oversight

Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants

Published by the Government Accountability Office on 2003-02-12.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                United States General Accounting Office

GAO             Report to Congressional Requesters




February 2003
                POTENTIAL
                TERRORIST
                ATTACKS
                Additional Actions
                Needed to Better
                Prepare Critical
                Financial Market
                Participants




GAO-03-251
                a
                                               February 2003


                                               POTENTIAL TERRORIST ATTACKS

                                               Additional Actions Needed to Better
Highlights of GAO-03-251, a report to
Congressional Requesters
                                               Prepare Critical Financial Market
                                               Participants


September 11 exposed the                       The September 11 attacks severely disrupted U.S. financial markets,
vulnerability of U.S. financial                resulting in the longest closure of the stock markets since the 1930s and
markets to wide-scale disasters.               severe settlement difficulties in the government securities market. While
Because the markets are vital to               exchange and clearing organization facilities were largely undamaged,
the nation’s economy, GAO                      critical broker–dealers and bank participants had facilities and
assessed (1) the effects of the
attacks on market participants’
                                               telecommunications connections damaged or destroyed. These firms and
facilities and telecommunications              infrastructure providers made heroic and sometimes ad hoc and innovative
and how prepared participants                  efforts to restore operations. However, the attacks revealed that many of
were for attacks at that time, (2)             these organizations’ business continuity plans (BCP) had not been designed
physical and information security              to address wide-scale events.
and business continuity plans
market participants had in place               GAO reviewed 15 organizations that perform trading or clearing and found
after the attacks, and (3) regulatory          that since the attacks, these organizations had improved their physical and
efforts to improve preparedness                information security measures and BCPs to reduce the risk of disruption
and oversight of market                        from future attacks. However, many of the organizations still had limitations
participants’ risk reduction efforts.          in their preparedness that increased their risk of being disrupted. For
                                               example, 9 organizations had not developed BCP procedures to ensure that
GAO recommends that the                        staff capable of conducting their critical operations would be available if an
Chairman, SEC, work with industry              attack incapacitated personnel at their primary sites. Ten were also at
to                                             greater risk for being disrupted by wide-scale events because 4 organizations
•   develop goals and strategies               had no backup facilities and 6 had facilities located between 2 to 10 miles
    to resume trading in securities            from their primary sites.
    markets,
•   determine sound business                   The financial regulators have begun to jointly develop recovery goals and
    continuity practices needed to             business continuity practices for organizations important for clearing;
    meet these goals,                          however, regulators have not developed strategies and practices for
•   identify organizations critical            exchanges, key broker-dealers, and banks to ensure that trading can resume
    to market operations and
    ensure they implement sound
                                               in a timely manner in future disasters. Individually, SEC has reviewed
    business continuity practices,             exchange and clearing organization risk reduction efforts, but had not
    and                                        generally reviewed broker-dealers’ efforts. The bank regulators that oversee
•   test strategies to resume                  the major banks had guidance on information security and business
    trading.                                   continuity and reported examining banks’ risk reduction measures annually.

In addition, the report contains
recommendations to improve
SEC’s oversight of information
technology issues.




www.gao.gov/cgi-bin/getrpt?GAO-03-251.

To view the full report, including the scope
and methodology, click on the link above.
For more information, contact Davi M.
D’Agostino (202) 512-8678 or
dagostinod@gao.gov.
Contents



Transmittal Letter                                                                                     1


Executive Summary                                                                                      4
                         Purpose                                                                       4
                         Results in Brief                                                              5
                         Principal Findings                                                           10
                         Recommendations                                                              17
                         Agency Comments and GAO Evaluation                                           17


Chapter 1                                                                                             19
                         Various Organizations Participate in Stock and Options Markets               19
Introduction             Government Securities and Money Market Instruments Are Traded
                           Differently from Stocks                                                    21
                         Payment Systems Processors Transfer Funds for Financial Markets
                           and Other Transactions                                                     23
                         Certain Market Participants Are Critical to Overall Functioning of
                           the Securities Markets                                                     23
                         Various Regulators Oversee Securities Market Participants, but
                           Approaches and Regulatory Goals Vary                                       24
                         Telecommunications and Information Technology Are Vital to
                           Securities Markets                                                         25
                         Financial Organizations Manage Operations Risks by Protecting
                           Physical and Information Security and Business Continuity
                           Planning                                                                   26
                         Objectives, Scope, and Methodology                                           26


Chapter 2                                                                                             30
                         Attacks Caused Extensive Damage and Loss of Life and Created
September 11 Attacks       Difficult Conditions That Impeded Recovery Efforts                         30
Severely Disrupted       Damage from Attacks Significantly Disrupted Telecommunications
                           and Power                                                                  38
U.S. Financial Markets   Attacks Severely Affected Financial Markets but Heroic Efforts
                           Were Made to Restore Operations                                            45
                         Disruptions in Government Securities and Money Markets Severely
                           Affected Clearance and Settlement, Liquidity, and Trade
                           Volumes                                                                    49
                         Impact of Attacks on the Banking and Payments Systems Was Less
                           Severe                                                                     54




                         Page i                                    GAO-03-251 Potential Terrorist Attacks
                            Contents




                            Attacks Revealed Limitations in Financial Market Participants’
                              Business Continuity Capabilities                                           56
                            Observations                                                                 58


Chapter 3                                                                                                59
                            In Climate of Increasing Risk, Organizations Often Have to Choose
Financial Market               How to Best Use Resources                                                 59
Participants Have           All Financial Market Organizations Were Taking Steps to Reduce the
                               Risks of Operations Disruptions                                           63
Taken Actions to            Some Financial Organizations Had Preparedness Limitations That
Reduce Risks of                Increased Their Risk of an Operations Disruption                          64
Disruption, but Some        Observations                                                                 68
Limitations Remain

Chapter 4                                                                                                69
                            Regulators Are Developing Recovery Goals and Sound Business
Financial Market              Continuity Practices for Clearing Functions but Not for Trading
Regulators Lack               Activities                                                                 70
                            Program, Staff, and Resource Issues Hamper SEC Oversight of
Recovery Goals for            Market Participants’ Operations Risks                                      74
Trading and Could           Bank Regulators Have Authority to Oversee Operational Risk                   83
Strengthen Their            Conclusions                                                                  85
                            Recommendations                                                              88
Operations Risk             Agency Comments and Our Evaluation                                           89
Oversight

Appendixes
              Appendix I:   Telecommunications Providers and Others Cooperated to
                            Overcome Damage to Telecommunications Infrastructure                         91
                            The Terrorist Attacks Extensively Damaged Local
                              Telecommunications Infrastructure                                          91
                            Telecommunications Carriers and Government Agencies Worked
                              Together to Overcome Challenges                                            94
             Appendix II:   Regulator and Market Participants Are Working to Improve
                            Crisis Response and Telecommunications Resiliency                            98
                            New Organizations Will Increase the Extent to Which Critical
                              Infrastructure Protection Efforts Address the Financial
                              Sector                                                                     98




                            Page ii                                   GAO-03-251 Potential Terrorist Attacks
                          Contents




                          Regulators and Market Participants Are Acting to Improve
                            Crisis Response                                                            99
                          Numerous Initiatives Are Under Way to Strengthen the Resiliency of
                            Local Telecommunications Services                                        101
          Appendix III:   Comments from Federal Reserve System                                       109
          Appendix IV:    Comments from the Securities and Exchange Commission                       110
           Appendix V:    GAO Contacts and Staff Acknowledgments                                     112
                          GAO Contacts                                                               112
                          Acknowledgments                                                            112



Figures                   Figure 1: Clearance and Settlement Process for Stocks                        21
                          Figure 2: Buildings Destroyed or Damaged on September 11,
                                     2001                                                              31
                          Figure 3: Geographic Extent of Damage and Debris from Attacks in
                                     Lower Manhattan                                                   33
                          Figure 4: Damage to Buildings from Attacks and Resulting
                                     Debris                                                            34
                          Figure 5: Dust and Debris Resulting from Attack                              35
                          Figure 6: Lower Manhattan Area Subject to Access Restrictions
                                     Following September 11, 2001, Attacks                             37
                          Figure 7: Damage to Verizon Central Office at 140 West Street                39
                          Figure 8: Area Served by Verizon 140 West Street Central Office              41
                          Figure 9: Verizon Used Temporary Cabling Solutions at 140 West
                                     Street                                                            44
                          Figure 10: Failed Transactions in the Government Securities
                                     Markets During September 2001                                     51
                          Figure 11: Cash Purchases of Government Securities and Repo
                                     Market Activity During September 2001                             52
                          Figure 12: Intervals between Most Recent SEC ARP Examinations
                                     of Critical Exchanges and Clearing Organizations                  80
                          Figure 13: Verizon Overcame Major Challenges During 140 West
                                     Street Restoration Efforts                                       96
                          Figure 14: The SFTI Network Provides Redundant Connections                 106




                          Page iii                                  GAO-03-251 Potential Terrorist Attacks
Contents




Abbreviations

Amex    American Stock Exchange
ARP     Automation Review Policy
BCP     Business continuity plan
BNet    Business Network of Emergency Resources
BONY    Bank of New York
CHIPS   Clearing House Inter-bank Payments System
DOITT   Department of Information Technology and
        Telecommunications
ECN     Electronic communications network
FBIIC   Financial and Banking Information Infrastructure Committee
FCC     Federal Communications Commission
FISCAM Federal Information System Controls Audit Manual
FRBNY   Federal Reserve Bank of New York
GETS    Government Emergency Telecommunications Service
GLBA    Gramm-Leach-Bliley Act
GSCC    Government Securities Clearing Corporation
IDB     Inter-dealer Broker
MARC    Mutual Aid and Restoration Consortium
NCS     National Communications System
NRIC    National Reliability and Interoperability Council
NSCC    National Securities Clearing Corporation
NYSE    New York Stock Exchange
OCC     Office of the Comptroller of the Currency
OCIE    Office of Compliance, Inspections, and Examinations
PBX     Private Branch Exchange
SEC     Securities and Exchange Commission
SFTI    Secure Financial Transaction Infrastructure
SIA     Securities Industry Association
SIAC    Securities Industry Automation Corporation
SONET   Synchronous optical network
SRO     Self-regulatory organization
TSP    Telecommunications Service Priority




 This is a work of the U.S. Government and is not subject to copyright protection in the
 United States. It may be reproduced and distributed in its entirety without further
 permission from GAO. It may contain copyrighted graphics, images or other materials.
 Permission from the copyright holder may be necessary should you wish to reproduce
 copyrighted materials separately from GAO’s product.




Page iv                                             GAO-03-251 Potential Terrorist Attacks
A
United States General Accounting Office
Washington, D.C. 20548



           February 12, 2003                                                                                           T
                                                                                                                       ransmL
                                                                                                                            ta
                                                                                                                             ileter




           Congressional Requesters:

           This report presents the results of the review you requested on the preparations that financial
           markets have made since the September 11, 2001, terrorist attacks to protect themselves from
           physical and electronic attacks and to develop business continuity plans for recovering rapidly and
           resuming operations if damage occurs. The massive destruction caused by the attacks on the World
           Trade Center and the resulting loss of life, facilities, telecommunications, and power significantly
           affected U.S. financial markets. The markets reopened within days despite enormous obstacles, but
           the attacks also exposed the vulnerability of the financial markets to disruption by such events. In
           conducting this work, we assessed:

           1. the effects of the attacks on the facilities and telecommunications services of participants in the
              stock and option markets, the markets for government securities and money market instruments,
              and the banking and payments systems and how prepared market participants were for the
              attacks at that time;

           2. the physical and information security and business continuity measures 15 exchanges, clearing
              organizations, electronic communication networks, and payment system processors had in place
              after the attacks to reduce the risk of operations disruptions in the future; and

           3. the financial regulators’ oversight of market participants’ efforts to reduce their operations risks
              and regulatory efforts under way to better prepare the markets for future attacks.

           This report contains recommendations to the Chairman, Securities and Exchange Commission (SEC)
           designed to better ensure that U.S. securities markets are better prepared to recover from future
           disasters. This report also contains recommendations to improve SEC’s oversight of information
           technology issues.




                                      Page 1                                      GAO-03-251 Potential Terrorist Attacks
As we agreed with your office, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days from the
date of this letter. We will then send copies to the Secretary, Treasury; the
Chairman, SEC; the Chairman, Federal Reserve; and the Comptroller of the
Currency; and others who request them. In addition, this report will also be
available at no cost on our Web site at http//www.gao.gov.




Davi M. D’Agostino
Director, Financial Markets
 and Community Investment




Robert F. Dacey
Director, Information Security




Linda Koontz
Director, Information Management




Keith Rhodes
Chief Technologist
Director, Center for Technology
 and Engineering



Page 2                                      GAO-03-251 Potential Terrorist Attacks
List of Congressional Requesters

The Honorable W.J. "Billy" Tauzin, Chairman
The Honorable John D. Dingell, Ranking Minority Member
Committee on Energy and Commerce
House of Representatives

The Honorable Fred Upton, Chairman
The Honorable Edward J. Markey, Ranking Minority Member
Subcommittee on Telecommunications and the Internet
Committee on Energy and Commerce
House of Representatives

The Honorable Cliff Stearns, Chairman
The Honorable Edolphus Towns, Ranking Minority Member
Subcommittee on Commerce, Trade, and Consumer Protection
Committee on Energy and Commerce
House of Representatives




Page 3                                 GAO-03-251 Potential Terrorist Attacks
Executive Summary



Purpose      The massive destruction caused by the September 11, 2001, terrorist
             attacks on the World Trade Center and the resulting loss of life, facilities,
             telecommunications, and power significantly affected U.S. financial
             markets, which were concentrated in lower Manhattan. Despite enormous
             obstacles, the markets for stocks, options, government securities, and
             money market instruments all had reopened by the following week, but the
             attacks also exposed the vulnerability of the financial markets to disruption
             by such events.1 Because the markets are vital to the nation’s economy,
             congressional requesters asked GAO to review preparations that financial
             markets have made since the attacks to protect themselves from physical
             and electronic attacks and the business continuity plans (BCP) that
             describe the resources and procedures they would use to recover and
             resume operations if damage occurs. GAO assessed (1) the effects of the
             attacks on the facilities and telecommunications services of participants in
             the stock and option markets, the markets for government securities and
             money market instruments, and the banking and payment systems and how
             prepared market participants were for the attacks at that time; (2) the
             physical and information security and business continuity measures 15
             market organizations had in place after the attacks to reduce the risk of
             operations disruptions in the future; and (3) joint regulatory efforts to
             better prepare the markets for future attacks and individual financial
             regulators’ oversight of market participants’ efforts to reduce their
             operations risks.

             In performing its work, GAO reviewed regulatory and industry documents
             and studies and interviewed staff from broker-dealer and bank participants,
             regulators, infrastructure providers, industry associations, and others to
             determine the impact of the attacks and the preparedness of market
             participants at the time. To determine security and business continuity
             measures that 15 financial market organizations had in place to prevent and
             recover from disruptions in the future, GAO reviewed physical and
             electronic security measures, and BCP capabilities between February and
             June 2002 at 15 financial market organizations that perform trading and
             clearing functions, including 7 exchanges, 3 clearing and trade processing
             organizations, 3 electronic communications networks (ECN), and 2
             payment system processors. 2 Stock and stock options exchanges match

             1
              Money markets instruments include federal funds, Treasury bills, commercial paper, and
             repurchase agreements.
             2
             For simplicity, this report will refer to NASDAQ as an exchange.




             Page 4                                             GAO-03-251 Potential Terrorist Attacks
                   Executive Summary




                   orders from buyers and sellers to execute trades. Broker-dealers send these
                   orders to the exchanges on behalf of individual investors or large
                   institutional clients. Clearing organizations process trading information to
                   ensure that buyers receive their securities and sellers receive their
                   payments. ECNs provide alternative venues for trading securities. Payment
                   system processors that transmit large dollar payments among banks are
                   crucial to the basic functioning of the U.S. economy and financial markets.
                   Banks also maintain accounts to pay for or receive payments from
                   securities transactions for broker-dealers or their customers and, as
                   custodians, maintain accounts for securities owned by their customers. For
                   purposes of its analysis, GAO categorized 7 of the 15 organizations
                   reviewed as more important than others on the basis of whether viable
                   immediate substitutes existed for their products or services or whether the
                   functions they performed were critical to the overall markets' ability to
                   function.3 GAO relied on documentation and descriptions provided by
                   market participants and regulators and reviews conducted by other
                   organizations. When feasible, GAO also directly observed controls in place
                   for physical security and business continuity at the organizations assessed.
                   GAO did not test these controls by attempting to gain unauthorized entry or
                   access to market participants’ facilities or information systems. In
                   assessing the organizations’ physical and electronic security and BCPs,
                   GAO used criteria that were generally accepted by government or industry,
                   including that used to review federal organizations’ information systems.4
                   GAO performed its work in various U.S. cities from November 2001
                   through October 2002.



Results in Brief   The financial markets were able to recover within days despite significant
                   damage to the World Trade Center area, but the September 11, 2001,
                   terrorist attacks also revealed that financial market participants would
                   have to improve their business continuity capabilities. The attacks resulted


                   3
                    For example, some exchanges transmit information on all executed trades or establish
                   prices used by other exchanges. Also, clearing organizations or payment system processors
                   are essential to overall market functioning because they often may be the only organizations
                   that perform these functions.
                   4
                    This guidance included the Federal Information System Controls Audit Manual, Volume
                   I: Financial Statement Audits GAO/AIMD-12.19.6 (Washington, D.C.: Jan. 1999); the
                   Federal Financial Institutions Examination Council’s FFIEC Information Systems
                   Handbook: Volume 1, (Washington, D.C.: 1996); and the Business Continuity Institute’s
                   Business Guide to Continuity Management (Worcester, United Kingdom: Jan. 19, 2001).




                   Page 5                                              GAO-03-251 Potential Terrorist Attacks
Executive Summary




in significant loss of life and extensive physical damage, including to the
telecommunications and power infrastructure, and physical access to the
financial district was severely restricted for several days. Although the
exchanges and clearing organizations largely escaped direct damage,
trading did not resume on the stock and options markets because of
damage to telecommunications, the lack of physical access to the affected
area, and the loss of facilities and personnel by many broker-dealers,
including firms representing 40 percent of normal market trading volume,
and other financial institutions such as mutual funds and insurance
companies that participated in these markets. Displaced firms and
infrastructure providers made heroic efforts sometimes involving ad hoc
and innovative solutions to recreate operations at new locations and
restore needed telecommunications connections. Rather than trade
without these significant firms and risk operational difficulties in the
unstable conditions, regulators and market participants chose to conduct
telecommunications testing over the weekend and the securities exchanges
reopened on Monday, September 17, 2001, at record volumes. However, if
any of the key exchanges or clearing organizations had been physically
damaged, the markets would not have been able to open as quickly.

The markets for government securities and money market instruments
were also significantly disrupted by the loss of key broker-dealer facilities
and connectivity and processing difficulties that the Bank of New York, one
of the two clearing banks for these markets, and its customers
experienced. To prevent organizations from defaulting on their obligations
and creating a widespread solvency crisis, the Federal Reserve provided
over $323 billion in funding to banks over the period from September 11 to
September 14, 2001. Government securities trading resumed within 2 days
but at much lower levels than normal and problems in settling some trades
persisted for weeks. The impact of the attacks on the banking and payment
systems was less severe because most banks’ and payment processors’
operations were located outside of the affected area.

Regulators and market participants have acknowledged that the attacks
revealed the need to improve business continuity capabilities to address
future disasters. At the time of the attacks, some market participants
lacked backup facilities to which they could relocate their operations;
others had backup facilities but they were located too close to their
primary sites and were also inaccessible. Some organizations’ backup sites
were not large enough or did not have the equipment or software needed
for critical operations. Many organizations also found that the
arrangements they had made for backup telecommunications service were



Page 6                                      GAO-03-251 Potential Terrorist Attacks
Executive Summary




inadequate. Financial institutions’ plans had also called for their staff to
assemble at designated locations or to proceed to their backup sites; but
some organizations could not locate their staff, and some organizations’
personnel had difficulty reaching alternative operating locations.

Although the 15 exchanges, clearing organizations, ECNs, and payment
system processors that GAO reviewed had implemented various physical
and information security measures and business continuity capabilities
since the attacks, some organizations continued to have limitations in their
preparations that increased the risk of their operations being disrupted by
future disasters. Because hostile entities have openly threatened to directly
attack participants in the U.S. financial markets in the future, the need for
these organizations to be prepared has increased. However, reducing the
risk of an operations disruption can require organizations to make trade-
offs between implementing additional measures to protect their facilities
and systems or using their resources to expand their business continuity
capabilities. For example, an organization whose primary site is located in
a highly trafficked, public area may have limited ability to reduce all of its
physical security risks but could mitigate these risks by having a separately
staffed backup facility or cross-training staff.

The 15 organizations GAO reviewed, including the 7 organizations whose
ability to operate could be critical to the markets, have taken steps such as
installing physical barriers around their facilities to prevent physical
damage and using passwords or firewall software to limit access to
information systems to prevent disruptions from electronic attacks. All 15
organizations had developed BCPs, including some that had established
backup facilities hundreds of miles from their primary sites, that addressed
procedures for restoring operations after a disaster. However, 9 of the 15
organizations, including 2 GAO considered critical to the functioning of the
financial markets, had limitations in their protection and recovery
measures, which increased the risk of their operations being disrupted.
Although federal information systems standards and other guidance
recommend having backup personnel, these 9 organizations had not
developed business continuity procedures for ensuring that staff capable of
conducting their critical operations would be available if an attack
incapacitated personnel at their primary sites. At least 8 of the 9
organizations had physical vulnerabilities such as inability to control
vehicular traffic around their facilities. Although most organizations had
backup facilities as standards recommend, 10 of the 15 organizations,
including 4 of the critical ones, faced increased risk of being unable to
operate after a wide-scale disruption because they either lacked backup



Page 7                                       GAO-03-251 Potential Terrorist Attacks
Executive Summary




facilities or had facilities within 2 to 10 miles of their primary site. Finally,
although many of the 15 organizations had attempted to reduce their risks
by testing their risk reduction measures, GAO found that few organizations
had tested their physical security measures, and about half had tested their
business continuity capabilities and key information systems protections.

Although banking and securities regulators have begun to take steps to
prevent future disasters from causing widespread settlement and payment
defaults, they have not taken important actions that would better ensure
that trading in critical U.S. financial markets could resume in a fair and
orderly way after a major disaster.5 The three regulators for major market
participants, the Federal Reserve, the Office of the Comptroller of the
Currency (OCC), and the Securities and Exchange Commission (SEC) are
working jointly with market participants to develop recovery goals and
sound business continuity practices that will apply to a limited number of
financial market organizations to ensure that these entities can clear and
settle transactions and meet their financial obligations after future
disasters. Although heroic efforts allowed the markets to recover after the
September 11 attacks, future attacks could directly target critical financial
market organizations and close the markets for an extended period.
However, the regulators’ recovery goals and sound practices would only
apply to clearing activities and do not extend to organizations’ trading
activities or to the stock exchanges. Regulators told GAO that their efforts
focus on clearing activities because clearing problems would pose the
greatest risk to the markets and because one trading organization could
replace another that was unable to operate in future disasters. However,
without identifying specific recovery goals and sound business continuity
practices for trading organizations, the appropriate exchanges, broker-
dealers, and banks needed for trading to occur may not take all necessary
steps to be operational. The regulators also had not developed complete
strategies that identify where trading could be resumed or which
organizations would have to be ready to conduct trading if a major
exchange or multiple broker-dealers were unlikely to be operational for an
extended period. SEC has proposed one strategy for resuming trading, but
it does not include all securities, and it has not been fully tested.




5
 For additional discussion of how the financial markets are being addressed as part of U.S.
efforts to protect critical infrastructure, see U.S. General Accounting Office, Critical
Infrastructure Protection: Efforts of Financial Services Sector to Address Cyber Threats,
GAO-03-173 (Washington D.C.: Jan. 30, 2003).




Page 8                                              GAO-03-251 Potential Terrorist Attacks
Executive Summary




Individually, SEC, the Federal Reserve, and OCC have overseen operations
risks in the past, but these efforts had not comprehensively addressed risks
for all of the entities they regulate. Despite the importance of ensuring that
the exchanges and clearing organizations are operational, SEC uses a
voluntary program—the Automation Review Policy (ARP) program—to
oversee how these organizations reduce risks to their operations. Under
ARP, SEC staff have reviewed important risks at these institutions and
spurred operations improvements. However, although SEC issued a rule
requiring ECNs with sufficient trading volume to comply with the full range
of ARP practices, they have not issued a similar rule to require the other 22
exchanges and clearing organizations subject to ARP to comply. However,
GAO has found that some organizations, including critical organizations,
have resisted developing recommended backup facilities or making other
important improvements to address weaknesses SEC staff identified.
Having a rule similar to that issued for the ECNs could provide SEC with
flexible but specific regulatory authority to require all the organizations
subject to ARP to take prudent actions when deemed necessary. The ARP
program has had difficulties in maintaining experienced, qualified staff and
lacks the resources to conduct examinations frequently. In addition,
although the disruptions at key broker-dealers severely affected the
markets’ ability to resume trading after the attacks, the securities laws do
not generally contain specific requirements applicable to such firms, and
SEC’s reviews therefore did not generally examine the extent to which
broker-dealers had reduced their operations risks with regard to physical
and information system security and BCP measures.

The Federal Reserve and OCC are tasked with overseeing the safety and
soundness of banks’ operations and had issued and were updating
guidance that covered information system security and business continuity
planning. Staff from these regulators told GAO that they conduct annual
examinations of the largest entities they oversee and that they reviewed
information security in all examinations and business continuity during
most examinations, but the reviews did not generally assess banks’
protections against terrorist attacks. GAO did not review bank
examinations to independently determine the frequency and extensiveness
of these regulators’ reviews.

This report includes recommendations to SEC intended to ensure that the
financial markets are better able to recover and resume operations in the
event of a future disaster and to improve their individual oversight of
operations risks. In commenting on a draft of this report, SEC agreed with
the goals of our recommendations.



Page 9                                      GAO-03-251 Potential Terrorist Attacks
                              Executive Summary




Principal Findings

September 2001 Attacks        The September 2001 terrorist attacks and the subsequent collapse of the
Significantly Affected U.S.   twin World Trade Center towers damaged more than 400 structures across
                              a 16-acre area, and claimed almost 2,800 lives. Financial services industry
Financial Markets and
                              employees accounted for about 74 percent of the victims. Dust and debris
Demonstrated the Need for     blanketed the area, creating difficult and hazardous conditions that
Improvements in BCPs          complicated recovery efforts. Many financial organizations lost
                              telecommunications service when the 7 World Trade Center building also
                              collapsed and debris struck a major Verizon central switching office that
                              served approximately 34,000 businesses and residences.6 Over 13,000
                              customers also lost power. To accommodate the rescue and recovery
                              efforts and maintain order, pedestrian and vehicle access to the area
                              encompassing the financial district was restricted through September 13,
                              2001.

