phishing | Fraudulent emails tricking employees into revealing credentials | Employee training, email filtering, multi-factor authentication
Ransomware | Malware encrypting data and demanding payment | Regular backups, endpoint protection, network segmentation
Insider Threats | Employees misusing access to data or systems | Access controls, monitoring, separation of duties
Account Takeover | Unauthorized access to customer accounts | Multi-factor authentication, transaction monitoring
Third-Party Breach | Compromise through vendor or partner systems | Vendor due diligence, contractual requirements, monitoring
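The access-controls bullet and the Insider Threats row both rest on two ideas that are easy to state and easy to get wrong in practice: a role carries only the permissions its job needs (least privilege), and no single person completes both halves of a sensitive transaction (separation of duties). The Python authorization check below is an added example, not code from the Series 24 text, FINRA, or any entitlement product; the roles, permissions, users, request stream and the specific rule that one person may not both enter and approve the same wire are all constructed for illustration. Every refusal is logged so that a supervisor can review it, which is the monitoring piece of the same table row.

```python
"""Least-privilege and separation-of-duties authorization checks.

Added example for the access-controls bullet and the insider-threat row; it is
not from the Series 24 text, FINRA, or any vendor's entitlement system.  Roles,
permissions, users and the sample request stream are constructed, and the rule
that one person may not both enter and approve the same wire is an assumed
control chosen to illustrate separation of duties.
"""

# Constructed role-to-permission map: each role gets only what its job needs (least privilege).
ROLE_PERMISSIONS = {
    "registered_rep": {"account.view", "order.enter"},
    "ops_clerk": {"account.view", "wire.enter"},
    "ops_supervisor": {"account.view", "wire.approve"},
    # Small-firm role that legitimately holds both wire permissions; separation of
    # duties must then be enforced per transaction, not only by how roles are designed.
    "ops_manager": {"account.view", "wire.enter", "wire.approve"},
}

# Action pairs that must not be performed by the same person on the same item.
CONFLICTING_DUTIES = [("wire.enter", "wire.approve")]


class AccessControl:
    def __init__(self, role_permissions, conflicting_duties):
        self.role_permissions = role_permissions
        self.conflicts = conflicting_duties
        self.history = {}   # (action, item) -> user who performed it
        self.denials = []   # refusals queued for supervisory review

    def _deny(self, user, action, item, reason):
        self.denials.append({"user": user, "action": action, "item": item, "reason": reason})
        return False

    def authorize(self, user, role, action, item):
        """Return True and record the action, or False after logging why it was refused."""
        # Least privilege: the role must explicitly carry the permission.
        if action not in self.role_permissions.get(role, set()):
            return self._deny(user, action, item, "least privilege: role lacks permission")
        # Separation of duties: refuse if this user already did the conflicting action on the item.
        for first, second in self.conflicts:
            if action in (first, second):
                other = second if action == first else first
                if self.history.get((other, item)) == user:
                    return self._deny(user, action, item,
                                      f"separation of duties: same user already performed {other}")
        self.history[(action, item)] = user
        return True


# Constructed request stream: (user, role, action, item).
SAMPLE_REQUESTS = [
    ("alice", "ops_clerk", "wire.enter", "WIRE-1001"),        # allowed
    ("alice", "ops_clerk", "wire.approve", "WIRE-1001"),      # denied: clerks cannot approve
    ("bob", "ops_supervisor", "wire.approve", "WIRE-1001"),   # allowed: a different person approves
    ("dave", "ops_manager", "wire.enter", "WIRE-1002"),       # allowed
    ("dave", "ops_manager", "wire.approve", "WIRE-1002"),     # denied: he entered it himself
    ("bob", "ops_supervisor", "wire.approve", "WIRE-1002"),   # allowed
    ("erin", "registered_rep", "wire.approve", "WIRE-1003"),  # denied: reps hold no wire rights
]


def run_sample(requests=SAMPLE_REQUESTS):
    """Replay the request stream; return (decisions, denial log) for inspection."""
    ac = AccessControl(ROLE_PERMISSIONS, CONFLICTING_DUTIES)
    decisions = [ac.authorize(*req) for req in requests]
    return decisions, ac.denials


if __name__ == "__main__":
    decisions, denials = run_sample()
    for req, ok in zip(SAMPLE_REQUESTS, decisions):
        print("ALLOW" if ok else "DENY ", *req)
    for d in denials:
        print("review:", d)
```

The ops_manager role shows why role design alone is not enough: the role is allowed to hold both wire permissions, so the control has to look at who actually entered the specific wire before letting the same person approve it. The denial log is the input to the monitoring that the table pairs with access controls; a user who repeatedly trips either rule is worth a supervisor's attention.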

Warning

FINRA has made cybersecurity a top examination priority. Firms that suffer data breaches due to inadequate cybersecurity controls face regulatory action, customer lawsuits, reputational damage, and financial losses. Principals must ensure that cybersecurity is addressed as part of the overall supervisory system and that the firm allocates adequate resources to protect customer data and systems.

Customer Notification and Disclosure

Firms are required to provide customers with certain information about their BCP. At account opening, and upon customer request, the firm must provide a written summary of its BCP that addresses how the firm will respond to a significant business disruption and how the customer can access their funds and securities. Many firms satisfy this requirement by including BCP summary information on their website and in their new account documentation.

The BCP disclosure must address the following: how quickly the firm expects to resume business operations after a disruption, which services may be affected and for how long, how customers can access their accounts during a disruption, and how the firm will communicate with customers about the status of their accounts. The disclosure should be written in plain language that customers can understand.

Deep Dive: Pandemic Planning Considerations

The COVID-19 pandemic highlighted the importance of comprehensive BCP planning that extends beyond traditional disaster scenarios. Key lessons and considerations include:

  • Remote work readiness: Firms must have the technological infrastructure to support large-scale remote work, including secure VPN access, remote monitoring capabilities, and collaboration tools
  • Communication systems: Traditional phone systems may be insufficient during extended disruptions; firms need redundant communication channels
  • Supervisory challenges: Remote work environments require adapted supervisory procedures, including remote monitoring of trading activity, electronic communication surveillance, and compliance testing
  • Vendor resilience: Firms must assess whether their critical vendors can also maintain operations during a pandemic or extended disruption
  • Mental health and employee welfare: Extended disruptions create stress and burnout that can affect employee judgment and compliance

FINRA issued guidance during the pandemic emphasizing that firms must maintain effective supervision and compliance monitoring regardless of where employees work. The traditional model of in-office supervision must be supplemented with technology-based monitoring when personnel are working remotely.

Check Your Understanding

Test your knowledge of business continuity planning. Select the best answer for each question.

1. How often must a firm review and update its Business Continuity Plan?

2. Which of the following is NOT one of the required elements of a BCP under FINRA Rule 4370?

3. What information must a firm provide to customers regarding its BCP?

4. How many emergency contact persons must a firm designate through the FINRA Contact System?

5. Which cybersecurity control is MOST effective against phishing attacks?