oversight

Potential Terrorist Attacks: More Actions Needed to Better Prepare Critical Financial Markets

Published by the Government Accountability Office on 2003-02-12.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                             United States General Accounting Office

GAO                          Testimony
                             Before the House Committee on Financial Services,
                             Subcommittee on Capital Markets, Insurance, and
                             Government Sponsored Enterprises


For Release on Delivery
Expected at 3:00 p.m., EDT
on Wednesday,                POTENTIAL TERRORIST
February 12, 2003

                             ATTACKS

                             More Actions Needed to
                             Better Prepare Critical
                             Financial Markets

                             Statement of Davi M. D’Agostino
                             Director, Financial Markets and
                             Community Investment




GAO-03-468T
                                               February 2003


                                               POTENTIAL TERRORIST ATTACKS

                                               More Actions Needed to Better Prepare
Highlights of GAO-03-468T, a testimony         Critical Financial Markets
before the Subcommittee on Capital
Markets, Insurance, and Government
Sponsored Enterprises, Financial Services
Committee, House of Representatives




The September 11, 2001, terrorist              The September 11, 2001, terrorist attacks severely disrupted U.S. financial
attacks exposed the vulnerability of           markets as the result of the loss of life, damage to buildings, loss of
U.S. financial markets to wide-scale           telecommunications and power, and restrictions on access to the affected
disasters. Because the markets are             area. However, financial market participants were able to recover relatively
vital to the nation’s economy,                 quickly from the terrorist attacks because of market participants’ and
GAO‘s testimony discusses (1) how
the financial markets were directly
                                               infrastructure providers’ heroic efforts and because the securities exchanges
affected by the attacks and how                and clearing organizations largely escaped direct damage.
market participants and
infrastructure providers worked to             The attacks revealed limitations in the business continuity capabilities of
restore trading; (2) the steps taken           some key financial market participants that would need to be addressed to
by 15 important financial market               improve the ability of U.S. markets to withstand such events in the future.
organizations to address physical              GAO’s review of 15 stock exchanges, clearing organizations, electronic
security, electronic security, and             communication networks, and payments system providers between
business continuity planning since             February and June 2002 showed that all were taking steps to implement
the attacks; and (3) the steps the             physical and electronic security measures and had developed business
financial regulators have taken to             continuity plans. However, some organizations still had limitations in one or
ensure that the markets are better
prepared for future disasters.
                                               more of these areas that increased the risk that their operations could be
                                               disrupted by future disasters.

                                               Although the financial regulators have begun efforts to improve the
GAO’s report recommends that the               resiliency of clearance and settlement functions within the financial
SEC Chairman work with industry                markets, they have not fully developed goals, strategies, or sound practices
to                                             to improve the resiliency of trading activities. In addition, the Securities and
•  develop goals and strategies                Exchange Commission’s (SEC) technology and operations risk oversight,
   to resume trading in securities             which is increasingly important, has been hampered by program, staff, and
   markets;                                    resource issues. GAO’s report made recommendations designed to better
•  determine sound business                    prepare the markets to deal with future disasters and to enhance SEC’s
   continuity practices needed to
                                               technology and operations risk oversight capabilities.
   meet these goals;
•  identify organizations critical
   to market operations and
   ensure they implement sound
   business continuity practices;
   and
•  test strategies to resume
   trading.

In addition, the report contains
recommendations to improve
SEC’s oversight of information
technology issues.


www.gao.gov/cgi-bin/getrpt?GAO-03-468T.

To view the full report, including the scope
and methodology, click on the link above.
For more information, contact Davi M.
D'Agostino (202) 512-8678 or
dagostinod@gao.gov.
Mr. Chairman and Members of the Subcommittee:

I appreciate the opportunity to appear before you today to discuss GAO’s
work on how key financial market participants and the financial regulators
are working to improve the resiliency of their operations and the financial
markets in the event of future terrorist attacks.