                              As a result of the extensive damage to the area surrounding the World
                              Trade Center and the need to ensure the health and safety of people
                              affected by the attacks, U.S. financial markets closed on September 11 and
                              took several days to resume operations. If the exchanges and clearing
                              organizations had sustained direct damage, the reopening of the markets
                              would have likely taken longer because some lacked backup operating
                              facilities at the time. However, several key broker-dealers did sustain
                              considerable damage and had to recreate their trading operations at other
                              locations. These firms employed ad hoc and innovative solutions, such as
                              renting out an entire hotel or moving their traders to the trading facilities of
                              a recently purchased subsidiary. However, because these and other firms
                              were unable to operate fully in the days following the attacks, securities
                              regulators, market officials, and other key participants were concerned
                              that insufficient liquidity would exist to conduct fair and orderly trading in
                              the markets. By Friday, September 14, 2001, sufficient telecommunications
                              capabilities to conduct trading had been restored to firms representing only
                              about 60 percent of the normal order volume. After communications lines
                              to the remaining firms were restored and tested, U.S. stock and options
                              exchanges reopened on September 17, 2001, trading record volumes
                              without noticeable difficulties. Full trading of U.S. government securities in


                              6
                              Verizon is the major provider of local telecommunications service in lower Manhattan.




                              Page 10                                           GAO-03-251 Potential Terrorist Attacks
Executive Summary




the United States was resumed within 2 days following the attacks but at
lower-than-normal volumes, and funds transmittal problems at some
institutions persisted for several days. The difficulties experienced by
broker-dealers that trade government securities and the Bank of New York
and its customers also disrupted the markets for short-term debt
instruments that fund the operations of broker-dealers and other firms. To
ensure that firms could meet their settlement obligations, the Federal
Reserve had to provide over $323 billion in liquidity to market participants
by offering discount window loans, purchasing securities from participants
needing funds, and taking other actions. Although some banks in
Manhattan lost telecommunications service or experienced other
disruptions, the U.S. banking system as a whole was not severely affected
because most banks’ facilities were located outside of the World Trade
Center area. Similarly, the primary processors for most of the large-value
payments between banks in the United States—Fedwire and the Clearing
House Inter-bank Payments System—were also able to continue operating
because their primary processing sites were located outside the affected
area.

According to information GAO obtained from broker-dealers, banks,
regulators, industry associations and others, the attacks revealed that
improvements were needed in financial institutions’ business continuity
capabilities to address future disasters. Many financial institutions’ BCPs
addressed limited-scope events such as damage to just one of their
buildings. As a result, many either had not established backup facilities or
had backup facilities located near their primary facilities that were also
destroyed or unusable. Others found that their backup facilities were too
small and not properly equipped to accommodate all of their critical
operations. In addition, some firms learned that the actions they had taken
to ensure continuity of telecommunications service were not adequate. For
example, after relocating their operations, some firms found that their
backup facilities only had connections to the primary sites of organizations
critical to their operations and not to the existing backup locations of other
participants. Others whose facilities were not damaged also had to have
telecommunications restored even though they thought that they had
obtained redundant telecommunications capabilities by contracting with
multiple telecommunications providers or by having their lines routed over
different physical paths. In some cases, disruptions occurred because the
alternative providers routed financial firms’ lines through the same Verizon
switching facility that was damaged by the attacks. Others whose services
had originally used physically diverse paths found that their service
providers had rerouted these lines over time onto identical pathways



Page 11                                     GAO-03-251 Potential Terrorist Attacks
                                Executive Summary




                                without their knowledge. Recovery efforts at financial institutions were
                                also hampered by shortcomings in the human capital component of BCPs.
                                These firms had trouble locating critical personnel in the confusion after
                                the attacks; and, in some cases, their staff had difficulty reaching backup
                                locations as a result of the transportation shutdowns.



Financial Market                All 15 organizations that GAO reviewed, including the 7 critical
Organizations Have Taken        organizations, had taken steps since the attacks to reduce the risk of
                                operations disruptions by implementing measures to prevent physical
Actions to Protect Facilities   damage to their facilities and unauthorized access to their information
and Information Systems         systems and developing business continuity capabilities to recover from
and Resume Operations           disruptions.7 For example, many organizations had installed physical
after Disruptions, but          barriers to minimize damage or prevent unauthorized access by vehicles to
Limitations Remain              their facilities. In addition, the 15 exchanges, clearing organizations, ECNs,
                                and payment system processors used private networks and proprietary
                                message formats that reduced the risk that they would be disrupted by
                                electronic attacks. These organizations had also implemented various
                                information security protections recommended for federal organizations,
                                including hardware or software controls that allow only authorized users to
                                gain system access and monitoring systems to detect attacks or intrusions.
                                All 15 organizations also had developed BCPs addressing how they would
                                continue operations after a disruption. For example, 11 of the 15 had
                                established separate backup facilities, including 3 whose backup facilities
                                were hundreds of miles away.

                                However, 9 of the 15 exchanges, clearing organizations, ECNs, and
                                payment system processors, including 2 organizations critical to the
                                functioning of the markets, had limitations in their risk reduction efforts.
                                These 9 organizations were at greater risk of experiencing an operations
                                disruption if a physical attack on their primary facility left a large
                                percentage of their staff incapacitated because they did not maintain staff
                                outside of their primary facility that could conduct all their critical
                                operations. Eight of these 9 organizations also had physical security
                                vulnerabilities at their primary sites that they either had not or could not
                                mitigate, such as the inability to restrict vehicle movement around their
                                facilities. In addition, 10 of the 15 organizations, including 4 critical
                                organizations, had limitations in their BCPs that increased the risk of their

                                7
                                 This analysis presents the measures these organizations had in place at the time GAO
                                conducted reviews at these entities’ physical locations from February to June 2002.




                                Page 12                                            GAO-03-251 Potential Terrorist Attacks
                             Executive Summary




                             operations being disrupted by a wide-scale disaster. These 10 organizations
                             faced this risk because 4 lacked any backup facilities, and the backup
                             facilities of the other 6 organizations were 2–10 miles from their primary
                             sites—including 4 whose sites were separated by 5 miles or less. Another
                             way that organizations can minimize their operations risk is by testing their
                             physical and information security measures and BCPs, but GAO found that
                             few of these organizations had fully tested all elements. Only 3
                             organizations had tested their physical security measures. Although all 7 of
                             the critical organizations recently had assessed the vulnerabilities of their
                             key trading and clearing systems, only 1 of the other 8 organizations had
                             done so. Five of the critical organizations and 2 of the other 8 had tested
                             their business continuity capabilities.



Securities and Banking       Securities and banking regulators have begun to jointly develop recovery
Regulators Have Not          goals and sound business continuity practices that will apply to market
                             participants that perform clearing functions, but they have not identified
Developed Recovery Goals     recovery goals and practices for resuming trading activities. In August
for Resuming Trading         2002, the Federal Reserve, OCC, SEC and the New York State Banking
Activities and Their         Department jointly issued a white paper seeking industry comment on
Oversight of Operations      sound practices to ensure that organizations that perform critical clearing
Risk Could Be Strengthened   activities be able to promptly recover these functions after a wide-scale,
                             regional disruption.8 These sound practices could require organizations
                             performing these functions to identify the clearing activities they perform
                             to support critical markets, develop plans to recover clearing functions on
                             the same business day, and maintain out-of-region recovery facilities that
                             do not depend on the same labor pool or transportation,
                             telecommunications, water, and power infrastructure. The practices would
                             be applied to clearing organizations, clearing banks, and to the clearing
                             functions of about 15 to 20 active broker-dealers and banks whose
                             transaction volumes, if not promptly cleared and settled, could create
                             liquidity or solvency problems for organizations awaiting payments from
                             them. The regulators are still analyzing the comments that they have
                             received but hoped to issue a final version of the practices in 2003. GAO
                             agrees that taking actions to ensure that clearing functions can be
                             recovered after a disaster is important to the U.S. financial markets and the


                             8
                              Board of Governors of the Federal Reserve, OCC, SEC, Draft Interagency White Paper on
                             Sound Practices to Strengthen the Resilience of the U.S. Financial System, (Washington,
                             D.C.: Aug. 30, 2002). The New York State Banking Department issued the same paper
                             separately.




                             Page 13                                           GAO-03-251 Potential Terrorist Attacks
Executive Summary




economy overall, and that sound business continuity practices, if adopted,
would likely reduce the potential for future disasters to cause broader
financial crises.

However, trading on U.S. financial markets is also a critical economic
function for investing savings, funding daily business operations, and
raising capital for new ventures; but the securities regulators have not
similarly begun efforts to develop recovery goals and business continuity
practices applicable to trading activities in stock, options, and other
financial markets. Regulatory staff told GAO that the white paper’s
practices apply only to clearing activities because such functions are
usually concentrated in single entities for some markets or in very few
organizations for others, and thus pose a greater potential for disruption.
They said the paper does not cover trading activities and organizations that
conduct only trading, such as the securities exchanges, because other
organizations could perform the same functions. Although trading could
likely be moved to other venues if a major exchange was not able to
operate after a disaster, such transfers have not been frequently done and
could be subject to operational problems such as insufficient processing
capacity if not clearly established and tested in advance. Securities
regulators have not developed complete strategies for ensuring that trading
could resume when appropriate. For example, SEC has asked two major
exchanges—New York Stock Exchange and the NASDAQ, which each
trade thousands of securities—to be able to trade each other’s securities as
one strategy for ensuring that trading could resume if either organization
was unable to operate. However, as of December 2002, SEC had not
identified the specific capabilities that these organizations should
implement. For example, NASDAQ staff said that various alternatives are
being proposed for conducting this trading and each would involve varying
amounts of system changes or processing capacity considerations. New
York Stock Exchange staff said they have proposed trading only the top 250
of NASDAQ’s securities, and the others would have to be traded elsewhere.
NASDAQ staff plan to trade all New York Stock Exchange securities. These
strategies have also not been fully tested to ensure that processing can
occur accurately and that each exchange has sufficient capacity.

Although the attacks demonstrated sufficient numbers of broker-dealers
have to be able to recover their trading operations and provide access to
their customers’ cash and securities for markets to resume operating
smoothly and in a timely manner, the regulators have not similarly
developed recovery goals and sound business continuity practices
applicable to these firms’ trading or brokerage activities. With hostile



Page 14                                    GAO-03-251 Potential Terrorist Attacks
                           Executive Summary




                           entities openly targeting U.S. financial markets, setting recovery goals and
                           ensuring that the appropriate organizations have adopted sound business
                           continuity practices would reduce the risk that trading may not be able to
                           resume smoothly or in a timely manner if key market participants are
                           severely damaged.

Regulators’ Oversight of   Although SEC has reviewed operations risk at exchanges and clearing
Operations Risks Had       organizations, its oversight has limitations. In response to operational
Limitations                problems experienced by the markets during the 1980s, SEC created a
                           program in 1989 for addressing operations risk issues, including physical
                           and information security and business continuity planning at securities
                           exchanges and clearing organizations. SEC did not create rules for these
                           organizations to follow but instead issued two ARP statements that
                           provided practices in various information technology and operational areas
                           with which the exchanges and clearing organizations would be expected to
                           comply voluntarily. By analyzing all 10 of the SEC ARP examination reports
                           completed between January 2001 and July 2002, GAO found that SEC ARP
                           staff had reviewed information security in 9 of these examinations and
                           business continuity in 7. SEC ARP staff reviewed physical security and
                           controls at data centers, but they discussed organizations’ overall physical
                           security in only one report. Although none of the 10 reports GAO reviewed
                           discussed how these organizations’ BCPs covered telecommunications
                           resiliency, ARP staff said that all of these operations risk issues would be
                           addressed as part of future reviews.

                           Given the increased threats demonstrated by the September 11 attacks and
                           the need for assurance that key financial market organizations are
                           following sound practices, the importance of SEC’s ARP program oversight
                           has increased. However, currently the program faces several limitations.
                           Although the efforts of SEC’s ARP staff have improved market participant
                           operations, only ECNs are required by rule to comply with ARP policies
                           and exchanges and clearing organizations are expected to comply
                           voluntarily. Although SEC staff said they have been satisfied with the level
                           of these organizations’ compliance, GAO reported in 2001 that some
                           organizations, including critical organizations, had not taken actions to
                           address important weaknesses ARP staff identified. For example, SEC had
                           long-standing concerns that three exchanges lacked backup facilities and
                           that another major exchange had insufficient processing capacity for




                           Page 15                                     GAO-03-251 Potential Terrorist Attacks
                                 Executive Summary




                                 several years.9 GAO analysis of recent ARP reviews indicated that SEC staff
                                 continue to identify significant weaknesses at some organizations. Having a
                                 rule that requires these organizations to engage in practices consistent with
                                 the ARP policies would provide SEC staff with the flexibility to adjust ARP
                                 expectations as technology and industry best practices evolve while
                                 providing specific regulatory authority to require prudent actions when
                                 deemed necessary. The ARP program has also faced resource limitations.
                                 During work conducted as part of a prior GAO review of overall SEC
                                 operations, market participants raised concerns over the inexperience and
                                 insufficient technical expertise of ARP staff that reviewed their
                                 organizations.10 In addition, SEC staff said that the staffing level limits their
                                 ability to conduct more frequent reviews of the organizations subject to
                                 ARP. GAO’s analysis of the frequency of ARP examinations found that an
                                 average of 39 months had passed between the most recent and prior
                                 examinations for the organizations critical to the markets that are subject
                                 to ARP. In contrast, guidance for audits of federal information systems calls
                                 for high-risk systems to be reviewed more frequently.

Operations Risks Not Generally   Lacking specific requirements in the securities laws or SRO rules, SEC and
Reviewed at Broker-Dealers       exchange reviews of broker-dealers have also not generally addressed
                                 operational issues such as physical and information security and BCPs.
                                 Whereas SEC ARP staff review exchanges and clearing organizations, staff
                                 from SEC’s Office of Compliance Inspections and Examinations (OCIE)
                                 conduct examinations of broker-dealers, mutual funds, and other securities
                                 market participants.11 Prior to the September 11 attacks, OCIE staff only
                                 reviewed operational issues at a few broker-dealers that offered on-line
                                 trading. The exchanges, which act as self-regulatory organizations and
                                 conduct their own reviews of their members, and SEC OCIE staff also have
                                 recently begun conducting reviews relating to information security issues
                                 as the result of Gramm-Leach-Bliley Act, which requires financial
                                 institutions to safeguard customer information. The SROs also plan to
                                 review their broker-dealer members’ compliance with rules recently


                                 9
                                  GAO reported on these issues in 2001. See U.S. General Accounting Office, Information
                                 Systems: Opportunities Exist to Strengthen SEC’s Oversight of Capacity and Security,
                                 GAO-01-863 (Washington, D.C.: Jul. 25, 2001).
                                 10
                                  See U.S. General Accounting Office, SEC Operations: Increased Workload Creates
                                 Challenges, GAO-02-302 (Washington, D.C.: Mar. 5, 2002).
                                 11
                                  Other market participants that SEC oversees include investment advisers and transfer
                                 agents.




                                 Page 16                                            GAO-03-251 Potential Terrorist Attacks
                                  Executive Summary




                                  submitted for SEC approval, which will require these firms to develop
                                  BCPs.

Bank Regulators Report            Because the banking regulators are required to assess the safety and
Overseeing Operations Risks but   soundness of bank operations, in 1996, the banking regulators jointly
Not Banks’ Measures Against       developed guidance for their staff and the institutions they oversee relating
Physical Attacks                  to information security and business continuity issues. They intend to issue
                                  more expanded guidance on information security and business continuity
                                  in early 2003. The banking regulators also conduct examinations that
                                  address operational issues as part of their regular cycle of annual reviews.
                                  Staff from the Federal Reserve and OCC, which oversee the majority of the
                                  largest institutions, indicated that they examine information security at all
                                  banks and business continuity during most examinations. They also said
                                  that their examiners or bank internal auditors review banks’ physical
                                  security, but these reviews were not generally focused on the extent to
                                  which institutions have protected themselves from terrorist or other
                                  physical attacks. GAO did not review bank examinations to independently
                                  determine the frequency and extensiveness of these regulators reviews.



Recommendations                   This report includes recommendations to the Chairman, SEC, to work with
                                  industry to develop goals and strategies to resume trading in securities
                                  markets; determine sound business continuity practices that organizations
                                  would need to follow to meet these goals; identify the organizations,
                                  including broker-dealers, that would likely need to operate for the markets
                                  to resume trading and ensure that these organizations implement sound
                                  business continuity practices that, at a minimum, allow investors to readily
                                  access their cash and securities; and test trading resumption strategies to
                                  better ensure their success. The report also recommends that SEC improve
                                  its oversight of operations risk by issuing a rule to require exchanges and
                                  clearing organizations to engage in practices consistent with its ARP
                                  program and expand the resources dedicated to the ARP program.



Agency Comments and               GAO requested comments on a draft of this report from the heads, or their
                                  designees, of the Federal Reserve, OCC, Treasury, and SEC. The Federal
GAO Evaluation                    Reserve and SEC provided written comments, which appear in appendixes
                                  III and IV, respectively. The Federal Reserve, OCC, and SEC also provided
                                  technical comments, which were incorporated as appropriate. SEC
                                  generally agreed with the report and the goals of its recommendations. The
                                  SEC staff’s letter agreed that the financial markets should be prepared to



                                  Page 17                                     GAO-03-251 Potential Terrorist Attacks
Executive Summary




resume trading in a timely, fair, and orderly fashion following a
catastrophe, which is the goal of GAO’s recommendations that SEC work
with the industry to develop business continuity goals, strategies, and
practices. SEC’s letter expressed a concern that this recommendation
expects SEC to ensure that broker-dealers implement business continuity
practices that would allow trading activities to resume after a disaster. The
SEC staff noted that, although broker-dealers are required to be able to
ensure that any completed trades are cleared and settled and that
customers have access to the funds and securities in their accounts as soon
as is physically possible, these firms are not required to conduct trading or
provide liquidity to markets. Instead, this is a business decision on the part
of these firms’ management. As a result, SEC’s letter stated that the BCP
expectations for these firms must reflect these considerations.

GAO agreed that the business continuity practices that SEC develops in
conjunction with market participants should reflect these considerations.
As SEC works with the exchanges and other market participants to develop
goals and strategies for recovering from various disaster scenarios, GAO’s
recommendations envision that these strategies will have to take into
account the business continuity capabilities implemented by broker-
dealers that normally provide significant order flow and liquidity to the
markets. To the extent that many of these major broker-dealers may be
unable to conduct their normal volume trading in the event of some
potential disasters without extended delays, SEC would need to develop
strategies that would allow U.S. securities markets to resume trading when
appropriate through other broker-dealers that are less affected by the
disaster, such as regional firms. To ensure that such trading is orderly and
fair to all investors, broker-dealers’ business continuity practices should at
least be adequate to allow prompt transfers of customer funds and
securities to other firms so that the customers of firms unable to resume
trading are not disadvantaged. In response to GAO’s recommendations
relating to ARP, the SEC staff’s letter states that they will continue to assess
whether rulemaking is appropriate and will consider recommending to the
Chairman that ARP staffing and resources be expanded if the agency’s
funding is increased.




Page 18                                       GAO-03-251 Potential Terrorist Attacks
Chapter 1

Introduction                                                                                                          Chapte1
                                                                                                                            r




                        Thousands of market participants are involved in trading stocks, options,
                        government bonds, and other financial products in the United States. These
                        participants include exchanges at which orders to buy and sell are
                        executed, broker-dealers who present those orders on behalf of their
                        customers, clearing organizations that ensure that ownership is
                        transferred, and banks that process payments for securities transactions.
                        Although many organizations are active in the financial markets, some
                        organizations, such as the major exchanges, clearing firms, and large
                        broker-dealers are more important for the overall market’s ability to
                        function because they offer unique products or perform vital services. The
                        participants in these markets are overseen by various federal securities and
                        banking regulators whose regulatory missions vary. Financial markets also
                        rely heavily on information technology systems and extensive and
                        sophisticated communications networks. As a result, physical and
                        electronic security measures and business continuity planning are critical
                        to maintaining and restoring operations in the event of a disaster or attack.



Various Organizations   Customer orders for stocks and options, including those from individual
                        investors and from institutions such as mutual funds, are usually executed
Participate in Stock    at one of the many exchanges located around the United States.1 Currently,
and Options Markets     stocks are traded on at least eight exchanges, including the New York
                        Stock Exchange (NYSE), the American Stock Exchange, and the NASDAQ.2
                        Securities options are traded at five exchanges, including the Chicago
                        Board Options Exchange and the Pacific Stock Exchange. Trading on the
                        stock exchanges usually begins when customers’ orders are routed to the
                        exchange floor either by telephone or through electronic systems to
                        specialist brokers. These brokers facilitate trading in specific stocks by
                        matching orders to buy and sell. For stocks traded on NASDAQ, customers’
                        orders are routed for execution to the various brokers who act as market
                        makers by posting price quotes at which they are willing to buy or sell
                        particular securities on that market’s electronic quotation system. Some
                        stocks traded on NASDAQ can be quoted by just a single broker making a
                        market for that security, but others have hundreds of brokers acting as


                        1
                         Securities options are contracts that provide the right for the purchaser to buy or sell a
                        specified quantity of a security at a specified price at a future date.
                        2
                         Although currently operating as a market operated by an association of dealers, NASDAQ is
                        seeking to become registered with SEC as a national securities exchange, and for simplicity,
                        we will refer to it as an exchange in this report.




                        Page 19                                               GAO-03-251 Potential Terrorist Attacks
Chapter 1
Introduction




market makers in a particular security by buying and selling shares from
their own inventories. Orders for options are often executed on the floors
of an exchange in an open-outcry pit in which the representatives of
sometimes hundreds of brokers buy and sell options contracts on behalf of
their customers.

The orders executed on the various markets usually come from broker-
dealers. Individual and institutional investors open accounts with these
firms and, for a per-transaction commission or an annual fee, the broker-
dealer buys and sells stocks, bonds, options, and other securities on the
customers’ behalf. Employees of these firms may provide specific
investment advice or develop investment plans for investors. Although
some firms only offer brokerage services and route customer orders to
other firms or exchanges for execution, some also act as dealers and fill
customer orders to buy or sell shares from their own inventory.

In addition to the exchanges, customers’ orders can also be executed on
electronic communications networks (ECN), which match their customers’
buy and sell orders to those submitted by their other customers. The
various ECNs specialize in providing different services to their customers
such as rapid executions or anonymous trading for large orders.

After a securities trade is executed, the ownership of the security must be
transferred and payment must be exchanged between the buyer and the
seller. This process is known as clearance and settlement. Figure 1
illustrates the clearance and settlement process and the various
participants, including broker-dealers, the clearing organization for stocks
(the National Securities Clearing Corporation or NSCC), and the
Depository Trust Company (which maintains records of ownership for the
bulk of the securities traded in the United States).




Page 20                                    GAO-03-251 Potential Terrorist Attacks
                                         Chapter 1
                                         Introduction




Figure 1: Clearance and Settlement Process for Stocks




                                         The Options Clearing Corporation plays a similar role in clearing and
                                         settling securities options transactions. After options trades are executed,
                                         the broker-dealers on either side of the trade compare trade details with
                                         each other, and the clearing organization and payments are exchanged on
                                         T+1.

                                         Banks also participate in U.S. securities markets in various ways. Some
                                         banks act as clearing banks by maintaining accounts for broker-dealers and
                                         accepting and making payments for these firms. Some banks also act as
                                         custodians of securities by maintaining custody of securities owned by
                                         other financial institutions or individuals.



Government Securities                    The market for the U.S. government securities issued by the Department of
                                         the Treasury (Treasury) is one of the largest markets in the world. These
and Money Market                         securities include Treasury bills, notes, and bonds of varying maturities.
Instruments Are                          Trading in government securities does not take place on organized
                                         exchanges. Instead, these securities are traded in an “over-the-counter”
Traded Differently                       market and are carried out by telephone calls between buying and selling
from Stocks                              dealers. To facilitate this trading, a small number of specialized firms,
                                         known as inter-dealer brokers (IDB) act as intermediaries and arrange
                                         trades in Treasury securities between other broker-dealers. The use of the
                                         IDBs allows other broker-dealers to maintain anonymity in their trading




                                         Page 21                                     GAO-03-251 Potential Terrorist Attacks
Chapter 1
Introduction




activity, which reduces the likelihood that they will obtain disadvantageous
prices when buying or selling large amounts of securities.

Trades between the IDBs and other broker-dealers are submitted for
clearance and settled at the Government Securities Clearing Corporation
(GSCC). After trade details are compared on the night of the trade date,
GSCC provides settlement instructions to the broker-dealers and their
clearing banks. Settlement with these banks and the clearing organization’s
bank typically occurs one business day after the trade (T+1) with
ownership of securities bought and sold transferred either on the books of
clearing banks or the books of the Federal Reserve through its Fedwire
Securities Transfer System. Two banks, JPMorgan Chase and the Bank of
New York, provide clearing and settlement services for many major broker-
dealers in the government securities market.

Many of the same participants in the government securities markets are
also active in the markets for money market instruments. These are short-
term instruments that include federal funds,3 foreign exchange
transactions, and commercial paper. Commercial paper issuances are debt
obligations issued by banks, corporations, and other borrowers to obtain
financing for 1 to 270 days. Another type of money market instrument
widely used for short-term financing is the repurchase agreement or repo,
in which a party seeking financing sells securities, typically government
securities, to another party while simultaneously agreeing to buy them
back at a future date, such as overnight or some other set term. The seller
obtains the use of the funds exchanged for the securities, and the buyer
earns a return on their funds when the securities are repurchased at a
higher price than originally sold. Active participants in the repo market
include the Federal Reserve, which uses repos in the conduct of monetary
policy, and large holders of government securities, such as foreign central
banks or pension funds, which use repos to obtain additional investment
income. Broker-dealers are active users of repos for financing their daily
operations. To facilitate this market, the IDBs often match buyers and
sellers of repos; and the funds involved are exchanged between the
government securities clearing organization and the clearing banks of
market participants. According to data reported by the Federal Reserve,
repo transactions valued at over $1 trillion occur daily in the United States.



3
 Federal funds are balances deposited by commercial banks at Federal Reserve Banks to
meet reserve requirements. These amounts can be lent among banks.




Page 22                                           GAO-03-251 Potential Terrorist Attacks
                      Chapter 1
                      Introduction




Payment Systems       Payments for corporate and government securities transactions, as well as
                      for business and consumer transactions, are transferred by payment
Processors Transfer   system processors. One of these processors is the Federal Reserve, which
Funds for Financial   owns and operates the Fedwire Funds Transfer System. Fedwire connects
                      9,500 depository institutions and electronically transfers large dollar value
Markets and Other     payments associated with financial market and other commercial activities
Transactions          in the United States. Fedwire is generally the system used to transfer
                      payments for securities between the banks used by the clearing
                      organization and market participants. Another large dollar transfer system
                      is the Clearing House Inter-bank Payments System (CHIPS). CHIPS is a
                      system for payment transfers, particularly for those U.S. dollar payments
                      relating to foreign exchange and other transactions between banks in the
                      United States and in other countries.



Certain Market        Although thousands of entities are active in the U.S. securities markets,
                      certain key participants are critical to the ability of the markets to function.
Participants Are      Although multiple markets exist for trading stocks or stock options, some
Critical to Overall   are more important than others as a result of the products they offer or the
                      functions they perform. For example, an exchange that attracts the greatest
Functioning of the    trading volume may act as a price setter for the securities it offers, and the
Securities Markets    prices for trades that occur on that exchange are then used as the basis for
                      trades in other markets that offer those same securities. On June 8, 2001,
                      when a software malfunction halted trading on NYSE, the regional
                      exchanges also suspended trading although their systems were not
                      affected. Other market participants are critical to overall market
                      functioning because they consolidate and distribute price quotations or
                      information on executed trades. Markets also cannot function without the
                      activities performed by the clearing organizations; and in some cases, only
                      one clearing organization exists for particular products.

                      In contrast, disruptions at other participants may have less severe impacts
                      on the ability of the markets to function. For example, many of the options
                      traded on the Chicago Board Options Exchange are also traded on other
                      U.S. options markets. Thus if this exchange was not operational, investors
                      would still be able to trade these options on the other markets, although
                      certain proprietary products, such as options on selected indexes, might be
                      unavailable temporarily.

                      Other participants may be critical to the overall functioning of the markets
                      only in the aggregate. Investors can choose to use any one of thousands of



                      Page 23                                       GAO-03-251 Potential Terrorist Attacks
                        Chapter 1
                        Introduction




                        broker-dealers registered in the United States. If one of these firms is
                        unable to operate, its customers may be inconvenienced or unable to trade,
                        but the impact on the markets as a whole may just be a lower level of
                        liquidity or reduced price competitiveness. But a small number of large
                        broker-dealers account for sizeable portions of the daily trading volume on
                        many exchanges and if several of these large firms are unable to operate,
                        the markets might not have sufficient trading volume to function in an
                        orderly or fair way.



Various Regulators      Several federal organizations oversee the various securities market
                        participants. The Securities and Exchange Commission (SEC) regulates the
Oversee Securities      stock and options exchanges and the clearing organizations for those
Market Participants,    products. In addition, SEC regulates the broker-dealers that trade on these
                        markets and other participants, such as mutual funds, which are active
but Approaches and      investors. The exchanges also have responsibilities as self-regulatory
Regulatory Goals Vary   organizations (SRO) for ensuring that their participants comply with the
                        securities laws and the exchanges’ own rules.

                        SEC or one of the depository institution regulators oversees participants in
                        the government securities market, but Treasury also plays a role. Treasury
                        issues rules pertaining to that market, but SEC or the bank regulators are
                        responsible for conducting examinations to ensure that these rules are
                        followed.

                        Several federal organizations have regulatory responsibilities over banks
                        and other depository institutions, including those active in the securities
                        markets. The Federal Reserve oversees bank holding companies and state-
                        chartered banks that are members of the Federal Reserve System. The
                        Office of the Comptroller of the Currency (OCC) examines nationally
                        chartered banks.4

                        Securities and banking regulators have different regulatory missions and
                        focus on different aspects of the operations of the entities they oversee.
                        Because banks accept customer deposits and use those funds to lend to
                        borrowers, banking regulators focus on the financial soundness of these
                        institutions to reduce the likelihood that customers will lose their deposits.


                        4
                         Other organizations that oversee depository institutions include the Federal Deposit
                        Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union
                        Administration.




                        Page 24                                             GAO-03-251 Potential Terrorist Attacks
                          Chapter 1
                          Introduction




                          Poor economic conditions or bank mismanagement have periodically led to
                          extensive bank failures and customer losses in the United States. As a
                          result, banking and the other depository institution regulators issue
                          guidance and conduct examinations over a wide range of financial and
                          operational issues pertaining to these institutions, such as what
                          information security steps these institutions have taken to minimize
                          unauthorized access to their systems and what business continuity
                          capabilities they have.

                          In contrast, securities regulators have a different mission and focus on
                          other aspects of the operations of the entities they oversee. Securities
                          regulation in the United States arose with the goal of protecting investors
                          from abusive practices and ensuring that they were treated fairly. To
                          achieve this, SEC and the exchanges, which act as self regulatory
                          organizations (SRO) to oversee their broker-dealer members, focus
                          primarily on monitoring securities market participants to ensure that the
                          securities laws are not being violated; for example, restricting insider
                          trading or requiring companies issuing securities to completely and
                          accurately disclose their financial condition. As a result, few securities
                          regulations specifically address exchange and broker-dealer operational
                          issues, and securities regulators have largely considered the conduct of
                          such operations to be left to the business decisions of these organizations.



Telecommunications        Information technology and telecommunications are vital to the securities
                          markets and the banking system. Exchanges and markets rely on
and Information           information systems to match orders to buy and sell securities for millions
Technology Are Vital to   of trades. They also use such systems to instantaneously report trade
                          details to market participants in the United States and around the world.
Securities Markets        Information systems also compile and compare trading activity and
                          determine all participants’ settlement obligations. The information
                          exchanged by these information systems is transmitted over various types
                          of telecommunications technology, including fiber optic cable.

                          Broker-dealers also make extensive use of information technology and
                          communications systems. These firms connect not only to the networks of
                          the exchanges and clearing organizations but may also be connected to the
                          thousands of information systems or communications networks operated
                          by their customers, other broker-dealers, banks, and market data vendors.
                          Despite widespread use of information technology to transmit data,
                          securities market participants are also heavily dependent on voice
                          communications. Broker-dealers still use telephones to receive, place, and



                          Page 25                                    GAO-03-251 Potential Terrorist Attacks
                         Chapter 1
                         Introduction




                         confirm orders. Voice or data lines transmit the information for the system
                         that provides instructions for personnel on exchange floors. Fedwire and
                         CHIPS also rely heavily on information technology and communications
                         networks to process payments. Fedwire’s larger bank customers have
                         permanent network connections to computers at each of Fedwire’s data
                         centers, but smaller banks connect via dial-up modem. CHIPS uses fiber-
                         optic networks and mainframe computers to transfer funds among its 54
                         member banks.



Financial                Because financial market participants’ operations could be disrupted by
                         damage to their facilities, systems, or networks, they often invest in
Organizations Manage     physical and information security protection and develop business
Operations Risks by      continuity capabilities to ensure they can recover from such damage. To
                         reduce the risk that facilities and personnel would be harmed by
Protecting Physical      individuals or groups attempting unauthorized entry, sabotage, or other
and Information          criminal acts, market participants invest in physical security measures
Security and Business    such as guards or video monitoring systems. Market participants also
                         invest in information security measures such as firewalls, which reduce the
Continuity Planning      risk of damage from threats such as hackers or computer viruses. Finally,
                         participants invest in business continuity capabilities, such as backup
                         locations, that can further reduce the risk that damage to primary facilities
                         will disrupt an organization’s ability to continue operating.



Objectives, Scope, and   To describe the impact of the September 11, 2001, attacks on the financial
                         markets and the extent to which organizations had been prepared for such
Methodology              events, we reviewed studies of the attacks’ impact by regulators and
                         private organizations. We also obtained documents and interviewed staff
                         from over 30 exchanges, clearing organizations, broker-dealers, banks, and
                         payment system processors, including organizations located in the vicinity
                         of the attacks and elsewhere. We toured damaged facilities and discussed
                         the attacks’ impact on telecommunications and power infrastructure with
                         three telecommunications providers (Verizon, AT&T, and WorldCom) and
                         Con Edison, a power provider. Finally, we discussed the actions taken to
                         stabilize the markets and facilitate their reopening with financial market
                         regulators.

                         To determine how financial market organizations were attempting to
                         reduce the risk that their operations could be disrupted, we selected 15
                         major financial market organizations that included many of the most active



                         Page 26                                     GAO-03-251 Potential Terrorist Attacks
Chapter 1
Introduction




participants, including 7 stock and options exchanges, 3 clearing and
securities processing organizations, 3 ECNs, and 2 payment system
processors. For purposes of our analysis, we also categorized these
organizations into two groups: seven whose ability to operate is critical to
the overall functioning of the financial markets and eight for whom
disruptions in their operations would have a less severe impact on the
overall markets. We made these categorizations by determining whether
viable immediate substitutes existed for the products or services the
organizations offer or whether the functions they perform were critical to
the overall markets' ability to function. To maintain the organizations’
security and the confidentiality of proprietary information, we agreed with
these organizations that we would not discuss how they were affected by
the attacks or how they were addressing their risks through physical and
information security and business continuity efforts in a way that could
identify them. However, to the extent that information about these
organizations is already publicly known, we sometimes name them in the
report.

To determine what steps these 15 organizations were taking to reduce the
risks to their operations from physical attacks, we conducted on-site
“walkthroughs” of these organizations’ primary facilities, reviewed their
security policies and procedures, and met with key officials responsible for
physical security to discuss these policies and procedures. We compared
these policies and procedures to 52 standards developed by the
Department of Justice for federal buildings.5 Based on these standards, we
evaluated these organizations’ physical security efforts across several key
operational elements, including measures taken to secure perimeters,
entryways, and interior areas and whether organizations had conducted
various security planning activities.

To determine what steps these 15 organizations were taking to reduce the
risks to their operations from electronic attacks, we reviewed the security
policies of the organizations we visited and reviewed documentation of
their system and network architectures and configurations. We also


5
 See Department of Justice, Vulnerability Assessment of Federal Facilities, (Washington,
D.C.: June 28, 1995), which presents security standards that were developed following the
bombing of the Murrah Building in Oklahoma City in 1995 and are intended to be used to
assess security at all federal facilities. Under the standards, each facility is to be placed in
five categories, with Level 1 facilities having the least need for physical security and Level 5
facilities having the highest need. Based on its risk level, a facility would be expected to
implement increasingly stringent measures in 52 security areas.




Page 27                                                GAO-03-251 Potential Terrorist Attacks
Chapter 1
Introduction




compared their information security measures to those recommended for
federal organizations in the Federal Information System Controls Audit
Manual (FISCAM).6 Using these standards, we attempted to determine
through discussions and document reviews how these organizations had
addressed various key operational elements for information security,
including how they controlled access to their systems and detected
intrusions, what responses they made when such intrusions occurred, and
what assessments of their systems’ vulnerabilities they had performed.

To determine what steps these 15 organizations had taken to ensure they
could resume operations after an attack or other disaster, we discussed
their business continuity plans (BCP) with staff and toured their primary
facilities and the backup facilities they maintained.7 In addition, we
reviewed their BCPs and assessed them against practices recommended
for federal and private-sector organizations, including FISCAM, bank
regulatory guidance, and the practices recommended by the Business
Continuity Institute.8 Comparing these standards with the weaknesses
revealed in some financial market participants’ recovery efforts after the
September 2001 attacks, we determined how these organizations’ BCPs
addressed several key operational elements. Among the operational
elements we considered were the existence and capabilities of backup
facilities, whether the organizations had procedures to ensure the
availability of critical personnel and telecommunications, and whether they
completely tested their plans. In evaluating these organizations’ backup
facilities, we attempted to determine whether these organizations had
backup facilities that would allow them to recover from damage to their
primary sites or from damage or inaccessibility resulting from a wide-scale
disaster. We also met with staff of several major banks and securities firms
to discuss their efforts to improve BCPs. We also reviewed results of a
survey by the NASD—which oversees broker-dealer members of

6
 U.S. General Accounting Office, Federal Information Systems Controls Audit Manual,
Volume I: Financial Statement Audits, GAO/AIMD-12.19.6 (Washington, D.C.: Jan. 1999).
7
 We conduct our reviews of these 15 organizations physical and electronic security
measures and BCP capabilities between February and June 2002. When feasible, we also
directly observed controls in place for physical security and business continuity at the
organizations assessed. We did not test these controls by attempting to gain unauthorized
entry or access to market participants’ facilities or information systems.
8
 This guidance included FISCAM; the Federal Financial Institutions Examination Council’s
Information Systems Handbook: Volume 1 (Washington, D.C.: 1996); and the Business
Continuity Institute’s Business Guide to Continuity Management (Worcester, United
Kingdom: Jan. 19, 2001).




Page 28                                             GAO-03-251 Potential Terrorist Attacks
Chapter 1
Introduction




NASDAQ—that reported on the business continuity capabilities of 120 of
its largest members and a random selection of 150 of approximately 4,000
remaining members.

To assess how the financial regulators were addressing physical security,
electronic security, and business continuity planning at the financial
institutions they oversee, we met with staff from SEC, the Federal Reserve,
OCC, and representatives of the Federal Financial Institutions Examination
Council. In addition, we met with NYSE and NASD staff responsible for
overseeing their members’ compliance with the securities laws. At SEC, we
also collected data on the examinations SEC had conducted of exchanges,
clearing organizations, and ECNs since 1995 and reviewed the examiners’
work program and examination reports for the 10 examinations completed
between July 2000 and August 2002. In addition, we reviewed selected SEC
and NYSE examinations of broker-dealers.

To determine how the financial markets were being addressed as part of
the United States’ critical infrastructure protection efforts, we reviewed
previously completed GAO work, met with staff from Treasury and
representatives of the Financial and Banking Information Infrastructure
Committee (FBIIC), which is undertaking efforts to ensure that critical
assets in the financial sector are protected. We also discussed initiatives to
improve responses to future crises and improve the resiliency of the
financial sector and its critical telecommunications services with
representatives of industry trade groups, including the Bond Market
Association and the Securities Industry Association, as well as regulators,
federal telecommunications officials, telecommunications providers, and
financial market participants. The results of this work are presented in
appendix II.

We conducted our work in various U.S. cities from November 2001 to
October 2002 in accordance with generally accepted government auditing
standards.




Page 29                                     GAO-03-251 Potential Terrorist Attacks
Chapter 2

September 11 Attacks Severely Disrupted U.S.
Financial Markets                                                                                       Chapte2
                                                                                                              r




                       The terrorist attacks on September 11, 2001, resulted in significant loss of
                       life and extensive property and other physical damage, including damage to
                       the telecommunications and power infrastructure serving lower
                       Manhattan. Because many financial market participants were concentrated
                       in the area surrounding the World Trade Center, U.S. financial markets
                       were severely disrupted. Several key broker-dealers experienced extensive
                       damage, and the stock and options markets were closed for the longest
                       period since the 1930s. The markets for government securities and money
                       market instruments were also severely disrupted as several key
                       participants in these markets were directly affected by the attacks.
                       However, financial market participants, infrastructure providers, and
                       regulators made tremendous efforts to successfully reopen these markets
                       within days. Regulators also took various actions to facilitate the reopening
                       of the markets, including granting temporary relief from regulatory
                       reporting and other requirements and providing funds and issuing
                       securities to ensure that financial institutions could fund their operations.
                       The impact on the banking and payments systems was less severe, as the
                       primary operations of most banks and payment systems processors were
                       located outside of the area affected by the attacks, or because they had
                       fully operational backup facilities in other locations. Although many
                       factors affected the ability of the markets to resume operations, the attacks
                       also revealed limitations in many participants’ BCPs for addressing such a
                       widespread disaster. These factors included not having backup facilities
                       that were sufficiently geographically dispersed or comprehensive enough
                       to conduct all critical operations, unanticipated loss of
                       telecommunications service, and difficulties in locating staff and
                       transporting them to new facilities.



Attacks Caused         On September 11, 2001, two commercial jet airplanes were hijacked by
                       terrorists and flown into the twin towers of the World Trade Center. Within
Extensive Damage and   hours, the two towers completely collapsed, resulting in the loss of four
Loss of Life and       other buildings that were part of the World Trade Center complex. As
                       shown in figure 2, the attacks damaged numerous structures in lower
Created Difficult      Manhattan.
Conditions That
Impeded Recovery
Efforts




                       Page 30                                     GAO-03-251 Potential Terrorist Attacks
                                        Chapter 2
                                        September 11 Attacks Severely Disrupted
                                        U.S. Financial Markets




Figure 2: Buildings Destroyed or Damaged on September 11, 2001




                                        The attacks caused extensive property damage. According to estimates by
                                        the Securities Industry Association, the total cost of the property damages
                                        ranges from $24 to $28 billion. According to one estimate, the damage to
                                        structures beyond the immediate World Trade Center area extended across
                                        16 acres. The six World Trade Center buildings that were lost accounted for




                                        Page 31                                   GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




over 13 million square feet of office space, valued at $5.2 to $6.7 billion.1
One of these buildings was 7 World Trade Center, which was a 46-story
office building directly to the west of the two towers. It sustained damage
as a result of the attacks, burned for several hours, and collapsed around
5:00 p.m. on September 11, 2001. An additional nine buildings containing
about 15 million square feet of office space were substantially damaged and
were expected to require extensive and lengthy repair before they could be
reoccupied. Sixteen buildings with about 10 million square feet of office
space sustained relatively minor damage and will likely be completely
reoccupied. Finally, another 400 buildings sustained damage primarily to
facades and windows. A study by an insurance industry group estimated
that the total claims for property, life, and other insurance would exceed
$40 billion.2 In comparison, Hurricane Andrew of 1992 caused an
estimated $15.5 billion in similar insurance claims.

The loss of life following the attacks on the World Trade Center was also
devastating with the official death toll for the September 11 attacks
reaching 2,795, as of November 2002. Because of the concentration of
financial market participants in the vicinity of the World Trade Center, a
large percentage of those killed were financial firm employees. Excluding
the 366 members of the police and fire departments and the persons on the
airplanes, the financial industry’s loss represented over 74 percent of the
total civilian casualties in the World Trade Center attacks. Four firms
accounted for about a third of the civilian casualties, and 658 were
employees of one firm—Cantor Fitzgerald, a key participant in the
government securities markets. The loss of life also exacted a heavy
psychological toll on staff that worked in the area, who both witnessed the
tragedy and lost friends or family. Representatives of several organizations
we met with told us that one of the difficulties in the aftermath of the
attacks was addressing the psychological impact of the event on staff. As a
result, individuals attempting to restore operations often had to do so
under emotionally traumatic conditions.



1
The seventh building was a hotel.
2
 According to another study by the Insurance Information Institute, One Hundred Minutes
of Terror That Changed the Global Insurance Industry Forever, the total value of insurance
claims for this event will be about $40 billion. This study estimated that about $2.7 billion, or
6.7 percent of this amount, would be for life insurance claims, and the remaining $37 billion
to be for nonlife insurance claims, which include property damages, business interruption,
and nonaviation liability claims.




Page 32                                                GAO-03-251 Potential Terrorist Attacks
                                        Chapter 2
                                        September 11 Attacks Severely Disrupted
                                        U.S. Financial Markets




                                        The dust and debris from the attacks and the subsequent collapse of the
                                        various World Trade Center structures covered an extensive area of lower
                                        Manhattan, up to a mile beyond the center of the attacks, as shown in figure
                                        3.



Figure 3: Geographic Extent of Damage and Debris from Attacks in Lower Manhattan




                                        Page 33                                    GAO-03-251 Potential Terrorist Attacks
                                         Chapter 2
                                         September 11 Attacks Severely Disrupted
                                         U.S. Financial Markets




                                         Figures 4 and 5 include various photographs that illustrate the damage to
                                         buildings from the towers’ collapse and from the dust and debris that
                                         blanketed the surrounding area.



Figure 4: Damage to Buildings from Attacks and Resulting Debris




                                         Page 34                                   GAO-03-251 Potential Terrorist Attacks
                                          Chapter 2
                                          September 11 Attacks Severely Disrupted
                                          U.S. Financial Markets




Figure 5: Dust and Debris Resulting from Attack




                                          This dust and debris created serious environmental hazards that resulted in
                                          additional damage to other facilities and hampered firms’ ability to restore
                                          operations in the area. For example, firms with major data processing
                                          centers could not operate computer equipment until the dust levels had
                                          been substantially reduced because of the sensitivity of this equipment to
                                          dust contamination. In addition, dust and other hazardous materials made



                                          Page 35                                    GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




working conditions in the area difficult and hazardous. According to staff
of one of the infrastructure providers with whom we met, the entire area
near the World Trade Center was covered with a toxic dust that contained
asbestos and other hazardous materials.

Restrictions on physical access to lower Manhattan, put into place after the
attacks, also complicated efforts to restore operations. To facilitate rescue
and recovery efforts and maintain order, the mayor ordered an evacuation
of lower Manhattan, and the New York City Office of Emergency
Management restricted all pedestrian and vehicle access to most of this
area from September 11 through September 13, 2001. During this time,
access to the area was only granted to persons with the appropriate
credentials. Federal and local law enforcement agencies also restricted
access because of the potential for additional attacks and to facilitate
investigations at the World Trade Center site. Figure 6 shows the areas with
access restrictions in the days following the attacks.




Page 36                                     GAO-03-251 Potential Terrorist Attacks
                                         Chapter 2
                                         September 11 Attacks Severely Disrupted
                                         U.S. Financial Markets




Figure 6: Lower Manhattan Area Subject to Access Restrictions Following September 11, 2001, Attacks




                                         Page 37                                       GAO-03-251 Potential Terrorist Attacks
                          Chapter 2
                          September 11 Attacks Severely Disrupted
                          U.S. Financial Markets




                          Some access restrictions were lifted beginning September 14, 2001;
                          however, substantial access restrictions were in place through September
                          18. From September 19, most of the remaining restrictions were to cordon
                          off the area being excavated and provide access for heavy machinery and
                          emergency vehicles.



Damage from Attacks       The September 11 terrorist attacks extensively damaged the
                          telecommunications infrastructure serving lower Manhattan, disrupting
Significantly Disrupted   voice and data communications services throughout the area. (We discuss
Telecommunications        the impact of the attacks on telecommunications infrastructure and
                          telecommunications providers’ recovery efforts in more detail in appendix
and Power                 I of this report.) Most of this damage occurred when 7 World Trade Center,
                          itself heavily damaged by the collapse of the twin towers, collapsed into a
                          major telecommunications center at 140 West Street operated by Verizon,
                          the major telecommunications provider for Manhattan. The collateral
                          damage inflicted on that Verizon central office significantly disrupted local
                          telecommunications services to approximately 34,000 businesses and
                          residences in the surrounding area, including the financial district.3
                          Damage to the facility was compounded when water from broken mains
                          and fire hoses flooded cable vaults located in the basement of the building
                          and shorted out remaining cables that had not been directly cut by damage
                          and debris. As shown in figure 7, the damage to this key facility was
                          extensive.




                          3
                           A central office is a telephone company facility containing the switching equipment linking
                          customers with public voice and data networks within and outside of the local service area.




                          Page 38                                             GAO-03-251 Potential Terrorist Attacks
                                          Chapter 2
                                          September 11 Attacks Severely Disrupted
                                          U.S. Financial Markets




Figure 7: Damage to Verizon Central Office at 140 West Street




                                          Because of the damage to Verizon facilities and equipment, significant
                                          numbers of customers lost telecommunications services for extended
                                          periods. When Verizon’s 140 West Street central office was damaged, about
                                          182,000 voice circuits, more than 1.6 million data circuits, almost 112,000
                                          private branch exchange (PBX) trunks, and more than 11,000 lines serving



                                          Page 39                                    GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




Internet service providers were lost.4 As shown in figure 8, this central
office served a large part of lower Manhattan.




4
 A PBX is an automatic telephone switching system that is owned, operated, and located
within a private enterprise. This system switches calls between enterprise users on local
lines while allowing all users to share a certain number of external telephone lines. A PBX
trunk line connects the PBX to the serving telecommunications carrier’s local central office
switch.




Page 40                                             GAO-03-251 Potential Terrorist Attacks
                                          Chapter 2
                                          September 11 Attacks Severely Disrupted
                                          U.S. Financial Markets




Figure 8: Area Served by Verizon 140 West Street Central Office




                                          Page 41                                   GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




The attacks also damaged other Verizon facilities and affected customers in
areas beyond that served directly from the Verizon West Street central
office. Three other Verizon switches in the World Trade Center towers and
in 7 World Trade Center were also destroyed in the attacks. Additional
services were disrupted because 140 West Street also served as a transfer
station on the Verizon network for about 2.7 million circuits carrying data
traffic that did not originate or terminate in that serving area, but that
nevertheless passed through that particular physical location. For example,
communications services provided out of the Verizon Broad Street central
office that passed through West Street were also disrupted until new
cabling could be put in place to physically carry those circuits around the
damaged facility. As a result, a total of about 4.4 million Verizon data
circuits had to be restored.

Other telecommunications carriers that serviced customers in the affected
area also experienced damage and service disruptions. For example, in 140
West Street, 30 telecommunications providers had equipment that linked
their networks to Verizon. Other firms lost even more equipment than
Verizon. For example, AT&T lost a key transmission facility that serviced
its customers in lower Manhattan and had been located in one of the World
Trade Center towers.

The attacks also caused major power outages in lower Manhattan. Con
Edison, the local power provider, lost three power substations and more
than 33 miles of cabling; total damage to the power infrastructure was
estimated at $410 million. As a result, more than 13,000 Con Edison
business customers lost power, which required them to either relocate
operations or use alternative power sources such as portable generators.

To restore telecommunications and power, service providers had to
overcome considerable challenges. Access restrictions made this work
more difficult—staff from WorldCom told us that obtaining complete
clearance through the various local, state, and federal officials, including
the National Guard, took about 2 days. In some cases, environmental and
other factors also prevented restoration efforts from beginning. According
to Verizon staff, efforts to assess the damage and begin repairs on 140 West
Street initially were delayed by concerns over the structural integrity of the
damaged facility and other nearby buildings; several times staff had to halt
assessment and repair efforts because government officials ordered
evacuations of the building.




Page 42                                     GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




In some cases, infrastructure providers employed innovative solutions to
restore telecommunications and power quickly. For example, these
providers placed both telecommunications and power cables that are
normally underground directly onto the streets and covered them with
temporary plastic barriers. Con Edison repair staff also had tanks of liquid
nitrogen placed on street corners so that their employees could freeze
cables, which makes them easier to cut when making repairs. To work
around the debris that blocked access to 140 West, Verizon staff ran cables
over the ground and around damaged cabling to quickly restore services.
Because of damage to the reinforced vault that previously housed the
cables at Verizon’s facility, a new cable vault was reconstructed on the first
floor, and cables were run up the side of the building to the fifth and eighth
floors, as shown in figure 9.