Today, I will present the findings from our report Potential Terrorist
Attacks: Additional Actions Needed to Better Prepare Critical Financial
Market Participants, GAO-03-414 (Washington, D.C.: Feb. 12, 2003).
Specifically, I will discuss (1) how the September 11, 2001, terrorist
attacks affected the financial markets and the actions market participants
and infrastructure providers took to restore trading; (2) the steps taken by
15 stock exchanges, electronic communication networks (ECN), clearing
organizations, and payment systems providers to address physical and
electronic security and business continuity planning since the attacks; and
(3) the steps financial regulators have taken to ensure that the markets are
better prepared for future disasters.

In summary:

The September 11, 2001, terrorist attacks severely disrupted the U.S.
financial markets because of the loss of life, damage to buildings, loss of
telecommunications and power, and restrictions that were placed on
access to the affected area. However, financial market participants were
able to recover relatively quickly from the terrorist attacks, as a result of
market participants’ and infrastructure providers’ heroic efforts and
because the securities exchanges and clearing organizations largely
escaped direct damage. If certain organizations had sustained serious
damage, the markets would probably not have been able to reopen by
September 17, 2001. Market participants and regulators have
acknowledged that the attacks revealed limitations in their business
continuity capabilities and that these limitations would need to be
addressed to improve their ability to recover if such events occurred in the
future. Our review of 15 stock exchanges, ECNs, clearing organizations,
and payments system providers between February and June 2002 showed
that all were taking steps to implement physical and electronic security
measures and had developed business continuity plans. However,
organizations still had limitations in one or more areas that increased the
risk of disruptions to their operations if such disasters occurred in the
future. Although the financial regulators have begun efforts to improve the
resiliency of clearance and settlement functions within the financial
markets, they have not fully developed goals, strategies, or sound

Page 1                                   GAO-03-468T Potential Terrorist Attacks
                       practices to similarly improve the resiliency of trading functions. In
                       addition, the effectiveness of the Securities and Exchange Commission’s
                       (SEC) technology and operations risk oversight efforts—which clearly
                       have increased in importance—have been limited by program, staff, and
                       resource limitations. Some of these issues were also highlighted in a
                       January 2003 report issued by the SEC Inspector General. Our report made
                       recommendations designed to better prepare the markets to deal with
                       future disasters and to enhance SEC’s technology and operations risk
                       oversight capabilities. SEC agreed with the thrust of our
                       recommendations.


                       The September 11, 2001, terrorist attacks had a devastating effect on the
Market Participants    U.S. financial markets with significant loss of life, extensive physical
and Infrastructure     damage, and considerable disruption to the financial district in New York.
                       Damage from the collapse of the World Trade Center buildings caused
Providers Employed     dust and debris to blanket a wide area of lower Manhattan, led to severe
Innovative Solutions   access restrictions to portions of lower Manhattan for days, and destroyed
                       substantial portions of the telecommunications and power infrastructure
to Restore Trading     that served the area. Telecommunications service in lower Manhattan was
                       lost for many customers when debris from the collapse of one the World
                       Trade Center buildings struck a major Verizon central switching office that
                       served approximately 34,000 business and residences. The human impact
                       was especially devastating because about 70 percent of the civilians killed
                       in the attacks worked in the financial services industry, and physical
                       access to the area was severely curtailed through September 13, 2001.
                       Although most stock exchanges and clearing organizations escaped direct
                       damage, the facilities and personnel of several key broker-dealers and
                       other market participants were destroyed or displaced. Market
                       participants and regulators acknowledged that the reopening of the stock
                       and options markets could have been further delayed if any of the
                       exchanges or clearing organizations had sustained serious damage.