Page 43                                     GAO-03-251 Potential Terrorist Attacks
                                         Chapter 2
                                         September 11 Attacks Severely Disrupted
                                         U.S. Financial Markets




Figure 9: Verizon Used Temporary Cabling Solutions at 140 West Street




                                         Page 44                                   GAO-03-251 Potential Terrorist Attacks
                            Chapter 2
                            September 11 Attacks Severely Disrupted
                            U.S. Financial Markets




Attacks Severely            Although the facilities of the stock and options exchanges and clearing
                            organizations in lower Manhattan were largely undamaged by the attacks,
Affected Financial          many market participants were affected by the loss of telecommunications
Markets but Heroic          and lack of access to lower Manhattan. As a result, many firms, including
                            some of the broker-dealers responsible for significant portions of the
Efforts Were Made to        overall securities market trading activity, were forced to relocate
Restore Operations          operations to backup facilities and alternative locations. To resume
                            operations, these new facilities had to be prepared for trading and provided
                            with sufficient telecommunications capacity. Some firms had to have
                            telecommunications restored although they thought they had redundant
                            communications services. Regulators and market participants delayed the
                            opening of the stock and options market until September 17, until the key
                            broker-dealers responsible for large amounts of market liquidity were able
                            to operate and telecommunications had been tested.



Most Securities Exchanges   Although several securities exchanges and market support organizations
and Market Support          were located in the vicinity of the attacks, most did not experience direct
                            damage. The NYSE, Depository Trust and Clearing Corporation,5 Securities
Organizations Were Not
                            Industry Automation Corporation (SIAC), International Securities
Directly Damaged            Exchange, and the Island ECN all had important facilities located in close
                            proximity to the World Trade Center, but none of these organizations’
                            facilities were damaged. The American Stock Exchange (Amex) was the
                            only securities exchange that experienced incapacitating damage.6 Amex
                            was several hundred feet from the World Trade Center towers, but
                            sustained mostly broken windows and damage to some offices. However,
                            its drainage and ventilation systems were clogged by dust and debris and
                            the building lost power, telephones, and access to water and steam. The
                            loss of steam and water coupled with the inadequate drainage and
                            ventilation meant that Amex computer systems could not run due to a lack
                            of air conditioning. As a result, the Amex building was not cleared for
                            reoccupation until October 1, 2001, after inspectors had certified the
                            building as structurally sound and power and water had been fully
                            restored. Although the remaining exchanges were not damaged, U.S. stock


                            5
                             The Depository Trust and Clearing Corporation is the holding company for various
                            organizations that conduct clearance and settlement services, including the Depository
                            Trust Company and the National Securities Clearing Corporation.
                            6
                             Several futures exchanges experienced damage, including one whose operations were
                            located in one of the World Trade Center towers.




                            Page 45                                            GAO-03-251 Potential Terrorist Attacks
                               Chapter 2
                               September 11 Attacks Severely Disrupted
                               U.S. Financial Markets




                               and options exchanges nationwide closed the day of the attacks and did not
                               reopen until September 17, 2001. However, regulators and market
                               participants acknowledged that if the major exchanges or clearing
                               organizations had sustained damage, trading in the markets would have
                               likely taken longer to resume.



Damage to Financial            Although most exchanges and market support organizations were not
Institutions’ Facilities and   damaged by the attacks, several key firms with substantial operations in
                               the area sustained significant facilities damage. As a result of this damage
Telecommunications Forced      and the inability to access the area in the days following the attacks, many
Relocations and Made           financial institution participants had to relocate their operations, in some
Recovery Efforts               cases using locations not envisioned by their BCPs. They then faced the
Challenging                    challenge of recreating their key operations and obtaining sufficient
                               telecommunications services at these new locations. For example, one
                               large broker-dealer with headquarters that had been located across from
                               the World Trade Center moved operations to midtown Manhattan, taking
                               over an entire hotel. To resume operations, firms had to obtain computers
                               and establish telecommunications lines in the rooms that were converted
                               to work spaces. Another large broker-dealer whose facilities were damaged
                               by the attacks attempted to reestablish hundreds of direct lines to its major
                               customers after relocating operations to the facilities of a recently
                               purchased broker-dealer subsidiary in New Jersey. The simultaneous
                               relocation of so many firms meant that they also had to establish
                               connections to the new operating locations of other organizations.
                               Although Verizon managers were unable to estimate how much of its
                               restoration work in the days following the attacks specifically addressed
                               such needs, they told us that considerable capacity was added to the New
                               Jersey area to accommodate many of the firms that relocated operations
                               there, including financial firms.

                               Restoring operations often required innovative approaches. According to
                               representatives of the exchanges and other financial institutions we spoke
                               with, throughout the crisis financial firms that are normally highly
                               competitive instead exhibited a high level of cooperation. In some cases,
                               firms offered competitors facilities and office space. For example, traders
                               who normally traded stocks on the Amex floor obtained space on the
                               trading floor of NYSE, and Amex options traders were provided space at
                               the Philadelphia Stock Exchange. In some cases, innovative approaches
                               were used by the exchanges and utilities to restore lost connectivity to
                               their customers. For example, technicians at the Island ECN created virtual
                               private network connections for those users whose services were



                               Page 46                                     GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




disrupted.7 Island also made some of its trading applications available to its
customers through the Internet. In another example, SIAC, which
processes trades for NYSE and the American Stock Exchange, worked
closely with its customers to reestablish their connectivity, reconfiguring
customers’ working circuits that had been used for testing or clearing and
settlement activities to instead transmit data to SIAC’s trading systems.

The Bond Market Association, the industry association representing
participants in the government and other debt markets, and the Securities
Industry Association (SIA), which represents participants in the stock
markets, played critical roles in reopening markets. Both associations
helped arrange daily conference calls with market participants and
regulators to address the steps necessary to reopen the markets. At times,
hundreds of financial industry officials were participating in these calls.
These organizations also made recommendations to regulators to provide
some relief to their members so that they could focus on restoring their
operations. For example, the Bond Market Association recommended to its
members that they extend the settlement date for government securities
trades from the day following trade date (T+1) to five days after to help
alleviate some of the difficulties that were occurring in the government
securities markets. Through a series of conference calls with major banks
and market support organizations, SIA was instrumental in helping to
develop an industrywide consensus on how to resolve operational issues
arising from the damage and destruction to lower Manhattan and how to
mitigate operational risk resulting from the destruction of physical (that is,
paper) securities, which some firms had maintained for customers.

SEC also took actions to facilitate the successful reopening of the markets.
To allow market participants to focus primarily on resuming operations,
SEC issued rules to provide market participants temporary relief from
certain regulatory requirements. For example, SEC extended deadlines for
disclosure and reporting requirements, postponed the implementation date
for new reporting requirements, and temporarily waived some capital
regulation requirements. SEC implemented other relief measures targeted
toward stabilizing the reopened markets. For example, SEC relaxed rules
that restrict corporations from repurchasing their own shares of publicly



7
 A virtual private network is a private data network that uses public telecommunication
infrastructure such as the Internet to provide remote users with secure access to an
organization's network.




Page 47                                             GAO-03-251 Potential Terrorist Attacks
                              Chapter 2
                              September 11 Attacks Severely Disrupted
                              U.S. Financial Markets




                              traded stock, and simplified registration requirements for airline and
                              insurance industries so that they could more easily raise capital.



Stock and Options Markets     Partially because of the difficulties experienced by many firms in restoring
Opening Was Delayed until     operations and obtaining adequate telecommunications service, the
                              reopening of the markets was delayed. Although thousands of broker-
Sufficient Connectivity and   dealers may participate in the securities markets, staff at NYSE and
Liquidity Existed             NASDAQ told us that a small number of firms account for the majority of
                              the trading volume on their markets. Many of those firms had critical
                              operations in the area affected by the attacks. For example, 7 of the top 10
                              broker-dealers ranked by capital had substantial operations in the World
                              Trade Center or the World Financial Center, across from the World Trade
                              Center. In the immediate aftermath of the attack, these and other firms
                              were either attempting to restore operations at their existing locations or at
                              new locations. In addition, financial market participant staff and the
                              financial regulators told us that their staffs did not want to return to the
                              affected area too soon to avoid interfering with the rescue and recovery
                              efforts. For example, the SEC Chairman told us that he did not want to
                              send 10,000 to 15,000 workers into lower Manhattan while the recovery
                              efforts were ongoing and living victims were still being uncovered.

                              Because of the considerable efforts required for broker-dealers to restore
                              operations, insufficient liquidity existed to open the markets during the
                              week of the attacks. According to regulators and exchange staff, firms able
                              to trade by Friday, September 14, accounted for only about 60 percent of
                              the market’s normal order flow. As a result, securities regulators, market
                              officials, and other key participants decided that, until more firms were
                              able to operate normally, insufficient liquidity existed in the markets.
                              Opening the markets with some firms but not others was also viewed as
                              unfair to many of the customers of the affected firms. Although
                              institutional clients often have relationships with multiple broker-dealers,
                              smaller customers and individual investors usually do not; thus, they may
                              not have been able to participate in the markets under these
                              circumstances.

                              In addition, connectivity between market participants and exchanges had
                              not been tested. For this reason, it was unclear how well the markets would
                              operate when trading resumed because so many critical
                              telecommunication connections were damaged in the attacks and had been
                              either repaired or replaced. Staff from the exchanges and market
                              participants told us that the ability to conduct connectivity testing prior to



                              Page 48                                     GAO-03-251 Potential Terrorist Attacks
                         Chapter 2
                         September 11 Attacks Severely Disrupted
                         U.S. Financial Markets




                         the markets reopening was important. Many firms experienced technical
                         difficulties in getting the new connections they had obtained to work
                         consistently as telecommunication providers attempted to restore
                         telecommunications service. According to officials at one exchange,
                         restoring connections to its members was difficult because existing or
                         newly restored lines that were initially operational would erratically lose
                         their connectivity throughout the week following September 11.
                         Representatives of the exchanges and financial regulators with whom we
                         met told us that opening the markets but then having to shut them down
                         again because of technical difficulties would have greatly reduced investor
                         confidence.

                         Because of the need to ensure sufficient liquidity and a stable operating
                         environment, market participants and regulators decided to delay the
                         resumption of stock and options trading until Monday, September 17. This
                         delay allowed firms to complete their restoration efforts and use the
                         weekend to test connectivity with the markets and the clearing
                         organizations. As a result of these efforts, the stock and options markets
                         reopened on September 17 and traded record volumes without significant
                         operational difficulties.



Disruptions in           The attacks also severely disrupted the markets for government securities
                         and money market instruments primarily because of the impact on the
Government Securities    broker-dealers that trade in the market and on one of the key banks that
and Money Markets        perform clearing functions for these products. According to regulatory
                         officials, at the time of the attacks, eight of the nine IDBs, which provide
Severely Affected        brokerage services to other dealers in government securities, had
Clearance and            operations that were severely disrupted following the attacks. The most
Settlement, Liquidity,   notable was Cantor Fitzgerald Securities, whose U.S. operations had been
                         located on several of the highest floors of one of the World Trade Center
and Trade Volumes        towers. Because much of the trading in the government securities market
                         occurs early in the day, the attacks and subsequent destruction of the
                         towers created massive difficulties for this market. When these IDBs’
                         facilities were destroyed, the results of trading, including information on
                         which firms had purchased securities and which had sold, also were largely
                         lost. These trades had to be reconstructed from the records of the dealers
                         who had conducted trades with the IDBs that day. In addition, with the loss
                         of their facilities, most of the primary IDBs were not able to communicate
                         with the Government Securities Clearing Corporation (GSCC), which also
                         complicated the clearing and settlement of these trades. Staff from




                         Page 49                                    GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




financial market participants told us that reconciling some of these
transactions took weeks, and in some cases, months.

Two banks—the Bank of New York (BONY) and JP Morgan Chase—were
the primary clearing banks for government securities. Clearing banks are
essentially responsible for transferring funds and securities for their dealer
and other customers that purchase or sell government securities. For
trades cleared through GSCC, the clearing organization for these
instruments, instructs its dealer members and the clearing banks as to the
securities and associated payments to be transferred to settle its members’
net trade obligations.

As a result of the attacks, BONY and its customers experienced
telecommunications and other problems that contributed to the disruption
in the government securities market because it was the clearing bank for
many major market participants and because it maintained some of GSCC’s
settlement accounts. BONY had to evacuate four facilities including its
primary telecommunications data center and over 8,300 staff, because they
were located near the World Trade Center.

At several of these facilities, BONY conducted processing activities as part
of clearing and settling government securities transactions on behalf of its
customers and GSCC. The communication lines between BONY and the
Fedwire systems for payment and securities transfers, as well as those
between BONY and its clients, were critical to BONY’s government
securities operations. Over these lines, BONY transmitted data with
instructions to transfer funds and securities from its Federal Reserve
accounts to those of other banks for transactions in government securities
and other instruments. BONY normally accessed its Federal Reserve
accounts from one of the lower Manhattan facilities that had to be
abandoned. In the days following the attacks, BONY had difficulties in
reestablishing its Fedwire connections and processing transactions. In
addition, many BONY customers also had to relocate and had their own
difficulties in establishing connections to the BONY backup site. As a result
of these internal processing problems and inability to communicate with its
customers, BONY had problems determining what amounts should be
transferred on behalf of the clients for whom it performed clearing
services. For example, by September 12, 2001, over $31 billion had been
transferred to BONY’s Federal Reserve account for GSCC, but because
BONY could not access this account, it could not transfer funds to which
its clients were entitled. BONY was not able to establish connectivity with




Page 50                                     GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




GSCC and begin receiving and transmitting instructions for payment
transfers until September 14, 2001.

The problems at the IDBs and BONY affected the ability of many
government securities and money markets participants to settle their
trades. Before a trade can be cleared and settled, the counterparties to the
trade and the clearing banks must compare trade details by exchanging
messages to ensure that each is in agreement on the price and amount of
securities traded. To complete settlement, messages then must be
exchanged between the parties to ensure that the funds and ownership of
securities are correctly transferred. If trade information is not correct and
funds and securities are not properly transferred, the trade will be
considered a “fail.” As shown in figure 10, failed transactions increased
dramatically, rising from around $500 million per day to over $450 billion
on September 12, 2001. The level of fails also stayed high for many days
following the attacks, averaging about $100 billion daily through September
28.



Figure 10: Failed Transactions in the Government Securities Markets During
September 2001




The problems in the government securities markets also created liquidity
problems for firms participating in and relying on these markets to fund
their operations. Many firms, including many large broker-dealers, fund



Page 51                                       GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




their operations using repurchase agreements, or repos, in which one party
sells government securities to another party and agrees to repurchase
those securities on a future date at a fixed price. Because repos are used
to finance firms’ daily operations, many of these transactions are executed
before 9:00 a.m. As a result, by the time the attacks occurred on September
11, over $500 billion in repos had been transacted. With so many IDB
records destroyed, many of the transactions could not be cleared and
settled, causing many of these transactions to fail. As a result, some firms
that relied on this market as a funding source experienced major funding
shortfalls.

Although trading government securities was officially resumed within 2
days of the attacks, overall trading activity was low for several days. For
example, as shown in figure 11, trading volumes went from around $500
billion on September 10 to as low as $9 billion on September 12, 2001.
Similarly, repo activity fell from almost $900 billion on September 10 to
$145 billion on September 13.



Figure 11: Cash Purchases of Government Securities and Repo Market Activity
During September 2001
1,000   Dollars in billions



 800



 600



 400



 200



    0


        10      11    12      13   14     17     18   19   20    21   24    25   26    27    28
        September

                 Repos
                 Purchases of Government Securities

Source: GSCC.




Page 52                                                    GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




The attacks also disrupted the markets for commercial paper, which are
short-term securities issued by financial and other firms to raise funds.
According to clearing organization officials, the majority of commercial
paper redemptions—when the investors that originally purchased the
commercial paper have their principal returned-- that were scheduled to be
redeemed on September 11 and September 12 were not paid until
September 13. Firms that relied on these securities to fund their operations
had to obtain other sources of funding during this period.

The Federal Reserve took several actions to mitigate potential damage to
the financial system resulting from liquidity disruptions in these markets.
Banking regulatory staff told us that the attacks largely resulted in a
funding liquidity problem rather than a solvency crisis for banks. Thus, the
challenge they faced was ensuring that banks had adequate funds to meet
their financial obligations. The settlement problems also prevented broker-
dealers and others from using the repo markets to fund their daily
operations. Soon after the attacks, the Federal Reserve announced that it
would remain open to help banks meet their liquidity needs. Over the next
4 days, the Federal Reserve provided about $323 billion to banks through
various means to overcome the problems resulting from unsettled
government securities trades and financial market dislocations. For
example, from September 11 through September 14, the Federal Reserve
loaned about $91 billion to banks through its discount window, in contrast
to normal lending levels of about $100 million.8 It also conducted securities
purchase transactions and other open market operations of about $189
billion to provide needed funds to illiquid institutions. Had these actions
not been taken, some firms unable to receive payments may not have had
sufficient liquidity to meet their other financial obligations, which could
have produced other defaults and magnified the effects of September 11
into a systemic solvency crisis.

Regulators also took action to address the failed trades resulting from the
attacks. From September 11 through September 13, the Federal Reserve
loaned $22 billion of securities from its portfolio to broker-dealers that
needed securities to complete settlements of failed trades. According to
Federal Reserve staff, the Federal Reserve subsequently reduced
restrictions on its securities lending that led to a sharp increase in


8
 The discount window is the lending mechanism used by the Federal Reserve Banks to lend
funds to depository institutions on a short-term basis to cover temporary liquidity needs or
reserve deficiencies.




Page 53                                             GAO-03-251 Potential Terrorist Attacks
                       Chapter 2
                       September 11 Attacks Severely Disrupted
                       U.S. Financial Markets




                       borrowings at the end of September 2001. Treasury also played a role in
                       easing the failed trades and preventing a potential financial crisis by
                       conducting an unplanned, special issuance of 10-year notes to help address
                       a shortage of notes of this duration in the government securities markets.
                       Market participants typically use these securities as collateral for financing
                       or to meet settlement obligations.

                       To provide dollars needed by foreign institutions, the Federal Reserve also
                       conducted currency swaps with the Bank of Canada, the European Central
                       Bank, and the Bank of England. The swaps involved exchanging dollars for
                       the foreign currencies of these jurisdictions, with agreements to re-
                       exchange amounts later. These temporary arrangements provided funds to
                       settle dollar-denominated obligations of foreign banks whose U.S.
                       operations were affected by the attacks.

                       The Federal Reserve, Federal Deposit Insurance Corporation, OCC, and the
                       Office of Thrift Supervision issued a joint statement after the attacks to
                       advise the institutions they oversee that any temporary declines in capital
                       would be evaluated in light of the institution’s overall financial condition.
                       The Federal Reserve also provided substantial amounts of currency so that
                       banks would be able to meet customer needs.



Impact of Attacks on   With a few exceptions, commercial banks were not as adversely affected as
                       broker- dealers by the attacks. Although some banks had some facilities
the Banking and        and operations in lower Manhattan, they were not nearly as geographically
Payments Systems Was   concentrated as securities market participants. As discussed previously,
                       BONY was one bank with significant operations in the World Trade Center
Less Severe            area, but only a limited number of other large banks had any operations
                       that were affected. According to regulatory officials that oversee national
                       banks, seven of their institutions had operations in the areas affected by
                       the attacks.

                       Most payment system operations continued with minimal disruption. The
                       Federal Reserve Bank of New York (FRBNY) manages the Federal
                       Reserve’s Fedwire securities and payments transfer systems. Although the
                       FRBNY sustained damage to some telecommunications lines, Fedwire
                       continued processing transactions without interruption because the actual
                       facilities that process the transactions are not located in lower Manhattan.
                       However, Federal Reserve officials noted that some banks experienced
                       problems connecting to Fedwire because of the widespread damage to
                       telecommunications systems. Over 30 banks lost connectivity to Fedwire



                       Page 54                                     GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




because their data first went to the FRBNY facility in lower Manhattan
before being transmitted to Fedwire’s system’s processing facility outside
the area. However, most were able to reestablish connections through dial-
up backup systems and some began reporting transfer amounts manually
using voice lines. Federal Reserve officials noted that normal volumes for
manually reported transactions were about $200–$400 million daily, but
from September 11 through September 13, 2001, banks conducted about
$151 billion in manually reported transactions. A major private-sector
payments system, CHIPS, also continued to function without operational
disruptions, although 19 of its members temporarily lost connectivity with
CHIPs in the aftermath of the attacks and had to reconnect from backup
facilities.

Retail payments systems, including check clearing and automated clearing
house transactions, generally continued to operate. However, the
grounding of air transportation did complicate and delay some check
clearing, since both the Federal Reserve and private providers rely on
overnight air delivery to transport checks between banks in which they are
deposited and banks from which they are drawn.9 Federal Reserve officials
said they were able to arrange truck transportation between some check
clearing offices until they were able to gain approval for their chartered air
transportation to resume several days later. According to Federal Reserve
staff, transporting checks by ground slowed processing and could not
connect all offices across the country. The staff said that the Federal
Reserve continued to credit the value of deposits to banks even when it
could not present checks and debit the accounts of paying banks. This
additional liquidity —normally less than $1 billion—peaked at over $47
billion on September 13, 2001.




9
 The Expedited Funds Availability Act of 1987, which is implemented through Federal
Reserve Board Regulation CC, requires that banks make funds available for withdrawal
within 2 days when the bank of first deposit and the paying bank are located within the
same Federal Reserve check processing territory and within 5 days when the banks are not
in the same territory. Meeting those deadlines frequently requires air transport of checks.




Page 55                                             GAO-03-251 Potential Terrorist Attacks
                          Chapter 2
                          September 11 Attacks Severely Disrupted
                          U.S. Financial Markets




Attacks Revealed          The terrorist attacks revealed that limits that existed in market
                          participants’ business continuity capabilities at the time of the attacks.
Limitations in            Based on our discussions with market participants, regulators, industry
Financial Market          associations and others, the BCPs of many organizations had been too
                          limited in scope to address the type of disaster that occurred. Instead,
Participants’ Business    BCPs had procedures to address disruptions affecting a single facility such
Continuity Capabilities   as power outages or fires at one building. For example, a 1999 SEC
                          examination report of a large broker-dealer that we reviewed noted that in
                          the event of an emergency this firm’s BCP called for staff to move just one-
                          tenth of a mile to another facility. By not planning for wide-scale events,
                          many organizations had not invested in backup facilities that could
                          accommodate key aspects of their operations, including several of the large
                          broker-dealers with primary operations located near the World Trade
                          Center that had to recreate their trading operations at new locations.
                          Similarly, NYSE and several of the other exchanges did not have backup
                          facilities at the time of the attacks from which they could conduct trading.

                          The attacks also illustrated that some market participants’ backup facilities
                          were too close to their primary operations. For example, although BONY
                          had several backup facilities for critical functions located several miles
                          from the attacks, the bank also backed up some critical processes at
                          facilities that were only blocks away. According to clearing organization
                          and regulatory staff, one of the IDBs with facilities located in one of the
                          destroyed towers of the World Trade Center had depended on backup
                          facilities in the other tower.

                          Additionally, firms’ BCPs did not adequately take into account all necessary
                          equipment and other resources needed to resume operations as completely
                          and rapidly as possible. For example, firms that occupied backup facilities
                          or other temporary space found that they lacked sufficient space for all
                          critical staff or did not have all the equipment needed to conduct their
                          operations. Others found that their backup sites did not have the most
                          current versions of the software and systems that they use, which caused
                          some restoration problems. Some firms had contracted with third-party
                          vendors for facilities and equipment to conduct operations during
                          emergencies, but because so many firms were disrupted by the attacks,
                          some of these facilities were overbooked, and firms had to find other
                          locations in which to resume operations.

                          Organizations also learned that their BCPs would have to better address
                          human capital issues. For example, some firms had difficulties in locating



                          Page 56                                     GAO-03-251 Potential Terrorist Attacks
Chapter 2
September 11 Attacks Severely Disrupted
U.S. Financial Markets




key staff in the confusion after the attacks. Others found that staff were not
able to reach their backup locations as quickly as their plans had
envisioned due to the closure of public transit systems, bridges, and roads.
Other firms had not planned for the effects of the trauma and grief on their
staff and had to provide access to counseling for those that were
overwhelmed by the events.

The attacks also revealed the need to improve some market participants’
business continuity capabilities for telecommunications. According to
broker-dealers and regulator staff with whom we spoke, some firms found
that after relocating their operations, they learned that their backup
locations connected to the primary sites of the organizations critical to
their operations but not to these organizations’ backup sites. Some
financial firms that did not have damaged physical facilities nonetheless
learned that their supporting telecommunications services were not as
diverse and redundant as they expected. Diversity involves establishing
different physical routes in and out of a building, and using different
equipment along those routes if a disaster or other form of interference
adversely affects one route. Redundancy involves having extra capacity
available, generally from more than one source, and also incorporates
aspects of diversity. Therefore, users that rely on telecommunications
services to support important applications try to ensure that those services
use facilities that are diverse and redundant so that no single point in the
communications path can cause all services to fail. Ensuring that carriers
actually maintain physically redundant and diverse telecommunications
services has been a longstanding concern within the financial industry. For
example, the President’s National Security Telecommunications Advisory
Committee in December 1997 reported, “despite assurances about diverse
networks from the carriers, a consistent concern among the financial
services industry was the trustworthiness of their telecommunications
diversity arrangements.”10

This concern was validated following the September 11 attacks when firms
that thought they had achieved redundancy in their communications
systems learned that their network services were still disrupted. According
to regulators and financial market participants with whom we spoke, some
firms that made arrangements with multiple service providers to obtain
redundant service discovered that the lines used by their providers were


10
 The President’s National Security Telecommunications Advisory Committee, Financial
Services Risk Assessment Report (Washington, D.C.: December 1997).




Page 57                                          GAO-03-251 Potential Terrorist Attacks
               Chapter 2
               September 11 Attacks Severely Disrupted
               U.S. Financial Markets




               not diverse because they routed through the same Verizon switching
               facility. Other firms that had mapped out their communications lines to
               ensure that their lines flowed through physically diverse paths at the time
               those services were first acquired found that their service providers had
               rerouted some of those lines over time without their knowledge,
               eliminating that assurance of diversity in the process.