                       The stock and options exchanges remained closed as firms, that were
                       displaced by the attacks attempted to reconstruct their operations and
                       reestablish telecommunications with their key customers and other
                       market participants. In the face of enormous obstacles, market
                       participants, infrastructure providers, and the regulators made heroic
                       efforts to restore operations in the markets. Broker-dealers that had their
                       operations disrupted or displaced either relocated their operations to
                       backup facilities or other alternative facilities. These facilities had to be
                       outfitted to accommodate normal trading operations and to have sufficient
                       telecommunications to connect with key customers, clearing and

                       Page 2                                   GAO-03-468T Potential Terrorist Attacks
settlement organizations, and the exchanges and market centers. Some
firms did not have existing backup facilities for their trading operations
and had to create these facilities in the days following the crisis. For
example, one broker-dealer leased a Manhattan hotel to reconstruct its
operations. Firms were not only challenged with reconstructing
connections to their key counterparties but, in some cases, they also had
the additional challenge of connecting with the backup sites of
counterparties that were also displaced by the attacks. The infrastructure
providers also engaged in extraordinary efforts to restore operations. For
example, telecommunications providers ran cables above ground rather
than underground to speed up the restoration of service.

By Friday September 14, 2001, exchange officials had concluded that only
60 percent of normal market trading liquidity had been restored and that it
would not be prudent to trade in such an environment. In addition,
because so many telecommunications circuits had been reestablished,
market participants believed that it would be beneficial to test these
telecommunications circuits prior to reopening the markets. Officials were
concerned that without such testing, the markets could have experienced
operational problems and possibly have to close again, which would have
further shaken investor confidence. The stock and options markets
reopened successfully on Monday, September 17, 2001 and achieved
record trading volumes. Although the government securities markets
reopened within 2 days, activity within those markets was severely
curtailed, as there were serious clearance and settlement difficulties
resulting from disruptions at some of the key participants and at one of the
two banks that clear and settle government securities. Some banks had
important operations in the vicinity of the attacks, but the impact of the
attacks on the banking and payment systems was much less severe.

Regulators also played a key role in restoring market operations. For
example, the Federal Reserve provided over $323 billion in funding to
banks between September 11 and September 14, 2001, to prevent
organizations from defaulting on their obligations and creating a
widespread solvency crisis. SEC also granted regulatory relief to market
participants by extending reporting deadlines and relaxed the rules that
restrict corporations from repurchasing their shares. The Department of
the Treasury also helped to address settlement difficulties in the
government securities markets by conducting a special issuance of 10-year
Treasury notes.




Page 3                                  GAO-03-468T Potential Terrorist Attacks
                        Although financial market participants, regulators, and infrastructure
Attacks Revealed        providers made heroic efforts to restore the functioning of the markets as
Limitations in Market   quickly as they did, the attacks and our review of 15 key financial market
                        organizations—including 7 critical ones—revealed that financial market
Participants’           participants needed to improve their business continuity planning
Preparedness for        capabilities and take other actions to better prepare themselves for
                        potential disasters. At the time of the attacks, some market participants
Wide-scale Disasters,   lacked backup facilities for key aspects of their operations such as trading,
and Some Limitations    while others had backup facilities that were too close to their primary
Remain                  facilities and were thus either inaccessible or also affected by the
                        infrastructure problems in the lower Manhattan area. Some organizations
                        had backup sites that were too small or lacked critical equipment and
                        software. In the midst of the crisis, some organizations also discovered
                        that the arrangements they had made for backup telecommunications
                        service were inadequate. In some cases, firms found that
                        telecommunication lines that they had acquired from different providers
                        had been routed through the same paths or switches and were similarly
                        disabled by the attacks.

                        The 15 stock exchanges, ECNs, clearing organizations, and payment
                        systems we reviewed had implemented various physical and information
                        security measures and business continuity capabilities both before and
                        since the attacks. At the time of our work—February to June 2002—these
                        organizations had taken such steps as installing physical barriers around
                        their facilities to mitigate effects of physical attacks from vehicle-borne
                        explosives and using passwords and firewalls to restrict access to their
                        networks and prevent disruptions from electronic attacks. In addition, all
                        15 of the organizations had developed business continuity plans that had
                        procedures for restoring operations following a disaster; and some
                        organizations had established backup facilities that were located hundreds
                        of miles from their primary operations.