Observations   The attacks demonstrated that the ability of U.S. financial markets to
               remain operational after disasters depends to a great extent on the
               preparedness of not only the exchanges and clearing organizations but also
               the major broker-dealers and banks that participate in these markets. The
               various financial markets were severely affected and the stock and options
               exchanges were closed in the days following the attacks for various
               reasons, including the need to conduct rescue operations. However, the
               markets also remained closed because of the time required for several
               major broker-dealers that normally provide the bulk of the liquidity for
               trading in the stock, options, and government securities markets to become
               operational. Although the attacks were of a nature and magnitude beyond
               that previously imagined, they revealed the need to address limitations in
               the business continuity capabilities of many organizations and to mitigate
               the concentration of critical operations in a limited geographic area. Many
               organizations will have to further assess how vulnerable their operations
               are to disruptions and determine what capabilities they will need to
               increase the likelihood of being able to resume operations after such
               events.




               Page 58                                    GAO-03-251 Potential Terrorist Attacks
Chapter 3

Financial Market Participants Have Taken
Actions to Reduce Risks of Disruption, but
Some Limitations Remain                                                                                  Chapte3
                                                                                                               r




                        Since the attacks, exchanges, clearing organizations, ECNs, and payment
                        system processors implemented various physical and information security
                        measures and business continuity capabilities to reduce the risk that their
                        operations would be disrupted by attacks, but some organizations
                        continued to have limitations in their preparedness that increases their risk
                        of disruption. With threats to the financial markets potentially increasing,
                        organizations must choose how best to use their resources to reduce risks
                        by investing in protection against physical and electronic attacks for
                        facilities, personnel, and information systems and developing capabilities
                        for continuing operations. To reduce the risk of operations disruptions, the
                        15 financial market organizations—including the 7 critical ones—we
                        reviewed in 2002 had taken many steps since the attacks to protect their
                        physical facilities or information systems from attacks and had developed
                        plans for recovering from such disruptions. However, at the time we
                        conducted our review, 9 of the 15 organizations, including 2 we considered
                        critical to the functioning of the financial markets, had not taken steps to
                        ensure that they would have the staff necessary to conduct their critical
                        operations if the staff at their primary site were incapacitated—including 8
                        organizations that also had physical vulnerabilities at their primary sites.
                        Ten of the 15 organizations, including 4 of the critical organizations, also
                        faced increased risk of being unable to operate after a wide-scale
                        disruption because they either lacked backup facilities or had backup
                        facilities near their primary sites. Finally, although many of the 15
                        organizations had attempted to reduce their risks by testing some of their
                        risk reduction measures, only 3 were testing their physical security
                        measures, only 8 had recently assessed the vulnerabilities of their key
                        information systems, and only 7 had fully tested their BCPs.



In Climate of           Faced with varying and potentially increasing threats that could disrupt
                        their operations, organizations must make choices about how to best use
Increasing Risk,        their resources to both protect their facilities and systems and develop
Organizations Often     business continuity capabilities. September 11, 2001, illustrated that such
                        attacks can have a large-scale impact on market participants. Law
Have to Choose How to   enforcement and other government officials are concerned that public and
Best Use Resources      private sectors important to the U.S. economy, including the financial
                        markets, may be increasingly targeted by hostile entities that may have
                        increasing abilities to conduct such attacks. For example, the leader of the
                        al Qaeda organization was quoted as urging that attacks be carried out
                        against the “pillars of the economy” of the United States. Press accounts of
                        captured al Qaeda documents indicated that members of this organization
                        may be increasing their awareness and knowledge of electronic security



                        Page 59                                     GAO-03-251 Potential Terrorist Attacks
Chapter 3
Financial Market Participants Have Taken
Actions to Reduce Risks of Disruption, but
Some Limitations Remain




techniques and how to compromise and damage information networks and
systems, although the extent to which they could successfully conduct
sophisticated attacks has been subject to debate. A recent report on U.S.
foreign relations also notes that some foreign countries are accelerating
their efforts to be able to attack U.S. civilian communications systems and
networks used by institutions important to the U.S. economy, including
those operated by stock exchanges.1

The physical threats that individual organizations could reasonably be
expected to face vary by type and likelihood of occurrence. For example,
events around the world demonstrate that individuals carrying explosive
devices near or inside facilities can be a common threat. More powerful
explosive attacks by vehicle are less common but still have been used to
devastating effect in recent years. Other less likely, but potentially
devastating, physical threats include attacks involving biological or
chemical agents such as the anthrax letter mailings that occurred in the
United States in 2001 and the release of a nerve agent in the Tokyo subway
in 1995.

Faced with the potential for such attacks, organizations can choose to
invest in a range of physical security protection measures to help manage
their risks. The Department of Justice has developed standards that
identify measures for protecting federal buildings from physical threats.2
To reduce the likelihood of incurring damage from individuals or
explosives, organizations can physically secure perimeters by controlling
vehicle movement around a facility, using video monitoring cameras,
increasing lighting, and installing barriers. Organizations can also prevent
unauthorized persons or dangerous devices from entering their facilities by
screening people and objects, restricting lobby access, and only allowing
employees or authorized visitors inside. Organizations could also take
steps to prevent biological or chemical agents from contaminating facilities
by opening and inspecting mail and deliveries off-site. To protect sensitive


1
 U.S.-China Security Review Commission, Report to Congress of the U.S.-China Security
Review Commission: The National Security Implications of the Economic Relationships
Between the United States and China (July 2002).
2
 See Department of Justice, Vulnerability Assessment of Federal Facilities (Washington,
D.C.: Jun. 28, 1995). This document presented security standards to be applied to all federal
facilities. Each facility is to be placed in five categories depending on its level of risk, with
Level 1 facilities having the least need for physical security and Level 5 facilities having the
highest need. Based on its risk level, a facility would be expected to implement increasingly
stringent measures in 52 security areas.




Page 60                                                GAO-03-251 Potential Terrorist Attacks
Chapter 3
Financial Market Participants Have Taken
Actions to Reduce Risks of Disruption, but
Some Limitations Remain




data, equipment, and personnel, organizations can also take steps to secure
facility interiors by using employee and visitor identification systems and
restricting access to critical equipment and utilities such as power and
telecommunications equipment.

Organizations can also reduce the risk of operations disruptions by
investing in measures to protect information systems. Information system
threats include hackers, who are individuals or groups attempting to gain
unauthorized access to networks or systems to steal, alter, or destroy
information. Another threat—known as a denial of service attack—
involves flooding a system with messages that consume its resources and
prevent authorized users from accessing it. Information systems can also
be disrupted by computer viruses that damage data directly or degrade
system performance by taking over system resources. Information security
guidance used for reviews of federal organizations recommend that
organizations develop policies and procedures that cover all major systems
and facilities and outline the duties of those responsible for security.3 To
prevent unauthorized access to networks and information systems,
organizations can identify and authenticate users by using software and
hardware techniques such as passwords, firewalls, and other filtering
devices. Organizations can also use monitoring systems to detect
unauthorized attempts to gain access to networks and information systems
and develop response capabilities for electronic attacks or breaches.

Investing in business continuity capabilities is another way that
organizations can reduce the risk that their operations will be disrupted.
According to guidance used by private organizations and financial
regulators, developing a sound BCP requires organizations to determine
which departments, business units, or functions are critical to operations.4
The organizations should then prepare a BCP that identifies capabilities
that have to be in place, resources required, and procedures to be followed
for the organization to resume operations. Such capabilities can include
backup facilities equipped with the information technology hardware and
software that the organization needs to conduct operations. Alternatively,
organizations can replace physical locations or processes, such as trading


3
 U.S. General Accounting Office, Federal Information System Controls Audit Manual,
GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).
4
 Among the sources we consulted were our own 1999 Federal Information System Controls
Audit Manual (FISCAM), the FFIEC Information Systems Handbook: Volume 1, and the
Business Continuity Institute’s 2001 Business Guide to Continuity Management.




Page 61                                          GAO-03-251 Potential Terrorist Attacks
Chapter 3
Financial Market Participants Have Taken
Actions to Reduce Risks of Disruption, but
Some Limitations Remain




floors, with electronic systems that perform the same core functions. Many
organizations active in the financial markets are critically dependent on
telecommunications services for transmitting the data or voice traffic
necessary to operate. As a result, organizations would have to identify their
critical telecommunications needs and take steps to ensure that services
needed to support critical operations will be available after a disaster.
Finally, BCP guidance such as FISCAM, which provides standards for
audits of federal information systems, also recommends that organizations
have backup staff that can implement BCP procedures. To the extent that
an organization’s ability to resume operations depends on the availability of
staff with specific expertise, the organization has to maintain staff capable
of conducting its critical functions elsewhere.

Given that most organizations have limited resources, effectively managing
the risk of operations disruptions involves making trade-offs between
investing in protection of facilities, personnel, and systems or development
of business continuity capabilities. For example, organizations must weigh
the expected costs of operations disruptions against the expected cost of
implementing security protections, developing facilities, or implementing
other business continuity capabilities to ensure that they would be able to
resume operations after a disaster. Risk management guidance directs
organizations to identify how costly various types of temporary or
extended outages or disruptions would be to parts or all of their
operations. Such costs stem not only from revenues actually lost during the
outage, but also from potential lost income because of damage to the
organization’s reputation stemming from its inability to resume operations.
In addition to estimating the potential costs of disruptions, organizations
are advised to identify potential threats that could cause such disruptions
and estimate the likelihood of these events. By quantifying the costs and
probabilities of occurrence of various disruptions, an organization can then
better evaluate the amount and how to allocate the resources that it should
expend on either implementing particular protection measures or attaining
various business continuity capabilities. For example, an organization
whose primary site is located in a highly trafficked, public area may have
limited ability to reduce all of its physical security risks. However, such an
organization could reduce the risk of its operations being disrupted by
having a backup facility manned by staff capable of supporting its critical
operations or by cross-training other staff.




Page 62                                      GAO-03-251 Potential Terrorist Attacks
                          Chapter 3
                          Financial Market Participants Have Taken
                          Actions to Reduce Risks of Disruption, but
                          Some Limitations Remain




All Financial Market      The 15 exchanges, clearing organizations, ECNs, and payment system
                          processors we reviewed in 2002 had invested in various physical and
Organizations Were        information protections and business continuity capabilities to reduce the
Taking Steps to Reduce    risk that their operations would be disrupted. Each of these 15
                          organizations had implemented physical security measures to protect
the Risks of Operations   facilities and personnel. To establish or increase perimeter security, some
Disruptions               organizations had erected physical barriers around their facilities such as
                          concrete barriers, large flowerpots, or boulders. To reduce the likelihood
                          that its operations would be disrupted by vehicle-borne explosives, one
                          organization had closed off streets adjacent to its building and had guards
                          inspect all vehicles entering the perimeter. Some organizations were also
                          using electronic surveillance to monitor their facilities, with some
                          organizations having 24-hour closed circuit monitoring by armed guards.
                          Others had guards patrolling both the interior and exterior of their facilities
                          on a 24-hour basis. In addition, all of these organizations had taken
                          measures to protect the security of their interiors. For example, the
                          organizations required employee identification, electronic proximity cards,
                          or visitor screening.

                          All 15 organizations had taken measures to reduce the risk that electronic
                          threats would disrupt their operations. The securities markets already use
                          networks and information systems that reduce their vulnerability to
                          external intrusion in several ways. First, the securities exchanges and
                          clearing organizations have established private networks that transmit
                          traffic only to and from their members’ systems, which are therefore more
                          secure than the Internet or public telephone networks. Second, traffic on
                          the exchange and clearing organization networks uses proprietary message
                          protocols or formats, which are less vulnerable to the insertion of
                          malicious messages or computer viruses. Although rendering the securities
                          market networks generally less vulnerable, these features do not
                          completely protect them and the prominence of securities market
                          participants’ role in the U.S. economy means that their networks are more
                          likely to be targeted for electronic attack than some other sectors. The 15
                          organizations we reviewed in 2002 had generally implemented the elements
                          of a sound information security program, including policies and procedures
                          and access controls. Thirteen of the 15 organizations were also using
                          intrusion detection systems, and the remaining 2 had plans to implement or
                          were considering implementing such systems. All 15 of the organizations
                          also had procedures that they would implement in the event of systems
                          breaches, although the comprehensiveness of the incident response
                          procedures varied. For example, 2 organizations’ incident response plans



                          Page 63                                      GAO-03-251 Potential Terrorist Attacks
                          Chapter 3
                          Financial Market Participants Have Taken
                          Actions to Reduce Risks of Disruption, but
                          Some Limitations Remain




                          involved shutting down any breached systems, but lacked documented
                          procedures for taking further actions such as gathering evidence on the
                          source of the breach.

                          Developing business continuity capabilities is another way to reduce the
                          risk of operations disruptions, and all 15 of the organizations we reviewed
                          in 2002 had plans for continuing operations. These plans had a variety of
                          contingency measures to facilitate the resumption of operations. For
                          example, 11 organizations had backup facilities to which their staff could
                          relocate if disruptions occurred at the primary facility. One of these
                          organizations had three fully equipped and staffed facilities that could
                          independently absorb all operations in an emergency or disruption. In
                          some cases, organizations did not have backup facilities that could
                          accommodate their operations but had taken steps to ensure that key
                          business functions could be transferred to other organizations. For
                          example, staff at one exchange that lacked a backup facility said that most
                          of the products it traded were already traded on other exchanges, so
                          trading of those products would continue if its primary site was not
                          available. In addition, this exchange has had discussions with other
                          exchanges about transferring trading of proprietary products to the other
                          exchanges in an emergency situation. These organizations all had
                          inventoried critical telecommunications and had made arrangements to
                          ensure that they would continue to have service if primary lines were
                          damaged.



Some Financial            Although all 15 organizations we reviewed had taken steps to address
                          physical and electronic threats and had BCPs to respond to disruptive
Organizations Had         events, but at the time of our review many had limitations in their
Preparedness              preparedness that increased the risk of an operations disruption. Nine of
                          the 15 organizations, including 2 critical organizations, were at greater risk
Limitations That          of experiencing an operations disruption because their BCPs did not
Increased Their Risk of   address how they would recover if a physical attack on their primary
an Operations             facility left a large percentage of their staff incapacitated. Although 5 of
                          these 9 organizations had backup facilities, they did not maintain staff
Disruption                outside of their primary facility that could conduct all their critical
                          operations. Eight of the 9 organizations also had physical security
                          vulnerabilities at their primary sites that they either had not or could not
                          mitigate. For example, these organizations were unable to control
                          vehicular traffic around their facilities and thus were more exposed to
                          damage than those that did have such controls.




                          Page 64                                      GAO-03-251 Potential Terrorist Attacks
Chapter 3
Financial Market Participants Have Taken
Actions to Reduce Risks of Disruption, but
Some Limitations Remain




Most of the organizations we reviewed also had faced increased risk that
their operations would be disrupted by a wide-scale disaster. As of August
2002, all 7 of the critical organizations we reviewed had backup facilities,
including 3 whose facilities were hundreds of miles from their primary
facilities. For example, 1 organization had two data centers located about
500 miles apart, each capable of conducting the organization’s full scope of
operations in the event that one site failed. The organization also has a
third site that can take over the processing needed for daily operations on a
next-day basis. However, the backup facilities of the other four
organizations were located 2 to 5 miles from their primary sites. If a wide-
scale disaster caused damage or made a region greater than these distances
inaccessible, these 4 organizations would be at greater risk for not being
able to resume operations promptly.

Many of the other 8 organizations also had faced increased risk that their
operations would be disrupted by wide-scale disasters. At the time we
conducted our review, 2 of the 8 organizations had backup facilities that
were hundreds of miles from their primary operations. The remaining 6
organizations faced increased risk of being disrupted by a wide-scale
disaster because 4 lacked backup facilities, while 2 organizations had
backup facilities that were located 4 to 10 miles from their primary
operations facilities.5 Of the 4 organizations that lacked a backup facility,
one had begun constructing a facility near its primary site.

Four of the organizations that lacked regionally dispersed backup facilities
told us that they had begun efforts to become capable of conducting their
operations at locations many miles from their current primary and backup
sites. For example, NYSE has announced that it is exploring the possibility
of creating a second active trading floor some miles from its current
location. In contrast to the backup trading location NYSE built in the
months following the attack, which would only be active should its current
primary facility become unusable, the exchange plans to move the trading
of some securities currently traded at its primary site to this new facility
and have both sites active each trading day. However, if the primary site
were damaged, the new site would be equipped to be capable of conducting
all trading. In December 2002, NYSE staff told us that they were still
evaluating the creation of this second active trading floor.




5
In total, 4 of the 15 organizations had backup sites 5 miles or less from their primary sites.




Page 65                                               GAO-03-251 Potential Terrorist Attacks
                            Chapter 3
                            Financial Market Participants Have Taken
                            Actions to Reduce Risks of Disruption, but
                            Some Limitations Remain




                            For the organizations that lacked backup facilities, cost was the primary
                            obstacle to establishing such capabilities. For example, staff at one
                            organization told us that creating a backup location for its operations
                            would cost about $25 million, or as much as 25 percent of the organization’s
                            total annual revenue. Officials at the 3 organizations without backup sites
                            noted that the products and services they provide to the markets are largely
                            duplicated by other organizations, so their inability to operate would have
                            minimal impact on the overall market’s ability to function.

                            Although cost can be a limiting factor, financial market organizations have
                            some options for creating backup locations that could be cost-effective. At
                            least one of the organizations we reviewed has created the capability of
                            conducting its trading operations at a site that is currently used for
                            administrative functions. By having a dual-use facility, the organization has
                            saved the cost of creating a completely separate backup facility. This
                            option also would seem well suited to broker-dealers, banks, and other
                            financial institutions because they frequently maintain customer service
                            call centers that have large numbers of staff that could potentially be
                            equipped with all or some of the systems and equipment needed for the
                            firm’s trading or clearing activities.



Some Financial Market       Organizations can also minimize operations risk by testing their physical
Organizations Not Fully     and information security measures and business continuity plans, but we
                            found the 15 exchanges, clearing organizations, ECNs, and payment system
Testing Security Measures
                            processors were not fully testing all these areas. In the case of physical
or Business Continuity      security, such assessments can include attempting to infiltrate a building or
Capabilities                other key facility such as a data processing center or assessing the integrity
                            of automated intrusion detection systems. In the case of information
                            security, such assessments can involve attempts to access internal systems
                            or data from outside the organization’s network or by using software
                            programs that identify, probe, and test systems for known vulnerabilities.
                            For both physical and information security, these assessments can be done
                            by the organization’s own staff, its internal auditors, or by outside
                            organizations, such as security or consulting firms.

                            The extent to which the 15 exchanges, clearing organizations, ECNs, and
                            payment system providers that we reviewed had tested their physical
                            security measures varied. Only 3 of the 7 critical financial organizations
                            routinely tested their physical security; the tests included efforts to gain
                            unauthorized access to facilities or smuggle fake weapons into buildings.




                            Page 66                                      GAO-03-251 Potential Terrorist Attacks
Chapter 3
Financial Market Participants Have Taken
Actions to Reduce Risks of Disruption, but
Some Limitations Remain




None of the remaining 8 organizations routinely tested the physical security
of their facilities.

To test their information security measures, all 7 of the critical
organizations had assessed network and systems vulnerabilities. We
considered an organization’s assessment current if it had occurred within
the 2 years prior to our visit, because system changes over time can create
security weaknesses, and advances in hacking tools can create new means
of penetrating systems.6 According to the assessments provided to us by
the 7 critical organizations, all had performed vulnerability assessments of
the information security controls they implemented over some of their key
trading or clearing systems within the last 2 years. However, these tests
were not usually done in these organizations’ operating environment but
instead were done on test systems or during nontrading hours. Seven of the
remaining 8 organizations we reviewed also had not generally had
vulnerability assessments of their key trading or clearing networks
performed with the 2 years prior to our review. However, in the last 2 years,
all 15 organizations had some form of vulnerability assessments performed
for their corporate or administrative systems, which they use to manage
their organization or operate their informational Web sites.

Most of the 7 organizations critical to overall market functioning were
conducting regular tests of their business continuity capabilities. Based on
our review, 5 of the 7 critical organizations had conducted tests of all
systems and procedures critical to business continuity. However, these
tests were not usually done in these organizations’ real-time environments.
Staff at one organization told us that they have not recently conducted live
trading from their backup site because of the risks, expense, and difficulty
involved. Instead, some tested their capabilities by switching over to
alternate facilities for operations simulations on nontrading days. One
organization tested all components critical to their operations separately
and over time, but it had not tested all aspects simultaneously. Of the 8
other financial market organizations we reviewed, only 2 had conducted
regular BCP tests. One organization, however, had an extensive disaster
recovery testing regimen that involved using three different scenarios:
simulating a disaster at the primary site and running its systems and
network from the backup site; simulating a disaster at the backup site and
running the systems and network from the primary site; and running its


6
 We conducted our reviews at the premises of these organizations from February to June
2002.




Page 67                                           GAO-03-251 Potential Terrorist Attacks
               Chapter 3
               Financial Market Participants Have Taken
               Actions to Reduce Risks of Disruption, but
               Some Limitations Remain




               systems and network from the consoles at the backup site with no staff in
               the control room at the primary site.

               Organizations also discovered the benefits of conducting such tests. For
               example, because of lessons learned through testing, one organization
               learned vital information about the capabilities of third-party applications,
               identified the need to configure certain in-house applications to work at the
               recovery site, installed needed peripheral equipment at the backup site,
               placed technical documentation regarding third-party application
               installation procedures at the backup site, and increased instruction on
               how to get to the backup site if normal transportation routes were
               unavailable. An official at this organization told us that with every test, they
               expected to learn something about the performance of their BCP and
               identify ways to improve it.



Observations   The exchanges, clearing organizations, ECNs, and payment system
               providers that we reviewed had all taken various steps to reduce the risk
               that their operations would be disrupted by physical or electronic attacks.
               In general, the organizations we considered more critical to the overall
               ability of the markets to function had implemented the most
               comprehensive physical and information security measures and BCPs.
               However, limitations in some organizations’ preparedness appeared to
               increase the risks that their operations could be disrupted because they
               had physical security vulnerabilities not mitigated with business continuity
               capabilities. The extent to which these organizations had also reduced the
               risk posed by a wide-scale disruption also varied. Because the importance
               of these organizations’ operations to the overall markets varies, regulators
               are faced with the challenge of determining the extent to which these
               organizations should take additional actions to address these limitations to
               reduce risks to the overall markets.




               Page 68                                       GAO-03-251 Potential Terrorist Attacks
Chapter 4

Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen Their
Operations Risk Oversight                                                                       Chapte4
                                                                                                      r




               Although banking and securities regulators have begun to take steps to
               prevent future disasters from causing widespread payment defaults, they
               have not taken important actions that would better ensure that trading in
               critical U.S. financial markets could resume smoothly and in a timely
               manner after a major disaster. The three regulators for major market
               participants, the Federal Reserve, OCC, and SEC are working jointly with
               market participants to develop recovery goals and sound business
               continuity practices that will apply to a limited number of financial market
               organizations to ensure that these entities can clear and settle transactions
               and meet their financial obligations after future disasters. However, the
               regulators’ recovery goals and sound practices do not extend to
               organizations’ trading activities or to the stock exchanges. The regulators
               also had not developed complete strategies that identify where trading
               could be resumed or which organizations would have to be ready to
               conduct trading if a major exchange or multiple broker-dealers were
               unlikely to be operational for an extended period. Individually, these three
               regulators have overseen operations risks in the past. SEC has a program—
               the Automation Review Policy (ARP)—for reviewing exchanges and
               clearing organizations efforts to reduce operations risks, but this program
               faces several limitations. Compliance with the program is voluntary, and
               some organizations have not always implemented important ARP
               recommendations. In addition, market participants raised concerns over
               the inexperience and insufficient technical expertise of SEC staff, and the
               resources committed to the program limit the frequency of examinations.
               Lacking specific requirements in the securities laws, SEC has not generally
               examined operations risk measures in place at broker-dealers. The Federal
               Reserve and OCC are tasked with overseeing the safety and soundness of
               banks’ operations and had issued and were updating guidance that covered
               information system security and business continuity planning. They also
               reported annually examining information security and business continuity
               at the entities they oversee, but these reviews did not generally assess
               banks’ measures against physical attacks.




               Page 69                                     GAO-03-251 Potential Terrorist Attacks
                         Chapter 4
                         Financial Market Regulators Lack Recovery
                         Goals for Trading and Could Strengthen
                         Their Operations Risk Oversight




Regulators Are           Treasury and the financial regulators have various initiatives under way to
                         improve the financial markets’ ability to respond to future crises (we
Developing Recovery      discuss these in app. II) and assess how well the critical assets of the
Goals and Sound          financial sector are being protected.1 As part of these initiatives, certain
                         financial market regulators have begun to identify business continuity
Business Continuity      goals for the clearing and settling organizations for government and
Practices for Clearing   corporate securities.2 On August 30, 2002, the Federal Reserve, OCC, SEC,
Functions but Not for    and the New York State Banking Department issued the Draft Interagency
                         White Paper on Sound Practices to Strengthen the Resilience of the U.S.
Trading Activities       Financial System.3 The paper presents sound practices to better ensure
                         that clearance and settlement organizations will be able to resume
                         operations promptly after a wide-scale, regional disruption.4 The paper
                         proposes these organizations adopt certain practices such as

                         • identifying the activities they perform that support these critical
                           markets;

                         • developing plans to recover these activities on the same business day;
                           and


                         1
                          As part of national efforts to address critical infrastructure protection, an interagency
                         group of financial regulators was formed in October 2001. This group—the Financial and
                         Banking Information Infrastructure Committee—includes SEC, the five depository
                         institution regulators, and the regulators for futures, insurance, and government-sponsored
                         enterprises. The group began efforts to identify critical assets in the financial sector,
                         improve communication among regulators, and ensure that financial market organizations
                         receive appropriate priority in telecommunications restoration. We discuss these efforts in
                         more detail in appendix II of this report. A more complete description of the United States’
                         efforts to ensure that its critical infrastructure is protected and how the financial sector has
                         been included is contained in our report Critical Infrastructure Protection: Efforts of
                         Financial Services Sector to Address Cyber Threats, GAO-03-173 (Washington, D.C.: Jan.
                         30, 2003).
                         2
                          These markets include those for federal funds, foreign currencies, commercial paper,
                         government securities, stocks, and mortgage-backed securities.
                         3
                          Board of Governors of the Federal Reserve, OCC, and SEC, Draft Interagency White Paper
                         on Sound Practices to Strengthen the Resilience of the U.S. Financial System (Washington,
                         D.C.: Aug. 30, 2002). The New York State Banking Department also contributed to this paper
                         and issued it separately.
                         4
                          A wide-scale, regional disruption is one that causes a severe disruption of transportation,
                         telecommunications, power, or other critical infrastructure components across a
                         metropolitan or other geographic area and its adjacent communities that are economically
                         integrated with it.




                         Page 70                                                GAO-03-251 Potential Terrorist Attacks
Chapter 4
Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen
Their Operations Risk Oversight




• having out-of-region resources sufficient to recover these operations
  that are not dependent on the same labor pool or transportation,
  telecommunications, water, and power.