                        Although these organizations have taken steps to reduce the likelihood
                        that their operations would be disrupted by physical or electronic attacks
                        and had also developed plans to recover from such events, we found that
                        some organizations continued to have some limitations that would
                        increase the risk of their operations being impaired by future disasters.
                        This issue is particularly challenging for both market participants and
                        regulators, because addressing security concerns and business continuity
                        capabilities require organizations to assess their overall risk profile and
                        make business decisions based on the trade-offs they are willing to make
                        in conducting their operations. For example, one organization may prefer
                        to invest in excellent physical security, while another may choose to

                        Page 4                                   GAO-03-468T Potential Terrorist Attacks
                       investment less in physical security and more in developing resilient
                       business continuity plans and capabilities.

                       Our review indicated that most of the 15 organizations faced greater risk
                       of operational disruptions because their business continuity plans did not
                       adequately address how they would recover if large portions of their
                       critical staff were incapacitated. Most of the 15 organizations were also at
                       a greater risk of operations disruption from wide-scale disasters, either
                       because they lacked backup facilities or because these facilities were
                       located within a few miles of their primary sites. Few of the organizations
                       had tested their physical security measures, and only about half were
                       testing their information security measures and business continuity plans.


                       Securities and banking regulators have made efforts to examine
Regulators Have        operations risk measures in place at the financial market participants they
Addressed Operations   oversee. SEC has conducted reviews of exchanges, clearing organizations,
                       and ECNs that have generally addressed aspects of these organizations’
Risks but Have Not     physical and information security and business continuity capabilities.
Developed Complete     However, reviews by SEC and the exchanges at broker-dealers generally
                       did not address these areas, although SEC staff said that such risks would
Strategies and         be the subject of future reviews.1 Banking regulators also reported that
Practices to Better    they review such issues in the examinations they conduct at banks.
Assure Recovery of     Regulators also have begun efforts to improve the resiliency of clearing
Trading                and settlement functions for the financial markets. In August 2002, the
                       Federal Reserve, Office of the Comptroller of the Currency, and SEC
                       jointly issued a paper entitled the Draft Interagency White Paper on Sound
                       Practices to Strengthen the Resilience of the U.S. Financial System. 2 This
                       paper sought industry comment on sound business practices to better
                       ensure that clearance and settlement organizations would be able to




                       1
                        In addition to SEC’s oversight, stock and options exchanges act as self-regulatory
                       organizations that oversee their members’ activities.
                       2
                        Board of Governors of the Federal Reserve, Office of the Comptroller of the Currency,
                       Treasury, SEC, Draft Interagency White Paper on Sound Practices to Strengthen the
                       Resilience of the U.S. Financial System (Washington, D.C.: Aug. 30, 2002). The New York
                       State Banking Department issued the same paper separately.



                       Page 5                                           GAO-03-468T Potential Terrorist Attacks
resume operations promptly after a wide-scale regional disaster.3 The
regulators indicated that the sound practices would apply to a limited
number of organizations that perform important clearing functions, as well
as to between 15 and 20 banks and broker-dealers that also perform
clearing functions with sizeable market volumes.

The regulators that developed the white paper appropriately focused on
clearing functions to help ensure that settlement failures do not lead to a
broader financial crisis. However, the paper did not similarly address
restoring critical trading activities in the various financial markets. The
regulators that developed the paper believed that clearing functions were
mostly concentrated in single entities for most markets or in a very few
entities for others and thus posed a greater potential for disruption. In
theory, multiple stock exchanges and other organizations that conduct
trading activities could substitute for each other in the event of a crisis.

Nevertheless, trading on the markets for corporate securities, government
securities, and money market instruments is also vitally important to the
economy; and the United States deserves similar assurance that trading
activities also would be able to resume when appropriate—smoothly and
without excessive delay. The U.S. economy has demonstrated that it can
withstand short periods during which markets are not trading. After some
events occur, having markets closed for some limited time could be
appropriate to allow emergency and medical relief activities, permit
operations to recover, and reduce market overreaction. However, long
delays in reopening the markets could be harmful to the economy. Without
trading, investors lack the ability to accurately value their securities and
cannot adjust their holdings.

The September 11, attacks demonstrated that the ability of markets to
recover could depend on the extent to which market participants have
made sound investments in business continuity capabilities. Without
clearly identifying strategies for recovery, determining the sound practices
needed to implement these strategies, and identifying the organizations
that could conduct trading under these strategies, the risk that markets
may not be able to resume trading in a fair and orderly fashion and
without excessive delays is increased. Goals and strategies for resuming


3
 A wide-scale disruption is defined as one that causes severe disruptions of transportation,
telecommunications, power, or other critical infrastructure components in a metropolitan
or other geographic area and in adjacent communities economically integrated with the
area.



Page 6                                           GAO-03-468T Potential Terrorist Attacks
                   trading activities could be based on likely disaster scenarios and could
                   identify the organizations that are able to conduct trading in the event that
                   other organizations could not recover within a reasonable time. Goals and
                   strategies, along with guidance on business continuity planning practices,
                   and more effective oversight would (1) provide market participants with
                   the information they need to make better decisions about improving their
                   operations, (2) help regulators develop sound criteria for oversight, and
                   (3) assure investors that trading on U.S. markets could resume smoothly
                   and in a timely manner.

                   SEC has begun developing a strategy for resuming stock trading for some
                   exchanges, but the plan is not yet complete. For example, SEC has asked
                   the New York Stock Exchange (NYSE) and NASDAQ to take steps to
                   ensure that their information systems can conduct transactions in the
                   securities that the other organizations normally trade. However, under this
                   strategy NYSE does not plan to trade all NASDAQ securities, and neither
                   exchange has fully tested its own or its members’ abilities to trade the
                   other exchanges’ securities.


                   Given the increased threats demonstrated by the September 11 attacks and
SEC’s Automation   the need to assure that key financial market organizations are following
Review Policy      sound practices, securities and banking regulators’ oversight programs are
                   important mechanisms to assure that U.S. financial markets are resilient.
Program Could Be   SEC oversees the key clearing organizations and exchanges through its
Strengthened       Automation Review Policy (ARP) program. The ARP program—which also
                   may be used to oversee adherence to the white paper’s sound practices—
                   currently faces several limitations. SEC did not implement this ARP
                   program by rule but instead expected exchanges and clearing
                   organizations to comply with various information technology and
                   operations practices voluntarily. However, under a voluntary program,
                   SEC lacks leverage to assure that market participants implement
                   important recommended improvements. While the program has prompted
                   numerous improvements in market participants’ operations, we have
                   previously reported that some organizations did not establish backup
                   facilities or improve their systems’ capacity when the SEC ARP staff had
                   identified these weaknesses. Moreover, ARP staff continue to find
                   significant operational weaknesses at the organizations they oversee.

                   An ARP program that draws its authority from an issued rule could
                   provide SEC additional assurance that exchanges and clearing
                   organizations adhere to important ARP recommendations and any new
                   guidance developed jointly with other regulators. To preserve the

                   Page 7                                   GAO-03-468T Potential Terrorist Attacks
flexibility that SEC staff considers a strength of the current ARP program,
the rule would not have to mandate specific actions but could instead
require that the exchanges and clearing organizations engage in activities
consistent with the ARP policy statements. This would provide SEC staff
with the ability to adjust their expectations for the organizations subject to
ARP, as technology and industry best practices evolve, and provide clear
regulatory authority to require actions as necessary. SEC already requires
ECNs to comply with ARP guidance; and extending the rule to the
exchanges and clearing organizations would place them on similar legal
footing. In an SEC report issued in January 2003, the Inspector General
noted our concern over the voluntary nature of the program.4