The regulators plan to apply the sound practices to a limited number of
financial market organizations whose inability to perform certain critical
functions could result in a systemic crisis that threatens the stability of the
financial markets. If these organizations were unable to sufficiently recover
and meet their financial obligations, other market participants could
similarly default on their obligations and create liquidity or credit
problems. According to the white paper, the sound practices apply to “core
clearing and settlement organizations,” which include market utilities that
clear and settle transactions on behalf of market participants and the two
clearing banks in the government securities market.5 In addition, the
regulators expect firms that play significant roles in these critical financial
markets also to comply with sound practices that are somewhat less
rigorous. The white paper indicates that probably 15 to 20 banks and 5 to 10
broker-dealers have volume or value of activity in these markets sufficient
to present a systemic risk if they were unable to recover their clearing
functions and settle all their transactions by the end of the business day.

The regulators also sought comment on the appropriate scope and
application of the white paper, including whether they should address the
duration of disruption that should be planned for, the geographic
concentration of backup sites, and the minimum distance between primary
and backup facilities. After considering the comments they receive, the
regulators intend to issue a final version in 2003 of the white paper that will
present the practices to be adopted by clearance and settlement
organizations for these markets.

Based on our analysis of the comment letters that have been sent to the
regulators as of December 2002, market participants and other
commenters have raised concerns over the feasibility and cost of the
practices advocated by the white paper. The organizations that have
commented on the paper include banks, broker-dealers, industry


5
 In addition to the effort to develop sound practices for the organizations involved in
clearing, the Federal Reserve and SEC issued a paper that discusses and seeks comment on
several potential alternatives for conducting clearing services in these markets. See Board
of Governors of the Federal Reserve and SEC, Interagency White Paper on Structural
Change in the Settlement of Government Securities: Issues and Options (Washington,
D.C.: Aug. 30, 2002).




Page 71                                             GAO-03-251 Potential Terrorist Attacks
Chapter 4
Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen
Their Operations Risk Oversight




associations, information technology companies and consultants, and
many of these organizations complimented the regulators for focusing
attention on a critical area. However, many commenters have urged the
regulators to ensure that any practices issued balance the cost of
implementing improved business continuity capabilities against the
likelihood of various types of disruptions occurring. For example, a joint
letter from seven broker-dealers and banks stated that requiring
organizations to make costly changes to meet remote possibilities is not
practical. Other commenters urged regulators not to mandate minimum
distances between primary sites and backup locations for several reasons.
For example, some commenters noted that beyond certain distances, firms
cannot simultaneously process data at both locations, which the regulators
acknowledged could be between 60 to 100 kilometers. Rather than specify
a minimum distance, others stated that the practices should provide
criteria that firms should consider in determining where to locate their
backup facilities. One broker-dealer commented that it had chosen the
locations of its two operating sites to minimize the likelihood that both
would be affected by the same disaster or disruption. It noted that its two
sites were served by separate water treatment plants and power grids and
different telecommunication facilities support each. A third commonly
cited concern was that the regulators should implement the practices as
guidelines, rather than rules. For example, one industry association stated,
“Regulators should not impose prescriptive requirements, unless
absolutely necessary, in order to enhance the firms’ ability to remain
competitive in the global market.”

Ensuring that organizations recover their clearing functions would help
ensure that settlement failures do not create a broader financial crisis, but
regulators have not begun a similar effort to develop recovery goals and
business continuity practices to ensure that trading activities can resume
promptly in various financial markets. Trading activities are important to
the U.S. economy because they facilitate many important economic
functions, including providing means to productively invest savings and
allowing businesses to fund operations. The securities markets also allow
companies to raise capital for new ventures. Ensuring that trading
activities resume in a smooth and timely manner would appear to be a
regulatory goal for SEC, which is specifically charged with maintaining fair
and orderly markets. However, Treasury and SEC staff told us that the
white paper practices would be applied to clearing functions because such
activities are concentrated in single entities for some markets or in very
few organizations for others, and thus pose a greater potential for
disruption. In contrast, they did not include trading activities or



Page 72                                     GAO-03-251 Potential Terrorist Attacks
Chapter 4
Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen
Their Operations Risk Oversight




organizations that conduct only trading functions, such as the securities
exchanges, because these activities are performed by many organizations
that could substitute for each other. For example, SEC staff said that if one
of the exchanges was unable to operate, other exchanges or the ECNs
could trade their products. Similarly, they said that individual broker-
dealers are not critical to the markets because others firms can perform
their roles.

 Although regulators have begun to determine which organizations are
critical for accomplishing clearing functions, identifying the organizations
that would have to be ready for trading in U.S. financial markets to resume
within a given period of time is also important. If key market participants
are not identified and do not adopt sound business continuity practices, the
markets may not have sufficient liquidity for fair and orderly trading. For
example, in the past when NYSE experienced operations disruptions, the
regional exchanges usually have also chosen to suspend trading until NYSE
could resume. SEC staff have also previously told us that the regional
exchanges may not have sufficient processing capacity to process the full
volume usually traded on NYSE. If the primary exchanges are not
operational, trading could be transferred to the ECNs, but regulators have
not assessed whether such organizations have sufficient capacity to
conduct such trading or whether other operational issues would hinder
such trading.

SEC has begun efforts to develop a strategy for resuming stock trading for
some exchanges, but the plan is not yet complete and does not address all
exchanges and all securities. To provide some assurance that stock trading
could resume if either NYSE or NASDAQ was unable to operate after a
disaster, SEC has asked these exchanges to take steps to ensure their
information systems can conduct transactions in the securities that the
other organization normally trades. SEC staff told us each organization will
have to ensure that its systems can properly process the varying number of
characters in the symbols that each uses to represent securities. However,
as of December 2002, SEC had not identified the specific capabilities that
the exchanges should implement. For example, NASDAQ staff said that
various alternatives are being proposed for conducting this trading and
each would involve varying amounts of system changes or processing
capacity considerations. In addition, although each exchange trades
thousands of securities, NYSE staff told us that they are proposing to
accommodate only the top 250 securities, and the remainder of NASDAQ’s
securities, which have smaller trading volumes, would have to be traded by
the ECNs or other markets. NASDAQ staff said they planned to trade all



Page 73                                     GAO-03-251 Potential Terrorist Attacks
                          Chapter 4
                          Financial Market Regulators Lack Recovery
                          Goals for Trading and Could Strengthen
                          Their Operations Risk Oversight




                          NYSE securities if necessary. NYSE staff also said that their members have
                          been asked to ensure that the systems used to route orders to NYSE be
                          ready to accept NASDAQ securities by June 2003. Furthermore, although
                          some testing is under way, neither exchange has completely tested its
                          ability to trade the other’s securities. Strategies for other exchanges and
                          products also have not been developed.

                          As noted in chapter 2 of this report, trading was not resumed in U.S. stock
                          and options markets after the attacks until several key broker-dealers were
                          able to sufficiently recover their operations. Resuming operations after
                          disruptions can be challenging because large broker-dealers’ trading
                          operations can require thousands of staff and telecommunications lines. In
                          some cases, organizations that may not appear critical to the markets in
                          ordinary circumstances could become so if a disaster affects other
                          participants more severely. For example, in the days following the attacks,
                          one of the IDBs that previously had not been one of the most active firms
                          was one of the few firms able to resume trading promptly.



Program, Staff, and       Lacking specific requirements under the securities laws, SEC uses a
                          voluntary program to oversee exchange, clearing organization, and ECN
Resource Issues           information systems operations. U.S. securities laws, rules, and regulations
Hamper SEC Oversight      primarily seek to ensure that investors are protected. For example,
                          securities laws require that companies issuing securities disclose material
of Market Participants’   financial information, and SRO rules require broker-dealers to determine
Operations Risks          the suitability of products before recommending them to their customers.
                          The regulations did not generally contain specific requirements applicable
                          to physical or information system security measures or business continuity
                          capabilities. However, as part of its charge to ensure fair and orderly
                          markets and to address information system and operational problems
                          experienced by some markets during the 1980s, SEC created a voluntary
                          program—ARP—that covered information technology issues at the
                          exchanges, clearing organizations and, eventually, ECNs.6 SEC’s 1989 ARP
                          statement called for the exchanges and clearing organizations to establish


                          6
                           Initially applied only to exchanges and clearing organizations, SEC extended these ARP
                          guidance expectations under a rule issued in 1998 to any ECN that accounted for more than
                          20 percent of the trading volume of a particular security; as of September 2002, SEC staff
                          reported that 10 ECNs were subject to all the ARP expectations. Other ECNs must comply
                          with a varying number of the ARP expectations, such as submitting systems change
                          notifications to SEC, depending on their trading volume.




                          Page 74                                            GAO-03-251 Potential Terrorist Attacks
                            Chapter 4
                            Financial Market Regulators Lack Recovery
                            Goals for Trading and Could Strengthen
                            Their Operations Risk Oversight




                            comprehensive planning and assessment programs to test system
                            capacities, develop contingency protocols and backup facilities,
                            periodically assess the vulnerability of their information systems to
                            external or internal threats, and report the results to SEC. SEC issued an
                            additional ARP statement in 1991 that called for exchanges and clearing
                            organizations to obtain independent reviews—done by external
                            organizations or internal auditors—of their general controls in several
                            information system areas.



SEC ARP Reviews Address     SEC’s ARP staff conducted examinations of exchanges, clearing
Some Operations Risks but   organizations, and ECNs that addressed their information security and
                            business continuity. The examinations are based on ARP policy statements
Some Key
                            that cover information system security, business continuity planning, and
Recommendations Not         physical security at data and information systems centers, but do not
Addressed                   address how organizations should protect their entire operations from
                            physical attacks. SEC’s ARP program staff explained that they analyze the
                            risks faced by each organization to determine which are the most
                            important to review. As a result, the staff is not expected to review every
                            issue specific to the information systems or operations of each exchange,
                            clearing organization, and ECN during each examination. We found that
                            SEC ARP staff were reviewing important operations risks at the
                            organizations they examined. Based on our review of the 10 most recent
                            ARP examinations completed between January 2001 and July 2002, 9
                            covered information system security policies and procedures, and 7
                            examinations covered business continuity planning.7 Only one
                            examination—done after the September 11, 2001, attacks—included
                            descriptions of the overall physical security improvements. SEC ARP staff
                            told us that telecommunications resiliency was a part of normal
                            examinations, but none of the examination reports we reviewed
                            specifically discussed these organizations’ business continuity measures
                            for ensuring that their telecommunications services would be available
                            after disasters. However, ARP staff said that all of these operations risk
                            issues would be addressed as part of future reviews.

                            Although SEC’s voluntary ARP program provides some assurance that
                            securities markets are being operated soundly, some of the organizations
                            subject to ARP have not taken action on some important

                            7
                             The 10 examinations covered 9 organizations reviewed once and an organization reviewed
                            twice during this period.




                            Page 75                                           GAO-03-251 Potential Terrorist Attacks
Chapter 4
Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen
Their Operations Risk Oversight




recommendations. Since its inception, ARP program staff
recommendations have prompted numerous improvements in the
operations of exchanges, clearing organizations, and ECNs. ARP staff also
reviewed exchange and clearing organization readiness for the Year 2000
date change and decimal trading, and market participants implemented
both industrywide initiatives successfully. However, because the ARP
program was not implemented under SEC’s rulemaking authority,
compliance with the ARP guidance is voluntary. Although SEC staff said
that they were satisfied with the cooperation they received from the
organizations covered by the ARP program, in some cases, organizations
did not take actions to correct significant weaknesses ARP staff identified.8
For example, as we reported in 2001, three organizations had not
established backup facilities, which SEC ARP staff had raised as significant
weaknesses. Our report noted, “Securities trading in the United States
could be severely limited if a terrorist attack or a natural disaster damaged
one of these exchange’s trading floor.” In addition, for years, SEC’s ARP
staff raised concerns and made recommendations relating to inadequacies
in NASDAQ’s capacity planning efforts, and NASDAQ’s weaknesses in this
area delayed the entire industry’s transition to decimal pricing for several
months.9 NASDAQ staff told us they have implemented systems with
sufficient capacity, and SEC staff said they are continuing to monitor the
performance of these systems. We also reported that exchanges and
clearing organizations sometimes failed to submit notifications to SEC
regarding systems changes and outages as expected under the ARP policy
statement, and we again saw this issue being cited in 2 of 10 recent ARP
examination reports we reviewed.

ARP staff continue to find significant operational weaknesses at the
organizations they oversee. In the 10 examinations we reviewed, SEC staff
found weaknesses at all 9 organizations and made 74 recommendations for
improvement. We compared these weaknesses to the operational elements
we used in our analysis of financial market organizations (as discussed in
ch. 3 of this report).10 Our analysis showed that the ARP staff made at least
22 recommendations to address significant weaknesses in the 9
organizations’ physical or information system security or business


8
 U.S. General Accounting Office, Information Systems: Opportunities Exist to Strengthen
SEC’s Oversight of Capacity and Security, GAO-01-863 (Washington, D.C.: Jul. 25, 2001).
9
 See U.S. General Accounting Office, Securities Pricing: Trading Volumes and NASD
System Limitations Led to Decimal-Trading Delay, GGD/AIMD-00-319 (Washington, D.C.:
Sept. 20, 2000).




Page 76                                           GAO-03-251 Potential Terrorist Attacks
Chapter 4
Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen
Their Operations Risk Oversight




continuity planning efforts—including 10 recommendations to address
significant weaknesses at organizations critical to the functioning of the
markets. For example, in an examination conducted in 2000, ARP staff
found that personnel at one exchange did not have consistent information
system security practices across the organization and lacked a centrally
administered, consolidated information system security policy.11 In
addition, although SEC recommends that organizations subject to ARP
have vulnerability assessments performed on their information systems,
ARP staff found that this exchange had not assessed its information
systems. In three other reviews, the ARP staff found that the organizations
had not complied with ARP policy expectations to fully test their
contingency plans. ARP staff noted other significant weaknesses, including
inadequate BCPs or backup facilities. ARP staff said that they considered
all the recommendations they make to be significant, including the 74
recommendations made in these 10 reports. These recommendations will
remain open until the next time the ARP staff review the organization and
can assess whether they have been acted upon.

Because the ARP program was established through a policy statement and
compliance is voluntary, SEC lacks specific rules that it can use to gain
improved responsiveness to recommendations to the exchanges and
clearing organizations subject to APP. SEC staff explained that they chose
not to use a rule to implement ARP because rules can become obsolete and
having voluntary guidance provides them with flexibility. SEC staff also
told us that an organization’s failure to follow ARP expectations could
represent a violation of the general requirement that exchanges maintain
the ability to operate, and therefore they could take action under that
authority. However, they noted that the use of such authority is rare.
However, SEC has issued a rule requiring the most active ECNs to comply
with all the ARP program’s standards. In 1998, SEC issued a regulation that
subjected alternative trading systems such as ECNs to increased regulatory
scrutiny because of their increasing importance to U.S. securities markets.
Included in this regulation was a rule that required ECNs whose trading
volumes exceeded certain thresholds to comply with the same practices as



10
   For our analysis, we classified the weaknesses that SEC identified as significant when the
organization had not implemented adequate procedures or capabilities in the key elements
we used to evaluate the 15 organizations included in this report, as discussed in chapter 3.
11
 This exchange was not among the organizations we considered critical to the functioning
of the markets in our analysis.




Page 77                                              GAO-03-251 Potential Terrorist Attacks
                                 Chapter 4
                                 Financial Market Regulators Lack Recovery
                                 Goals for Trading and Could Strengthen
                                 Their Operations Risk Oversight




                                 those contained in the ARP policy statements.12 In its explanation of the
                                 regulation, SEC noted that its ARP guidelines are intended to ensure that
                                 short-term cost cutting by registered exchanges does not jeopardize the
                                 operation of the securities markets, and therefore it was extending these
                                 requirements to the ECNs because of their potential to disrupt the
                                 securities markets.

                                 We previously recommended that SEC develop formal criteria for assessing
                                 exchange and clearing organization cooperation with the ARP program and
                                 perform an assessment to determine whether the voluntary status of the
                                 ARP program is appropriate.13 Although they were generally satisfied with
                                 the level of cooperation, SEC staff told us that they were reviewing the
                                 extent to which exchanges and clearing organizations complied with the
                                 ARP program and planned to submit the analysis to SEC commissioners in
                                 2003. In addition to possibly changing the status of the program for the 22
                                 exchanges and clearing organizations subject to ARP, SEC staff also told us
                                 that they were considering the need to extend the ARP program to those
                                 broker-dealers for whom it would be appropriate to adopt the sound
                                 business continuity practices that will result from the joint regulatory white
                                 paper.

SEC ARP Program Faces            Limited resources and challenges in retaining experienced ARP staff have
Resource and Staff Limitations   affected SEC’s ability to oversee an increasing number of organizations and
                                 more technically complex market operations. Along with industrywide
                                 initiatives discussed earlier, ARP staff workload has expanded to cover 32
                                 organizations with more complex technology and communications
                                 networks. However, SEC has problems retaining qualified staff, and market
                                 participants have raised concerns about the experience and expertise of
                                 ARP staff. As SEC has experienced considerable staff losses overall, the
                                 ARP program also has had high turnover. As of October 2002, ARP had 10
                                 staff, but SEC staff told us that staff levels had fluctuated and had been as
                                 low as 4 in some years.14 As a result, some ARP program staff had limited
                                 experience, with 4 of the 10 current staff having less than 3.5 years’
                                 experience, including 3 with less than 2 years’ experience. During our work
                                 on SEC resource issues in 2001, market participants and former SEC staff

                                 12
                                  SEC, Regulation of Exchanges and Alternative Trading Systems: Final Rules, Release
                                 No. 34-40760 (Dec. 8 1998).
                                 13
                                      GAO-01-863.
                                 14
                                      GAO-01-863.




                                 Page 78                                          GAO-03-251 Potential Terrorist Attacks
Chapter 4
Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen
Their Operations Risk Oversight




raised concerns that the level of resources and staff expertise SEC has
committed to review technology issues is inadequate to address
complexmarket participant operations.15 For example, officials from
several market participants we interviewed in 2001 told us that high
turnover resulted in inexperienced SEC staff, who lacked in-depth
knowledge, doing reviews of their organizations. SEC staff told us that they
continue to emphasize training for their staff to ensure that they have the
proper expertise to conduct effective reviews.

Resource limitations also affect the frequency of ARP reviews. With current
staffing levels, SEC staff said that they are able to conduct examinations of
only about 7 of the 32 organizations they oversee as part of the ARP
program each year.16 Although standards for federal organizations’
information systems require security reviews to be performed at least once
every 3 years, these standards recommend that reviews of high-risk
systems or those undergoing significant systems modifications be done
more frequently.17 Although our analysis of SEC ARP examination data
found that SEC had conducted recent reviews of almost all the
organizations we considered critical to the financial markets, long periods
of time often elapsed between ARP examinations of these organizations.18
Between September 1999 and September 2002, SEC examined 6 of the 7
critical organizations under its purview.19 However, as shown in figure 12,



15
   U.S. General Accounting Office, SEC Operations: Increased Workload Creates Challenges,
GAO-02-302 (Washington, D.C.: Mar. 5, 2002).
16
 In addition to examinations, the SEC ARP staff also monitor the organizations subject to
ARP by conducting a risk analysis of each organization each year, reviewing internal and
external audits performed of these organizations’ systems, and receiving notices of systems
changes and systems outages from these organizations.
17
 Office of Management and Budget, Appendix III to OMB Circular A-130: Security of
Federal Automated Information Resources.
18
 Of the 7 organizations that we considered critical to the overall functioning of the markets
for purposes of chapter 3, 5 are subject to the ARP program. Because of the way they are
organized, these 5 organizations actually are 7 distinct entities that the SEC ARP staff
reviews separately. SEC staff agreed that these organizations were important to the
markets.
19
  SEC ARP staff told us that they had not reviewed one organization since 1994 because its
operations, although critical to the markets, had not presented issues that warranted a high-
risk desigation. However, they said they planned to conduct a review of this organization
within the next 6 months.




Page 79                                              GAO-03-251 Potential Terrorist Attacks
                                         Chapter 4
                                         Financial Market Regulators Lack Recovery
                                         Goals for Trading and Could Strengthen
                                         Their Operations Risk Oversight




                                          the intervals between the most recent examinations exceeded 3 years for 5
                                         of the 7 critical organizations, including an organization that was not
                                         reviewed during this period.



Figure 12: Intervals between Most Recent SEC ARP Examinations of Critical Exchanges and Clearing Organizations




                                         Our analysis of ARP report data showed that the intervals between reviews
                                         of critical organizations averaged 39 months, with the shortest interval
                                         being 12 months and the longest 72 months. Since September 1999, the SEC
                                         ARP staff had reviewed 7 of the 8 less critical exchanges, clearing
                                         organizations, and ECNs that we visited during this review. However, SEC
                                         staff told us that the ARP program also may be tasked with reviewing the



                                         Page 80                                      GAO-03-251 Potential Terrorist Attacks
                                 Chapter 4
                                 Financial Market Regulators Lack Recovery
                                 Goals for Trading and Could Strengthen
                                 Their Operations Risk Oversight




                                 extent to which broker-dealers important to clearing and trading in U.S.
                                 securities markets are adhering to sound business continuity practices.
                                 Such an expansion in the ARP program staff’s workload would likely
                                 further reduce the ability of the SEC staff to frequently review all the
                                 important organizations under its authority.

Increased Appropriations Could   The potential increase in SEC’s appropriations could provide the agency an
Provide SEC an Opportunity to    opportunity to increase the level and quality of the resources it has
Improve ARP Program              committed to the ARP program. The Sarbanes-Oxley Act of 2002, which
Resources                        mandated various accounting reforms, also authorized increased
                                 appropriations for SEC for fiscal year 2003.20 Specifically, the act
                                 authorized $776 million in 2003, an increase of about 51 percent over the
                                 nearly $514 million SEC received for fiscal year 2002.21 The act directs SEC
                                 to devote $103 million of the newly authorized amount to personnel and
                                 $108 million to information technology. If appropriated, these additional
                                 funds could allow SEC to increase resources devoted to the ARP program.
                                 Increased staffing levels also could allow SEC to conduct more frequent
                                 examinations and better ensure that significant weaknesses are identified
                                 and addressed in a timely manner. The additional resources could also be
                                 used to increase the technical expertise of its staff, further enhancing SEC’s
                                 ability to review complex information technology issues.



SEC and SROs Generally           SEC and the securities market SROs generally have not examined broker-
Did Not Review Physical          dealers’ physical and information system security and business continuity
                                 efforts, but planned to increase their focus on these issues in the future.
and Information System           SEC’s Office of Compliance Inspections and Examinations (OCIE)
Security and Business            examines broker-dealers, mutual funds, and other securities market
Continuity at Broker-            participants.22 However, for the most part, OCIE examinations focus on
Dealers                          broker-dealers’ compliance with the securities laws and not on physical
                                 and electronic security and business continuity, which these laws do not
                                 generally address. After some broker-dealers that specialized in on-line
                                 trading experienced systems outages, OCIE staff told us that they began
                                 addressing information system capacity, security, and contingency

                                 20
                                      Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002).
                                 21
                                  This $514 million includes an original appropriation of $438 million, a $21 million
                                 supplemental appropriation for September 11-related disaster recovery, $25 million to
                                 implement pay parity, and over $30 million in additional supplemental appropriations.
                                 22
                                      SEC also oversees investment advisers and transfer agents.




                                 Page 81                                                 GAO-03-251 Potential Terrorist Attacks
Chapter 4
Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen
Their Operations Risk Oversight




capabilities at these firms. SEC predicated its reviews of these issues on
the fact that these firms, as a condition of conducting a securities business,
would need to have sufficient operational capacity to enter, execute, and
settle orders, and deliver funds and securities promptly and accurately. In
addition, the Gramm-Leach-Bliley Act (GLBA) required SEC to establish
standards for the entities it oversees to safeguard the privacy and integrity
of customer information and prevent unauthorized disclosure.23 As a result,
in some reviews done since July 2001, OCIE staff discussed the controls
and policies that firms have implemented to protect customer information
from unauthorized access. However, SEC OCIE staff acknowledged that
their expertise in these areas is limited. OCIE staff told us that few of the
approximately 600 examiners they employ had information technology
backgrounds. During the work we conducted for our report on SEC’s
staffing and workload, staff at several broker-dealers told us that the SEC
staff that review their firms lacked adequate technology expertise.24

SROs also generally have not addressed these issues at broker-dealers.
Under U.S. securities laws, exchanges acting as SROs have direct
responsibility for overseeing their broker-dealer members. NYSE and
NASD together oversee the majority of broker-dealers in the United
States.25 According to officials at these two SROs, staff as often as annually
conduct examinations to review adherence with capital requirements and
other securities regulations. However, staff at both organizations
acknowledged that, in the past, their oversight generally did not focus on
how members conducted their operations from physical or information
systems security or business continuity perspectives. Representatives of
the SROs told us they plan to include aspects of these issues in future
reviews. For example, they plan to examine their members’ information
system security to ensure compliance with GLBA customer information
protection provisions.

NYSE and NASD plan to focus on business continuity issues in future
reviews because, in August 2002, both submitted similar rules for SEC



23
     15 U.S.C. §§ 6801, 6805.
24
     GAO-02-302.
25
 The other stock and options exchanges and clearing organizations also have self-
regulatory responsibilities over their members, but generally are only directly responsible
for examining those members not already overseen by another SRO.




Page 82                                              GAO-03-251 Potential Terrorist Attacks
                       Chapter 4
                       Financial Market Regulators Lack Recovery
                       Goals for Trading and Could Strengthen
                       Their Operations Risk Oversight




                       approval that will require all of their members to establish BCPs. The areas
                       the plans are to address include the following:

                       • backup for books and records,

                       • procedures for resuming operations of critical systems,

                       • alternate means for communicating with the members’ staff and their
                         customers, and

                       • regulatory reporting and communications with regulators.

                       NYSE and NASD officials told us that once these rules were adopted, their
                       staff would include these matters in the scope of their examinations after
                       allowing sufficient time for firms to develop the required BCPs.