Limited resources and challenges in retaining experienced ARP staff also
have affected SEC’s ability to more effectively oversee an increasing
number of organizations and more technically complex market operations.
ARP staff must oversee various industrywide initiatives, such as Year 2000
or decimals pricing, and has also expanded to cover 32 organizations with
more complex technology and communications networks. However, SEC
has problems retaining qualified staff, and market participants have raised
concerns about the experience and expertise of ARP staff. The SEC
Inspector General also found that ARP staff could benefit from increased
training on the operations and systems of the entities overseen by the ARP
program. At current staff levels, SEC staff report being able to conduct
examinations of only about 7 of the 32 organizations subject to the ARP
program each year.5 In addition, the intervals between examinations were
sometimes long. For example, the intervals between the most recent
examinations for seven critical organizations averaged 39 months.6

Having additional staff, including those with technology backgrounds,
could better ensure the effectiveness of the ARP program’s oversight. SEC


4
 SEC Office of Inspector General, Market Contingency Preparedness, Report No. 359,
(Washington, D.C. Jan. 27, 2003).
5
 In addition to examinations, the SEC ARP staff also monitor the organizations subject to
ARP by conducting a risk analysis of each organization each year, reviewing internal and
external audits performed of these organizations’ systems, and receiving notices of systems
changes and systems outages from these organizations.
6
 Standards for federal organizations’ information systems require security reviews to be
performed at least once every 3 years and recommend that reviews of high-risk systems or
those undergoing significant systems modifications be done more frequently. See Office of
Management and Budget, Appendix III to OMB Circular A-130: Security of Federal
Automated Information Resources.



Page 8                                          GAO-03-468T Potential Terrorist Attacks
              could conduct more frequent examinations, as envisioned by federal
              information technology standards, and more effectively review complex,
              large-scale technologies at the exchanges, ECNs, and clearing
              organizations. If the ARP program must also begin reviewing the extent to
              which broker-dealers important to clearing and trading in U.S. securities
              markets are adhering to sound business continuity practices, additional
              experienced staff and resources would likely be necessary to prevent
              further erosion in the ability of SEC to oversee all the important
              organizations under its authority. The increased appropriations authorized
              in the Sarbanes-Oxley Act, if received, would present SEC a clear
              opportunity to enhance its technology oversight, including the ARP
              program, without affecting other important initiatives.


              Our work at the 15 organizations we reviewed showed that all of these
Conclusions   organizations were taking steps to address physical and electronic security
              at their facilities and information systems and had business continuity
              plans to address potential disruptions in their operations, although the
              extent to which these organizations addressed these issues varied. We
              recognize that, in addressing these issues, organizations may have to make
              trade-offs based on their overall risk profile and other business factors.

              However, we recommend in our report that SEC take a leadership role and
              work with market participants to develop goals and strategies to ensure
              that U.S. markets will be able to resume trading activities after future
              disasters smoothly and in a timely manner as appropriate.7 Comprehensive
              and viable resumption strategies would also require SEC and market
              participants to identify sound business practices for the organizations that
              might be called upon to conduct trading after a disaster if others were
              unavailable. Our report also recommends that these strategies be tested. In
              addition, SEC has an important oversight role in ensuring that market
              participants implement sound practices and the improvements to the ARP
              program that our report recommends should also help ensure that SEC’s
              oversight is as effective as possible.

              Mr. Chairman, this completes my prepared statement. I would be happy to
              respond to any questions you or other members of the Subcommittee may
              have at this time.



              7
               Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical
              Financial Market Participants, GAO-03-414, (Washington, D.C., Feb. 12, 2003).



(250127)
              Page 9                                          GAO-03-468T Potential Terrorist Attacks