Bank Regulators Have   As part of their mandate to oversee banks’ safety and soundness, the
                       banking regulators, including the Federal Reserve and OCC, issued
Authority to Oversee   guidance that directs depository institutions or banks to address potential
Operational Risk       operations risks with physical and information system security and
                       business continuity measures. The guidance includes recommended steps
                       that banks should take to reduce the risk of operations disruptions from
                       physical or electronic attacks and for recovering from such events with
                       business continuity capabilities. For example, in 1996 these regulators
                       jointly issued a handbook on information systems, which calls for banks to
                       conduct an analysis of their risks and implement measures to reduce
                       them.26 Banks were also to have access controls for their systems and
                       programs. Regarding physical security, the banking regulators expect
                       banks to ensure the safety of assets and to physically protect data centers
                       used for information systems processing. For example, the Federal
                       Reserve’s guidance directs banks to take security steps to protect cash and
                       vaults and ensure that bank facilities are protected from theft. The banking
                       regulators’ joint 1996 handbook discussed measures to secure data centers
                       and information system assets. However, the bank regulators’ guidance did
                       not specifically address measures to protect facilities from terrorist or
                       other physical attacks. Regarding business continuity, the joint handbook
                       expects banks to have plans addressing all critical services and operations

                       26
                        Federal Financial Institutions Examination Council, Information Systems Examination
                       Handbook, Vol. 1 (Washington, D.C.: 1996).




                       Page 83                                         GAO-03-251 Potential Terrorist Attacks
                             Chapter 4
                             Financial Market Regulators Lack Recovery
                             Goals for Trading and Could Strengthen
                             Their Operations Risk Oversight




                             necessary to minimize disruptions in service and financial losses and
                             ensure timely resumption of operations in a disaster. Banks also were to
                             identify the critical components of their telecommunications networks and
                             assess whether they were subject to single points of failure that could
                             occur, for example, by having all lines routed to a single central switching
                             office, and to identify alternate routes and implement redundancy.

                             The Federal Reserve and OCC, in conjunction with the other depository
                             regulators, are also developing expanded guidance on physical and
                             electronic security and business continuity planning. They are planning to
                             issue separate handbooks on information system security and business
                             continuity in early 2003. Bank regulatory staff provided us with a draft of
                             the information system security guidance, which expects banks to have
                             programs that include security policies, access controls, and intrusion
                             monitoring; vulnerability assessments; and incident response capabilities.
                             The draft guidance also covers physical security from an overall facility
                             perspective and suggests that banks use appropriate controls to restrict or
                             prevent unauthorized access and prevent damage from environmental
                             contaminants. Banks will also be instructed to assess their exposure risks
                             for fire and water damage, explosives, or other threats arising from
                             location, building configuration, or neighboring entities. According to bank
                             regulatory staff, they are also currently drafting a separate guidance
                             handbook addressing business continuity issues.



Bank Regulators Reported     Bank regulators reported regularly examining how banks are addressing
Reviewing Operations Risks   physical and information system security and business continuity issues.
                             The Federal Reserve and OCC oversee over 3,100 institutions combined,
but Not Banks’ Measures
                             including the largest U.S. banks, and are required to examine most
Against Physical Attacks     institutions annually. At the end of fiscal year 2002, the Federal Reserve
                             had over 1,200 examiners and OCC over 1,700. As part of these staff, the
                             agencies each had between 70 and 110 examiners that specialized in
                             reviewing information systems issues. Using a risk-based approach, these
                             regulators’ examiners tailor their examinations to the institution’s unique
                             risk profile. As a result, some areas would receive attention every year, but
                             others would be examined only periodically. Staff at the Federal Reserve
                             and OCC told us that their examiners consider how their institutions are
                             managing operations risks and review these when appropriate. For
                             example, Federal Reserve staff told us that under their risk-based
                             examination approach, information security is considered as part of each
                             examination, particularly since regulations implementing section 501(b) of
                             GLBA require that the regulators assess how financial institutions protect



                             Page 84                                     GAO-03-251 Potential Terrorist Attacks
              Chapter 4
              Financial Market Regulators Lack Recovery
              Goals for Trading and Could Strengthen
              Their Operations Risk Oversight




              customer information. They said that the extent to which information
              security is reviewed at each institution can vary, with less detailed reviews
              generally done at institutions not heavily reliant on information technology.
              They also said that business recovery issues were addressed in most
              examinations. Both Federal Reserve and OCC staff told us that physical
              security was considered as part of information security in reviewing
              protections at data centers. Both regulators also expect banks’ internal
              auditors to review physical security for vault and facilities protection.
              However, the focus of these reviews has not generally been on the extent to
              which banks are protected from terrorist or other physical attacks. In light
              of the September 2001 attacks, these regulators stated that their scrutiny of
              physical and information system security and business continuity policies
              and procedures would be reviewed even more extensively in future
              examinations. Because we did not review bank examinations as part of our
              review, we were unable to independently determine how often and how
              extensively these two bank regulatory agencies reviewed information
              security and business continuity at the entities they oversee.



Conclusions   Financial market regulators have begun to develop goals and a strategy for
              resuming operations along with sound business continuity practices for a
              limited number of organizations that conduct clearing functions. The
              business continuity practices that result from this effort will likely address
              several important areas, including geographic separation between primary
              and backup locations and the need to ensure that organizations have
              provisions for separate staff and telecommunications services needed to
              conduct critical operations at backup locations. If successfully
              implemented, these sound practices should better ensure that clearing in
              critical U.S. financial markets could resume and settlement would be
              completed after a disaster, potentially avoiding a harmful systemic crisis.

              However, trading on the markets for corporate securities, government
              securities, and money market instruments is also vitally important to the
              economy, and the United States deserves similar assurance that trading
              activities would also be able to resume when appropriate and without
              excessive delay. The U.S. economy has demonstrated that it can withstand
              short periods during which markets are not trading. After some events
              occur, having markets closed for some time could be appropriate to allow
              for disaster recovery and reduce market overreaction. However, long
              delays in reopening the markets could also be harmful to the economy.
              Without trading, investors lack the ability to accurately value their
              securities and would be unable to adjust their holdings. The attacks



              Page 85                                     GAO-03-251 Potential Terrorist Attacks
Chapter 4
Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen
Their Operations Risk Oversight




demonstrated that the ability of markets to recover could depend on the
extent to which market participants have made sound investments in
business continuity capabilities. Without identifying strategies for recovery,
determining the sound practices needed to implement these strategies, and
identifying the organizations that would conduct trading under these
strategies, the risk that markets may not be able to resume trading in a fair
and orderly fashion and without excessive delays is increased. Goals and
strategies for recovering trading activities could be based on likely disaster
scenarios that identify the organizations that could be used to conduct
trading in the event that other organizations were unable to recover within
a reasonable time. These would provide market participants with
information to make better decisions about how to improve their
operations and provide regulators with sound criteria for ensuring that
trading on U.S. markets could resume when appropriate.

Strategies for resuming trading could involve identifying which markets
would assume the trading activities of others or identifying other venues
such as ECNs in which trading could occur. To be viable, these strategies
would also have to identify whether any operational changes at these
organizations would be necessary to allow this trading to occur. Although
SEC has begun efforts to ensure that trading can be transferred between
NYSE and NASDAQ, these efforts are not complete and not all securities
are covered. Because of the risk of operational difficulties resulting from
large-scale transfers of securities trading to organizations that normally do
not conduct such activities, testing the various scenarios would likely
reduce such problems and ensure that the envisioned strategies are viable.

Expanding the organizations that would be required to implement sound
business continuity practices beyond those important for clearing would
better ensure that those organizations needed for the resumption of
smooth and timely trading would have developed the necessary business
continuity capabilities. As discussed in chapter 3, exchanges, clearing
organizations, and ECNs we reviewed had taken many steps to reduce the
risks that they would be disrupted by physical or electronic attacks and
have mitigated risk through business continuity planning. However, some
organizations still had limitations in their business continuity measures
that increased the risk that their operations would be disrupted, including
organizations that might need to trade if the major exchanges were unable
to resume operations. In addition, the attacks demonstrated that
organizations that were not previously considered critical to the markets’
functioning could greatly increase in importance following a disaster.
Therefore, identifying all potential organizations that could become



Page 86                                     GAO-03-251 Potential Terrorist Attacks
Chapter 4
Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen
Their Operations Risk Oversight




important to resuming trading and ensuring they implement sound
business practices would increase the likelihood of U.S financial markets
being able to recover from future disasters. Given that the importance of
different organizations to the overall markets varies, any recovery goals
and business continuity practices that are developed could similarly vary
their expectations for different market participants but with the ultimate
goal of better ensuring that organizations take reasonable, prudent steps in
advance of any future disasters. For example, broker-dealers could be
expected to take steps to ensure that their customer records are backed up
frequently and that these backup records are maintained at considerable
distance from the firms’ primary sites. This would allow customers to
transfer their accounts to other broker-dealers if the firm through which
they usually conduct trading is not operational after a major disaster.

Given the increased threats demonstrated by the September 11 attacks and
the need to ensure that key financial market organizations are following
sound practices, securities and banking regulators’ oversight programs are
important mechanisms for ensuring that U.S financial markets are resilient.
However, SEC’s ARP program—which oversees the key clearing
organizations and exchanges and may be used to oversee additional
organizations’ adherence to the white paper on sound practices—currently
faces several limitations. Because it is a voluntary program, SEC lacks
leverage to assure that market participants implement important
recommended improvements. An ARP program that draws its authority
from an issued rule could provide SEC additional assurance that exchanges
and clearing organizations adhere to important ARP recommendations and
any new guidance developed jointly with other regulators. To preserve the
flexibility that SEC staff see as a strength of the current ARP program, the
rule would not have to mandate specific actions but could instead require
that the exchanges and clearing organizations engage in activities
consistent with the practices and tenets of the ARP policy statements. This
would provide SEC staff with the ability to adjust their expectations for the
organizations subject to ARP as technology and industry best practices
evolve while providing clear regulatory authority to require prudent actions
when necessary. SEC already requires ECNs to comply with ARP guidance;
extending the rule to the exchanges and clearing organizations would place
them on similar legal footing.

Additional staff, including those with technology backgrounds, could better
ensure the effectiveness of the ARP program’s oversight. SEC could
conduct more frequent examinations, as envisioned by federal information
technology standards, and more effectively review complex, large-scale



Page 87                                     GAO-03-251 Potential Terrorist Attacks
                  Chapter 4
                  Financial Market Regulators Lack Recovery
                  Goals for Trading and Could Strengthen
                  Their Operations Risk Oversight




                  technology operations in place at the exchanges, ECNs, and clearing
                  organizations. If the ARP program must also begin reviewing the extent to
                  which broker-dealers important to clearing and trading in U.S. securities
                  markets are adhering to sound business continuity practices, additional
                  staff resources would likely be necessary to prevent further erosion in the
                  ability of the SEC staff to oversee all the important organizations under its
                  authority. The increased appropriations authorized in the Sarbanes-Oxley
                  Act, if received, would present SEC a clear opportunity to enhance its
                  technological resources, including the ARP program, without affecting
                  other important initiatives.



Recommendations   So that trading in U.S. financial markets can resume after future
                  disruptions in as timely a manner as appropriate, we recommend that the
                  Chairman, SEC, work with industry to

                  • develop goals and strategies to resume trading in securities;

                  • determine sound business continuity practices that organizations would
                    need to implement to meet these goals;

                  • identify the organizations, including broker-dealers, that would likely
                    need to operate for the markets to resume trading and ensure that these
                    entities implement sound business continuity practices that at a
                    minimum allow investors to readily access their cash and securities; and

                  • test trading resumption strategies to better assure their success.

                  In addition, to improve the effectiveness of the SEC’s ARP program and the
                  preparedness of securities trading and clearing organizations for future
                  disasters, we recommend that the Chairman, SEC, take the following
                  actions:

                  • Issue a rule requiring that the exchanges and clearing organizations
                    engage in activities consistent with the operational practices and other
                    tenets of the ARP program; and

                  • If sufficient funding is available, expand the level of staffing and
                    resources committed to the ARP program.




                  Page 88                                     GAO-03-251 Potential Terrorist Attacks
                      Chapter 4
                      Financial Market Regulators Lack Recovery
                      Goals for Trading and Could Strengthen
                      Their Operations Risk Oversight




Agency Comments and   We requested comments on a draft of this report from the heads, or their
                      designees, of the Federal Reserve, OCC, Treasury, and SEC. The Federal
Our Evaluation        Reserve and SEC provided written comments, which appear in appendixes
                      III and IV, respectively. The Federal Reserve, OCC, and SEC also provided
                      technical comments, which we incorporated as appropriate.

                      SEC generally agreed with the report and the goals of its recommendations.
                      The letter from SEC’s Market Regulation Division Director noted that SEC
                      has been working with market participants to strengthen their resiliency
                      and that the SEC staff agreed that the financial markets should be prepared
                      to resume trading in a timely, fair, and orderly fashion following a
                      catastrophe, which is the goal of our recommendations that SEC work with
                      the industry to develop business continuity goals, strategies, and practices.
                      SEC’s letter expressed a concern that this recommendation expects SEC to
                      ensure that broker-dealers implement business continuity practices that
                      would allow trading activities to resume after a disaster. The SEC staff
                      noted that broker-dealers are not required to conduct trading or provide
                      liquidity to markets. Instead this would be a business decision on the part
                      of these firms. However, SEC’s letter noted that broker-dealers are required
                      to be able to ensure that any completed trades are cleared and settled and
                      that customers have access to the funds and securities in their accounts as
                      soon as is physically possible. SEC’s letter stated that the BCP expectations
                      for these firms must reflect these considerations.

                      We agree with SEC that the business continuity practices they develop with
                      broker-dealers should reflect that the extent to which these firms’ BCPs
                      address trading activities is a business decision on the part of a firm’s
                      management. In addition, SEC would need to take into account the
                      business continuity capabilities implemented by broker-dealers that
                      normally provide significant order flow and liquidity to the markets when it
                      works with the exchanges and other market participants to develop goals
                      and strategies for recovering from various disaster scenarios. To the extent
                      that many of these major broker-dealers may be unable to conduct their
                      normal volume trading in the event of some potential disasters without
                      extended delays, the intent of our recommendation is that SEC develop
                      strategies that would allow U.S. securities markets to resume trading, when
                      appropriate, through other broker-dealers such as regional firms that are
                      less affected by the disaster. However, to ensure that such trading is orderly
                      and fair to all investors, SEC will have to ensure that broker-dealers’
                      business continuity measures at a minimum are adequate to allow prompt




                      Page 89                                     GAO-03-251 Potential Terrorist Attacks
Chapter 4
Financial Market Regulators Lack Recovery
Goals for Trading and Could Strengthen
Their Operations Risk Oversight




transfers of customer funds and securities to other firms so that the
customers of firms unable to resume trading are not disadvantaged.

Regarding our recommendations to ensure that SEC’s ARP program has
sufficient legal authority and resources to be an effective oversight
mechanism over exchanges, clearing organizations, and ECNs, SEC’s
Market Regulation Division Director stated that they will continue to assess
whether rulemaking is appropriate. In addition, the letter stated that, if the
agency receives additional funding, they will consider recommending to
the Chairman that ARP staffing and resources be increased.

SEC’s letter also commented that physical security beyond the protection
of information technology resources was not envisioned as a component of
ARP when the program was initiated. They indicated that they may need
additional resources and expertise to broaden their examinations to
include more on this issue.

In the letter from the Federal Reserve’s Staff Director for Management, he
noted that the Federal Reserve is working to improve the resilience of the
financial system by cooperating with banking and securities regulators to
develop sound practices to reduce the system effects of wide-scale
disruptions. They are also working with the other banking regulators to
expand the guidance for banks on information security and business
continuity.




Page 90                                     GAO-03-251 Potential Terrorist Attacks
Appendix I

Telecommunications Providers and Others                                                                             Appendx
                                                                                                                          ies




Cooperated to Overcome Damage to
Telecommunications Infrastructure                                                                                    Append
                                                                                                                          x
                                                                                                                          Ii




                        The September 11 attacks caused extensive damage to telecommunications
                        infrastructure and resulted in loss of telecommunications services to
                        financial market participants in lower Manhattan. During the days that
                        followed, the affected telecommunications carriers worked together with
                        financial market participants and local government officials to overcome
                        numerous challenges to restore key services and reestablish the
                        connectivity needed to reopen the nation’s equity markets on September
                        17, 2001.



The Terrorist Attacks   The September 11 terrorist attacks extensively damaged the
                        telecommunications infrastructure serving lower Manhattan, disrupting
Extensively Damaged     voice and data communications services throughout the area. The bulk of
Local                   this damage occurred when 7 World Trade Center collapsed into an
                        adjacent building—a major Verizon telecommunications center at 140 West
Telecommunications      Street. Because the Verizon central office was the major local
Infrastructure          communications hub within the public network, the collateral damage to
                        that facility significantly disrupted local telecommunications services to
                        approximately 34,000 businesses and residences in the surrounding area,
                        including the financial district.1

                        Significant numbers of customers lost their telecommunications services
                        for extended periods. When the Verizon central office was damaged, about
                        182,000 voice circuits, more than 1.6 million data circuits, almost 112,000
                        PBX trunks, and more than 11,000 lines serving Internet service providers
                        were lost.2 This central office served a large part of lower Manhattan. (The
                        area served by this facility is shown in fig. 8 in ch. 2.)

                        The attacks also damaged other Verizon facilities and affected customers in
                        areas beyond that served directly from 140 West Street. Three other Verizon
                        switches in the World Trade Center towers and in 7 World Trade Center
                        were also destroyed in the attacks. Additional services were disrupted


                        1
                         A central office is a telephone company facility containing the switching equipment that
                        links served customers to the public voice and data networks within and outside of the local
                        service area.
                        2
                         A PBX (private branch exchange) is an automatic telephone switching system that is
                        owned, operated, and located within a private enterprise. This system switches calls
                        between enterprise users on local lines while allowing all users to share a certain number of
                        external telephone lines. A PBX trunk line connects the PBX to the serving
                        telecommunications carrier’s local central office switch.




                        Page 91                                              GAO-03-251 Potential Terrorist Attacks
Appendix I
Telecommunications Providers and Others
Cooperated to Overcome Damage to
Telecommunications Infrastructure




because 140 West Street also served as a transfer station on the Verizon
network for about 2.7 million circuits carrying data traffic that did not
originate or terminate in that serving area, but that nevertheless passed
through that physical location. For example, communications services
provided out of the Verizon Broad Street central office that passed through
West Street were also disrupted until new cabling could be put in placed to
physically carry those circuits around the damaged facility. As a result,
Verizon had to restore services provided by about 4.4 million Verizon data
circuits in total.

The attacks also damaged the facilities and equipment of other carriers as
well. In the 140 West Street facilities, 30 other telecommunications
providers had equipment linking their networks to the Verizon network.
Allegiance Telecom, Covad Communications, Metromedia Fiber Network,
PaeTec, XO Communications, and Winstar Communications noted the
interdependence of network services and that the cascading effect of the
Verizon network disruptions affected tens of thousands of their customers
according to outage reports filed with the Federal Communications
Commission (FCC). Other local carriers also sustained losses to their own
network facilities. For example, AT&T Local Network Service lost use of
two major network nodes in the World Trade Center complex, as well as
two switches in damaged buildings. Service provided by two other
switches were disrupted when the switches lost power. AT&T also lost use
of the fiber-optic cable that provided its own local service to lower
Manhattan. Overall, AT&T lost equipment and circuits including 200 miles
of fiber-optic cable, more than 33 thousand network trunks, and about
20,000 other telecommunications lines that each carried the equivalent of
24 voice communication channels.3 Focal Communications reported to
FCC that customers served by its switch in lower Manhattan lost service at
about 11:00 p.m. on September 11, 2001, when commercial power to that
switch was lost, and backup power supplies (generator, then battery) were
eventually exhausted before Focal Communications technicians could gain
access to their facilities in order to restore power.

After September 11, some financial firms whose physical facilities were not
damaged learned that telecommunications services still could fail because
their supporting services were not as diverse and redundant as expected.
Diversity involves establishing different physical routes into and out of a


3
 A trunk is a telecommunications line that carries multiple voice or data channels between
two telephone exchange switching systems.




Page 92                                             GAO-03-251 Potential Terrorist Attacks
Appendix I
Telecommunications Providers and Others
Cooperated to Overcome Damage to
Telecommunications Infrastructure




building, and using different equipment along those routes to prevent
failures if a disaster or other form of interference adversely affects one
route. Redundancy involves having extra capacity available, generally from
more than one source, and also incorporates aspects of diversity.
Therefore, users that rely on telecommunications services to support
important applications try to ensure that those services use facilities that
are diverse and redundant so that no single point in the communications
path can cause all services to fail.

After the attacks, some firms that made arrangements with multiple service
providers to obtain redundant service discovered that the lines used by
their providers were not diverse because they routed through the same
Verizon switching facility. Other firms that had mapped out their
communications lines to ensure that their lines flowed through physically
diverse paths at the time those services were first acquired found that their
service providers had rerouted some of those lines over time without their
knowledge, eliminating that assurance of diversity in the process.
Representatives of several banks and broker-dealers with major New York
operations told us that they suffered disruptions to their
telecommunications service despite their belief that they were being served
by diverse carriers, diverse facilities, or both.

Ensuring that carriers actually maintain physically redundant and diverse
telecommunications services has been a long-standing concern within the
financial industry. For example, in December 1997, the President’s National
Security Telecommunications Advisory Committee reported, “despite
assurances about diverse networks from the carriers, a consistent concern
among the financial services industry was the trustworthiness of their
telecommunications diversity arrangements.”4

Obtaining physically diverse telecommunications services and ensuring
that diversity is maintained over time is difficult. First, some customers
incorrectly assume that simply obtaining service from multiple carriers
ensures that they are receiving redundant and diverse services. However, a
competing local carrier may choose to lease or resell the “last mile” circuits
into a customer location from the incumbent local exchange carrier rather




4
 The President’s National Security Telecommunications Advisory Committee, Financial
Services Risk Assessment Report, December 1997.




Page 93                                          GAO-03-251 Potential Terrorist Attacks
                               Appendix I
                               Telecommunications Providers and Others
                               Cooperated to Overcome Damage to
                               Telecommunications Infrastructure




                                than incur the cost to construct its own facilities into a building.5 In New
                               York City for example, providing facilities in a given building and
                               constructing lines from network facilities running through an adjacent
                               street can typically cost a carrier about $150,000. This total does not
                               include the time and cost associated with obtaining a building owner’s
                               permission to locate facilities on premise. Also, where multiple carriers
                               have a network presence in a given property, different carrier circuits could
                               possibly share the same rights-of-way and conduits to enter and exit a
                               building. Moreover, as was learned in the aftermath of September 11,
                               assurances regarding diversity also could lose validity as
                               telecommunications carriers merge or change the paths of circuits over
                               time.



Telecommunications             Telecommunications carriers and government entities collaborated to
                               restore telecommunications after the attacks. Before work could begin to
Carriers and                   restore the connections supporting the financial markets,
Government Agencies            telecommunications providers first had to ensure that government
                               services, including public safety, and health care providers had service.
Worked Together to             Restoring service to all affected organizations required
Overcome Challenges            telecommunications providers to overcome significant challenges,
                               including obtaining access to the affected area and working under
                               hazardous conditions.



Telecommunications             Although regulators and market participants were anxious to reopen the
Carriers Gave First Priority   financial markets, the immediate priority for telecommunications carriers
                               in the aftermath of the attacks was to restore service to the government
to Government and Health
                               and health care sectors in New York City. As required by federal emergency
Care Services                  response protocols, telecommunications carriers’ first priority was to
                               ensure that critical services to city, state, and federal government entities
                               were restored, in particular circuits that had been designated as
                               Telecommunications Service Priority circuits because they supported
                               communications relating to national security and emergency preparedness.
                               Carriers provided new or rerouted communications lines to support public
                               safety and other emergency services personnel in the affected area,


                               5
                                The specific physical segment that connects each residential or business customer to the
                               initial telephone company central office is referred to as the “local loop” or “last mile” in that
                               path.




                               Page 94                                                 GAO-03-251 Potential Terrorist Attacks
                       Appendix I
                       Telecommunications Providers and Others
                       Cooperated to Overcome Damage to
                       Telecommunications Infrastructure




                       including any health care providers or emergency services organizations
                       that lost service.

                       To begin work necessary to resume financial market operations,
                       telecommunications carriers then had to obtain generators and use
                       emergency power to support network operations and to coordinate with
                       financial institutions to facilitate the resumption of stock exchange
                       activities by September 17, 2001. For example, Verizon managers met with
                       representatives of the New York Stock Exchange (NYSE), major brokerage
                       houses, the Securities and Exchange Commission (SEC), and the New York
                       Federal Reserve to plot that restoration effort. They also had to start the
                       extensive switching, cabling, and network electronics restoration
                       activities, conduct broader customer outreach, and, where possible,
                       provide alternative telecommunications services in the affected area.



Telecommunications     Telecommunications carriers faced two overall challenges in restoring
Companies Overcame     connectivity to financial market customers. First, access to lower
                       Manhattan was restricted, with evacuation zones established on September
Numerous Restoration
                       11 and in place for several weeks because of immediate rescue and
Challenges             recovery efforts at the attack site as well as continuing safety and security
                       concerns within the area. Therefore, telecommunications carriers had to
                       coordinate work crew access to the area for restoration activities.
                       WorldCom managers reported to us that the greatest difficulty they
                       encountered during the first few days of the crisis was being unable to
                       determine who was in charge of area access control points and who could
                       approve movement of needed materials. Obtaining complete clearance
                       through the various local, state, and federal officials, including the National
                       Guard, took WorldCom about 2 days. According to Verizon managers,
                       gaining access to the area required their most senior executives to request
                       resolution from the Mayor’s Office.

                       Safety and environmental issues also impeded initial restoration efforts.
                       Specifically, according to Verizon managers, their efforts to assess damage
                       and begin repairs on the 140 West Street facilities were initially delayed by
                       concerns over the structural integrity of the facility and other buildings
                       nearby. Furthermore, in the immediate aftermath of the attacks, firefighters
                       used the Verizon facility to extinguish fires still burning in the area and
                       contributed to the flooding of the facility’s cable vaults. The loss of
                       electrical power in that area also hampered initial restoration efforts. In
                       addition, Verizon’s efforts were delayed because they had to install a new
                       air-pressure system after the existing system was damaged. Verizon needed



                       Page 95                                      GAO-03-251 Potential Terrorist Attacks
Appendix I
Telecommunications Providers and Others
Cooperated to Overcome Damage to
Telecommunications Infrastructure




this system to protect underground circuits in that area from water that
could enter cabling. The time line in figure 13 illustrates major challenges
during restoration efforts at 140 West Street.



Figure 13: Verizon Overcame Major Challenges During 140 West Street Restoration
Efforts




Restoring services from the 140 West Street facility required considerable
effort under difficult conditions. Verizon technicians were unable to access
telecommunications manholes at 140 West Street until 30-foot-high piles of
debris were removed. Because of the debris and extensive damage within
the building, Verizon staff temporarily ran cables over the ground and
around damaged cabling to quickly restore services. Because of damage to
the cable vault, a new cable vault was reconstructed on the first floor, and
cables were run up the side of the building to the fifth and eighth floors.
(See fig. 9 in ch. 2.)

AT&T’s restoration effort focused on replacing telecommunications
services that were routed through its central office in the World Trade
Center complex, which collapsed on September 11. AT&T supported and
cooperated with Federal Emergency Management Agency and local
authorities to establish emergency communications to the affected areas
and with financial institutions to facilitate resumption of NYSE operations.
AT&T established a temporary mobile central office by deploying tractor-
trailers with necessary equipment to northern New Jersey. AT&T used



Page 96                                      GAO-03-251 Potential Terrorist Attacks
                        Appendix I
                        Telecommunications Providers and Others
                        Cooperated to Overcome Damage to
                        Telecommunications Infrastructure




                        telecommunications lines in the tunnels to New Jersey to link service in
                        Manhattan to that temporary facility.



City Officials Helped   New York City agencies played a key role in the restoration process,
Coordinate Carrier      collaborating with carriers, assisting in prioritizing service recovery
                        requirements, and coordinating restoration efforts among carriers. To
Restoration Efforts     coordinate these efforts, the New York City Department of Information
                        Technology and Telecommunications (DOITT) invoked the City’s Mutual
                        Aid and Restoration Consortium (MARC) agreement. MARC required
                        telecommunications franchisees in New York City to assist in the delivery
                        of alternative voice and data services to essential city government offices
                        and operations in an emergency. DOITT coordinated a series of bridge
                        conference calls that included approximately 20 telecommunications
                        service providers and facilitated communication and coordination of
                        restoration efforts. These twice-daily calls allowed city officials to help set
                        telecommunications restoration priorities and also gave carriers an
                        opportunity to share information and offer assistance. Although not a party
                        to the MARC agreement, wireless communications carriers and staff from
                        the federal National Communications System (NCS), which is responsible
                        for administering federal national security and emergency preparedness
                        telecommunications programs, also participated in these calls.6




                        6
                         NCS, which includes representatives from 22 federal departments and agencies, is
                        responsible for ensuring the availability of telecommunications infrastructure for entities
                        with national security and emergency preparedness responsibilities. Formed in 1962
                        following the communications difficulties during the Cuban Missile Crisis, NCS provides
                        emergency communications for the federal government during all emergencies and
                        international crises.




                        Page 97                                              GAO-03-251 Potential Terrorist Attacks
Appendix II

Regulator and Market Participants Are
Working to Improve Crisis Response and
Telecommunications Resiliency                                                                                       Appendx
                                                                                                                          Ii




                         Financial regulators and market participants have begun efforts to ensure
                         that they are better able to respond to future crises. The financial sector is
                         one of the key sectors being addressed by organizations responsible for
                         ensuring that the nation’s critical infrastructure is protected. In response to
                         some of the problems that occurred after September 11, government and
                         industry are working together to develop plans or put systems into place
                         for accessing affected areas and to improve communication and
                         information flow during crises. In response to difficulties that market
                         participants experienced in the aftermath of the attacks, regulators and
                         market participants are working to ensure that financial market
                         organizations receive appropriate priority for telecommunications
                         restoration and transmission. Market participants and telecommunications
                         providers are also working to facilitate access by critical personnel to
                         affected sites and to improve the resiliency of the telecommunications
                         networks serving financial markets.



New Organizations Will   New organizations have been formed to further address critical
                         infrastructure in the financial sector. In 1998, a Presidential Decision
Increase the Extent to   Directive described a strategy for cooperative efforts by government and
Which Critical           the private sector to protect critical, computer-dependent operations in key
                         sectors of the U.S. economy, including banking and finance. The directive
Infrastructure           designated the Department of the Treasury (Treasury) as the lead agency
Protection Efforts       for the banking and financial sector. Treasury was to work with the private-
Address the Financial    sector and government organizations to develop a plan to assess
                         infrastructure vulnerabilities and develop mitigation strategies for each of
Sector                   the identified vulnerabilities.1 Treasury has taken various actions, including
                         establishing a committee to develop national strategy for the sector and
                         creating a Financial Services Information Sharing and Analysis Center in
                         1999 to share information about threats and incidents and provide access
                         to subject matter expertise and other relevant information.

                         Recently, additional organizations have been created to address threats to
                         the critical assets of the U.S. financial sector. In October 2001, the
                         President’s Critical Infrastructure Protection Board has formed the
                         Financial and Banking Information Infrastructure Committee (FBIIC),
                         which includes the financial regulators responsible for securities, futures,


                         1
                          The other sectors included the nation’s water supply, transportation, emergency and law
                         enforcement services, public health services, electric power, and oil and gas production and
                         storage.




                         Page 98                                             GAO-03-251 Potential Terrorist Attacks
                          Appendix II
                          Regulator and Market Participants Are
                          Working to Improve Crisis Response and
                          Telecommunications Resiliency




                          banking, insurance, and government-sponsored enterprises, to assist the
                          Board in ensuring that critical infrastructure in the financial markets is
                          addressed. FBIIC acts as the lead coordinating organization between the
                          financial services industry and the federal entities leading the effort to
                          protect the critical infrastructure and key assets of the financial services
                          industry. Another new organization consisting of private-sector
                          organizations, the Financial Services Sector Coordinating Council for
                          Critical Infrastructure Protection and Homeland Security, has also been
                          created to coordinate sectorwide activities to improve critical
                          infrastructure protection and homeland security. Its members include
                          representatives from the Securities Industry, Bond Market, and American
                          Bankers Associations, and individual market participants, including the
                          stock exchanges, clearing organizations, broker-dealers, and banks. The
                          status of efforts that address critical infrastructure protection in the
                          financial sector are discussed more fully in our January 2003 report.2



Regulators and Market     In response to some of the problems that occurred in the aftermath of
                          September 11, government and industry are working together to develop
Participants Are Acting   plans or put systems into place for accessing affected areas and improve
to Improve Crisis         communication and information flow during crises. As we described in
                          chapter 2, the terrorist attacks on September 11, 2001, resulted in access
Response                  restrictions over a large area of lower Manhattan. Initially only emergency
                          personnel, law enforcement officials, and other first responders could
                          enter the area. Staff at some market participants experienced difficulties in
                          obtaining access to their facilities. For example, staff at one electronic
                          communication network (ECN) said they could not access their offices
                          because the authorities responsible for controlling access to the area had
                          not heard of their organization. Representatives of some of the firms with
                          whom we met that had offices in the affected area told us that obtaining
                          access was sometimes difficult because different entities, such as the local
                          police or the National Guard, were responsible for controlling access
                          points during the week. Moreover, these entities did not necessarily have
                          identical lists showing which personnel were authorized to enter the area.
                          In addition, the process for gaining authorized access to the area was
                          unclear. In some cases, financial market organization staff told us they
                          relied on personal contacts with governmental officials or the New York
                          Police Department to gain access to their facilities.

                          2
                           U.S. General Accounting Office, Critical Infrastructure Protection: Efforts of Financial
                          Services Sector to Address Cyber Threats, GAO-03-173 (Washington, D.C.: Jan. 30, 2003).




                          Page 99                                             GAO-03-251 Potential Terrorist Attacks
Appendix II
Regulator and Market Participants Are
Working to Improve Crisis Response and
Telecommunications Resiliency




To avoid or mitigate future access difficulties, New York City’s Office of
Emergency Management, the Mayor’s Office, and private-sector
organizations were developing a more structured process to control access
to the city during crises. These organizations are working on a project
started by the Business Network of Emergency Resources (BNET). BNET
is a nonprofit organization based in Buffalo, New York, that has developed
emergency management plans for businesses throughout New York State
to address snowstorms and other emergencies. The members of BNET
developed the Corporate Emergency Access System, which will assist local
businesses in entering restricted areas during emergencies. Under this
system, organizations are to designate essential employees that should
have access to their companies' facilities during emergencies if necessary.
BNET will issue photo identification cards to employees deemed essential
by participating organizations. This initiative is awaiting approval from the
New York City Mayor’s Office.

As a result of some inconsistencies in information dissemination to market
participants in the aftermath of the attacks, financial regulators and some
market participants have several efforts under way to improve
communications during crises. Following the September terrorist attacks,
some financial market participants were unsure of who was in charge and
how the decision-making process would work to reopen the markets in an
appropriate manner. For example one firm reported that it was not initially
made aware of or was unable to participate in specific conference calls that
were coordinated by federal regulators, calls in which decisions were made
on when the markets would reopen. A few firms also reported learning of
decisions via reports televised on CNN.

Since the attacks, market participants have created new mechanisms for
communicating during crises. Securities and Exchange Commission (SEC)
staff noted that having all interested organizations participating in all key
conference calls in which decisions are being made is not possible. SEC
staff told us that they believed that as many of the important market
participants that could be accommodated did participate in the key calls
and major meetings. SEC staff noted that new ways to ensure adequate
information dissemination have been created. For example, in future
events, the Security Industry Association’s (SIA) newly established
command center could facilitate communications between regulators and
market participants. This command center can serve as a central point for
communicating the status of participants and the markets, assist in
coordinating industry response activities, and provide for liaison to and
among city, state, and federal bodies before, during, and after a disaster.



Page 100                                    GAO-03-251 Potential Terrorist Attacks
                            Appendix II
                            Regulator and Market Participants Are
                            Working to Improve Crisis Response and
                            Telecommunications Resiliency




                            SIA officials told us this command center has already been successfully
                            used to coordinate information during a recent power outage in New York
                            City’s financial district.



Numerous Initiatives        Financial regulators, market participants, and telecommunications
                            providers also have efforts under way to improve access to and the
Are Under Way to            resiliency of telecommunications services used by the markets. Financial
Strengthen the              regulators are expanding outreach to financial market participants to enroll
                            them in programs designed to provide priority telecommunications
Resiliency of Local         restoration and service during crises. Telecommunications carriers also are
Telecommunications          increasing customer awareness of services that can improve
Services                    telecommunications reliability and recoverability and improving the
                            physical security of their systems and continuity plans. Additionally,
                            financial market participants are assessing weaknesses in their
                            telecommunications infrastructure and designing and testing new network
                            configurations. Finally, other national and local government plans, such as
                            mutual aid agreements—designed to improve telecommunications
                            recoverability—are under way.



Existing Programs Already   An existing federal program allows financial market participants to receive
Can Be Used to Increase     telecommunications priority in crises. Under the Government Emergency
                            Telecommunications Service (GETS) Program, participating staff receive a
Priority and Access to      card that provides them with a code that can be dialed to increase the
Telecommunications          priority of telephone calls they place during crises. To better ensure that
Services                    critical communication among financial market participants occurs, FBIIC
                            issued an interim policy on the GETS Card Program in July 2002 that
                            outlines how staff from financial institutions can obtain such cards. To
                            qualify for GETS sponsorship, the FBIIC policy states that organizations
                            must perform functions critical to the operation of key financial markets.

                            Another FBIIC telecommunications effort involves the Federal
                            Communications Commission’s (FCC) Telecommunications Service
                            Priority (TSP) Program, which is used to identify and prioritize
                            telecommunication services that support national security or emergency
                            preparedness missions. Under TSP, private-sector organizations, through
                            the sponsorship of a selected group of federal agencies, including SEC and
                            the Federal Reserve, can have some of their key telecommunications
                            circuits added to an inventory maintained by the National Communications




                            Page 101                                   GAO-03-251 Potential Terrorist Attacks
Appendix II
Regulator and Market Participants Are
Working to Improve Crisis Response and
Telecommunications Resiliency




Service (NCS).3 These circuits are then eligible for priority restoration in a
disaster. In the aftermath of the attacks, about 10 financial institutions
obtained prioritized restoration of 81 circuits and provisioning of 81 new
circuits under the TSP program. Although only a small number of financial
firms currently participate in TSP, these firms are responsible for a
substantial percentage of the daily funds transfer activity in the United
States. For example, Federal Reserve staff said that financial institutions
that account for about 90 percent of the total dollar volume of Fedwire and
CHIPS payments, which are used to transfer large dollar-value payments
among banks, have TSP-sponsored circuits. However, FBIIC members have
concluded that other important financial market participants should be
included in TSP. As a result, they have initiated outreach efforts to increase
awareness of TSP and other government programs designed to provide
priority service in emergencies and are currently developing a policy that
will outline the requirements for financial firms to participate in TSP.

September 11 also illustrated that regulators would have to be flexible in
setting telecommunications restoration priorities because the firms that
are critical to the markets after a disaster may not have been previously
identified or categorized as important. For example, staff at one of the few
inter-dealer brokers (IDB) in the government securities markets that was
capable of conducting operations after the attacks, said they had not been
aware of the TSP program and had trouble getting priority provisioning for
additional telecommunications capabilities following the attacks. However,
after the attacks, this firm’s operations became critical to the government
securities market because so few other firms were capable of resuming
operations quickly. This IDB eventually got assistance from the White
House and SEC in obtaining the appropriate priority. Yet, prior to this
event, this firm may not have been considered a strong candidate for TSP
because it had relatively low trading volumes. To address this type of
situation in the future, regulators said that a former Federal Reserve staff
member has been placed on site at NCS, which fields requests for TSP
restoration. This person will act as a liaison with the financial regulators
and NCS.




3
 NCS consists of 22 federal member departments and agencies and is responsible for
ensuring the availability of telecommunications infrastructure for entities with national
security and emergency preparedness responsibilities. Formed in 1962 following the
communications difficulties during the Cuban Missile Crisis, NCS provides emergency
communications for the federal government during all emergencies and international crises.




Page 102                                           GAO-03-251 Potential Terrorist Attacks
                               Appendix II
                               Regulator and Market Participants Are
                               Working to Improve Crisis Response and
                               Telecommunications Resiliency




                               Additional efforts by regulators and market participants are under way.
                               Federal Reserve staff told us that they met in November 2002 with
                               representatives of the National Security Telecommunications Advisory
                               Committee to discuss the reliance of the financial and other critical sectors
                               on telecommunications infrastructure. At this meeting, they discussed
                               concerns over concentration and security issues relating to
                               telecommunications facilities. In December 2002, this group established a
                               working group to identify and assess telecommunication infrastructure
                               issues and Federal Reserve staff told us that the financial sector would
                               work with this group to develop recommendations.



Carriers Offer Services to     Telecommunications carriers are taking steps to improve their customers’
Improve Customer               awareness of services that can improve the reliability and recoverability of
                               existing telecommunications, including the use of fiber-optic networks and
Continuity and Are
                               other approaches that provide more reliable access to public networks, and
Improving Their Continuity     services that help to recover failed connections. While each of these
Plans and Strengthening        services will protect against some outages, they may not have prevented
Local Service Infrastructure   the extensive disruptions that occurred on September 11, 2001. Carriers
                               also offer services that customers can use to redirect their switched
                               telecommunications services, such as voice calls, to another business
                               location, either in response to a crisis or for more general business reasons,
                               such as receiving after-hours calls. On the basis of customer information
                               stored in the carrier’s central office switching system, these services can be
                               used individually or in conjunction with other continuity services to rapidly
                               route communications around failure points in a customer’s
                               communications path. However, because this service primarily protects
                               switched communications services, it would not protect or more rapidly
                               restore services delivered using dedicated, nonswitched communications
                               lines.

                               Telecommunications carriers are also working to improve their basic
                               services in two ways: by improving their continuity planning efforts and by
                               strengthening the reliability of their networks. For example, AT&T had
                               previously made substantial investments in its contingency capability,
                               tested that capability on a quarterly basis, and was able to exercise that
                               capability to process communications traffic within 72 hours of the World
                               Trade Center attacks. Although Verizon reported that it also had plans in
                               place prior to the attacks that aided its recovery efforts, Verizon is actively
                               working to strengthen its internal continuity practices. Verizon is revising
                               its January 1996 Central Office Disaster Recovery Plan based on lessons
                               learned, and, at the same time, developing business unit continuity plans to



                               Page 103                                     GAO-03-251 Potential Terrorist Attacks
                               Appendix II
                               Regulator and Market Participants Are
                               Working to Improve Crisis Response and
                               Telecommunications Resiliency




                               identify critical processes and operation support systems and harden
                               control centers supporting emergency management activities. Verizon
                               contingency managers indicated that this latter effort, which was about 75
                               percent complete in July 2002, would be the basis for developing mission-
                               critical control plans to address relocation contingencies and building
                               plans to address facility-specific evacuation, fire, and rescue situations.
                               These efforts will then feed into Verizon’s regional preparedness plans.

                               Verizon and AT&T are also taking steps to improve the reliability and
                               resiliency of their networks as they rebuild damaged infrastructure. For
                               example, Verizon plans to serve the financial district with more central
                               offices to improve network redundancy and diversity. Verizon also plans to
                               build more fiber-optic rings in its local network and use more modern
                               synchronous optical network (SONET) technology in those networks.4
                               Verizon estimates its total reconstruction costs to be more than $1.4 billion.
                               In support of its long-term restoration effort, AT&T has also upgraded its
                               fiber-optic networks and rebuilt two diverse central office facilities.



Financial Market               Financial market participants are also taking actions to reduce their
Participants Are Also Taking   vulnerability to future telecommunications disruptions. For example, a
                               working group formed by senior telecommunications executives from
Steps to Promote More
                               major financial firms in lower Manhattan has completed an assessment of
Reliable                       weaknesses revealed by the September 11 attacks and outlined ideas for
Telecommunications             making the local telecommunications infrastructure more reliable and
                               resilient to outages.5

                               SIA has also taken the lead in designing and scheduling industrywide
                               testing, so that major financial institutions, exchanges, and industry
                               utilities can simultaneously activate work area recovery and data center
                               recovery plans from alternate sites and gain confidence that their facilities
                               work as envisioned in their plans. SIA currently plans for two phases of
                               testing that focus on backup connectivity between industry participants.
                               Phase 1 testing assumes an outage at the participant’s primary facility.
                               Phase 2 testing assumes that an event has occurred in a specific geographic


                               4
                                Fiber optic cables consist of glass or plastic threads (fibers) that transmit information using
                               light waves.
                               5
                                Building a 21st Century Telecom Infrastructure, Lower Manhattan Telecommunications
                               Users’ Working Group Findings and Recommendations, August 2002.




                               Page 104                                               GAO-03-251 Potential Terrorist Attacks
Appendix II
Regulator and Market Participants Are
Working to Improve Crisis Response and
Telecommunications Resiliency




region causing disruption to supporting infrastructure (e.g.,
telecommunications and electrical power). In phase 1 tests, participants
are required to test communications facilities between their own backup
sites and the primary sites of critical parties. During phase 2 testing, all test
participants with primary data centers and work area sites in designated
geographic regions need to test recovery from backup or alternate sites.6

In addition to these actions, the financial industry has started work on a
more resilient private networking platform that will transmit trading and
clearing information among various market participants. The Securities
Industry Automation Corporation (SIAC), which is a jointly owned
subsidiary of the New York Stock Exchange and American Stock
Exchange, is developing the network platform, known as the Secure
Financial Transaction Infrastructure (SFTI). SFTI is intended to provide a
more reliable and survivable private communications mechanism linking
the exchanges, the clearing organization for securities, and broker-dealers.
Whereas broker-dealers currently connect to SIAC through hundreds of
individual connections, in the future they will connect to SFTI via four
access points, which will be located at switching facilities served by
multiple telecommunications providers. Figure 14 illustrates the
connections among SFTI participants.




6
 Securities Industry Association Business Continuity Planning Committee Industry Testing
Workgroup, “Plan for Industry Testing: Version 1,” September 10, 2002.




Page 105                                           GAO-03-251 Potential Terrorist Attacks
Appendix II
Regulator and Market Participants Are
Working to Improve Crisis Response and
Telecommunications Resiliency




Figure 14: The SFTI Network Provides Redundant Connections




The traffic on SFTI will be transmitted over two high-bandwidth, fiber-optic
rings. To provide physical diversity and promote survivability, two SFTI
network access points would be located in Manhattan and two outside the
New York metropolitan area. In this way, users with more than one
operating location can connect these locations to SFTI at two distinct
points on either of the two SFTI network rings, thus reducing the likelihood
that a disaster would leave such participants unable to transmit trading or
clearing information. SFTI will initially use network facilities provided by
Con Edison Communications because that firm uses different rights-of-way




Page 106                                    GAO-03-251 Potential Terrorist Attacks
                           Appendix II
                           Regulator and Market Participants Are
                           Working to Improve Crisis Response and
                           Telecommunications Resiliency




                           than other carriers in Manhattan.7 SIAC entered into service agreements
                           with Con Edison Communications in September 2002, and planned to begin
                           preliminary network testing in November 2002. After testing is complete,
                           SIAC plans to initiate broader implementation, hoping to have all interested
                           firms on the network within 2 years. SIAC plans to establish additional
                           SFTI access nodes in Boston, Massachusetts, and Chicago, Illinois, to
                           accommodate users in those cities.



Other National and Local   The National Reliability and Interoperability Council (NRIC), a federal
Government Efforts         advisory council to the FCC, is examining ways to strengthen the resilience
                           and recoverability of the nation’s public telecommunications networks in
Intended to Increase
                           light of the September 11 attacks. One NRIC subgroup will report on the
Telecommunications         viability of past or present mutual aid agreements and any additional
Response and Resiliency    perspectives that facilitate effective telecommunications recovery efforts.
                           This subgroup also is preparing a template for mutual aid agreements for
                           carriers, and examining if telecommunications technicians should be
                           recognized as first responders to overcome the sort of access obstacles
                           that hampered initial telecommunications recovery efforts in New York
                           City. Additionally, the NRIC subgroup is examining how to operationally
                           transfer communications traffic from the damaged facilities of one carrier
                           to the facilities of another carrier with operating network capacity.
                           Although such offers were made in September, Verizon was not able to
                           leverage them because carriers did not have systems and processes in
                           place that could facilitate inter-carrier transfers. In addition to these
                           recovery issues, a second NRIC subgroup is assessing physical
                           vulnerabilities and identifying existing and new best practices to both
                           mitigate the effects of physical infrastructure attacks and restore services
                           after such attacks. The NRIC subgroups are scheduled to complete work by
                           March 2003.

                           New York City is leading an effort to enhance cooperation among
                           telecommunications providers. In 1992, New York City established the
                           Mutual Aid and Restoration Consortium (MARC) agreement, which is
                           intended to ensure the continuity of services in the city under all


                           7
                            Con Edison Communications, a wholly owned subsidiary of Consolidated Edison, Inc.,
                           builds and operates its own fiber-optic network providing data communications services
                           and custom network solutions to multiple classes of customers, including
                           telecommunications carriers, corporations, and Internet, cable, wireless, and video
                           companies.




                           Page 107                                           GAO-03-251 Potential Terrorist Attacks
Appendix II
Regulator and Market Participants Are
Working to Improve Crisis Response and
Telecommunications Resiliency




reasonably foreseeable circumstances. Although this agreement expired at
the end of 1998, the New York City Department of Information Technology
and Telecommunications (DOITT) invoked it in the aftermath of the
September 11 attacks to ensure that essential city government offices and
operations would have adequate telecommunications service. DOITT
coordinated a series of conference calls that included approximately 20
telecommunications service providers; these twice-daily calls allowed city
officials to help set telecommunications restoration priorities and also gave
carriers an opportunity to share information and offer assistance.

To ensure this agreement continues to function well, New York City
officials are revising and expanding it. The new MARC agreement will
formalize the roles of the Mayor’s Office and the Office of Emergency
Management and also will explicitly include wireless service providers who
had not been mentioned in the 1992 agreement. Finally, the new draft also
proposes using the Internet to make information more readily available to
all parties.




Page 108                                    GAO-03-251 Potential Terrorist Attacks
Appendix III

Comments from Federal Reserve System                              Appendx
                                                                        iI




               Page 109      GAO-03-251 Potential Terrorist Attacks
Appendix IV

Comments from the Securities and Exchange
Commission                                                         Appendx
                                                                         iIV




              Page 110        GAO-03-251 Potential Terrorist Attacks
Appendix IV
Comments from the Securities and Exchange
Commission




Page 111                                    GAO-03-251 Potential Terrorist Attacks
Appendix V

GAO Contacts and Staff Acknowledgments                                                          Append
                                                                                                     x
                                                                                                     i
                                                                                                     V




GAO Contacts      Davi M. D’Agostino (202) 512-8678
                  Cody J. Goebel (202) 512-8678



Acknowledgments   In addition to the individuals named above, Edward Alexander, Ron Beers,
                  Lon Chin, Kevin Conway, Kirk Daubenspeck, Patrick Dugan, Edward
                  Glagola, Daniel Hoy, Harold Lewis, Marc Molino, Thomas Payne, Robert
                  Pollard, Jean-Paul Reveyoso, Barbara Roesmann, Derald Seid, Keith Slade,
                  Eugene Stevens, Sindy Udell, and Daniel Wexler made key contributions to
                  this report.




(250073)          Page 112                                 GAO-03-251 Potential Terrorist Attacks
GAO’s Mission            The General Accounting Office, the investigative arm of Congress, exists to
                         support Congress in meeting its constitutional responsibilities and to help improve
                         the performance and accountability of the federal government for the American
                         people. GAO examines the use of public funds; evaluates federal programs and
                         policies; and provides analyses, recommendations, and other assistance to help
                         Congress make informed oversight, policy, and funding decisions. GAO’s
                         commitment to good government is reflected in its core values of accountability,
                         integrity, and reliability.


Obtaining Copies of      The fastest and easiest way to obtain copies of GAO documents at no cost is
                         through the Internet. GAO’s Web site (www.gao.gov) contains abstracts and full-
GAO Reports and          text files of current reports and testimony and an expanding archive of older
                         products. The Web site features a search engine to help you locate documents
Testimony                using key words and phrases. You can print these documents in their entirety,
                         including charts and other graphics.
                         Each day, GAO issues a list of newly released reports, testimony, and
                         correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site
                         daily. The list contains links to the full-text document files. To have GAO e-mail this
                         list to you every afternoon, go to www.gao.gov and select “Subscribe to GAO
                         Mailing Lists” under “Order GAO Products” heading.


Order by Mail or Phone   The first copy of each printed report is free. Additional copies are $2 each. A check
                         or money order should be made out to the Superintendent of Documents. GAO
                         also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single
                         address are discounted 25 percent. Orders should be sent to:
                         U.S. General Accounting Office
                         441 G Street NW, Room LM
                         Washington, D.C. 20548
                         To order by Phone:     Voice: (202) 512-6000
                                                TDD: (202) 512-2537
                                                Fax: (202) 512-6061


To Report Fraud,         Contact:
                         Web site: www.gao.gov/fraudnet/fraudnet.htm
Waste, and Abuse in      E-mail: fraudnet@gao.gov
Federal Programs         Automated answering system: (800) 424-5454 or (202) 512-7470



Public Affairs           Jeff Nelligan, Managing Director, NelliganJ@gao.gov (202) 512-4800
                         U.S. General Accounting Office, 441 G Street NW, Room 7149
                         Washington, D.C. 20548
United States                  Presorted Standard
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300
Address Service Requested