[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





                            PROTECTING OUR
                       FINANCIAL INFRASTRUCTURE:
                       PREPARATION AND VIGILANCE

=======================================================================

                                HEARING

                               BEFORE THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 8, 2004

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 108-108


                    U.S. GOVERNMENT PRINTING OFFICE
97-449                      WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001


                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    MICHAEL G. OXLEY, Ohio, Chairman

JAMES A. LEACH, Iowa                 BARNEY FRANK, Massachusetts
RICHARD H. BAKER, Louisiana          PAUL E. KANJORSKI, Pennsylvania
SPENCER BACHUS, Alabama              MAXINE WATERS, California
MICHAEL N. CASTLE, Delaware          CAROLYN B. MALONEY, New York
PETER T. KING, New York              LUIS V. GUTIERREZ, Illinois
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             MELVIN L. WATT, North Carolina
ROBERT W. NEY, Ohio                  GARY L. ACKERMAN, New York
SUE W. KELLY, New York, Vice Chair   DARLENE HOOLEY, Oregon
RON PAUL, Texas                      JULIA CARSON, Indiana
PAUL E. GILLMOR, Ohio                BRAD SHERMAN, California
JIM RYUN, Kansas                     GREGORY W. MEEKS, New York
STEVEN C. LaTOURETTE, Ohio           BARBARA LEE, California
DONALD A. MANZULLO, Illinois         JAY INSLEE, Washington
WALTER B. JONES, Jr., North          DENNIS MOORE, Kansas
    Carolina                         MICHAEL E. CAPUANO, Massachusetts
DOUG OSE, California                 HAROLD E. FORD, Jr., Tennessee
JUDY BIGGERT, Illinois               RUBEN HINOJOSA, Texas
MARK GREEN, Wisconsin                KEN LUCAS, Kentucky
PATRICK J. TOOMEY, Pennsylvania      JOSEPH CROWLEY, New York
CHRISTOPHER SHAYS, Connecticut       WM. LACY CLAY, Missouri
JOHN B. SHADEGG, Arizona             STEVE ISRAEL, New York
VITO FOSSELLA, New York              MIKE ROSS, Arkansas
GARY G. MILLER, California           CAROLYN McCARTHY, New York
MELISSA A. HART, Pennsylvania        JOE BACA, California
SHELLEY MOORE CAPITO, West Virginia  JIM MATHESON, Utah
PATRICK J. TIBERI, Ohio              STEPHEN F. LYNCH, Massachusetts
MARK R. KENNEDY, Minnesota           BRAD MILLER, North Carolina
TOM FEENEY, Florida                  RAHM EMANUEL, Illinois
JEB HENSARLING, Texas                DAVID SCOTT, Georgia
SCOTT GARRETT, New Jersey            ARTUR DAVIS, Alabama
TIM MURPHY, Pennsylvania             CHRIS BELL, Texas
GINNY BROWN-WAITE, Florida            
J. GRESHAM BARRETT, South Carolina   BERNARD SANDERS, Vermont
KATHERINE HARRIS, Florida
RICK RENZI, Arizona

                 Robert U. Foster, III, Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    September 8, 2004............................................     1
Appendix:
    September 8, 2004............................................    47

                               WITNESSES
                      Wednesday, September 8, 2004

Abernathy, Hon. Wayne, Assistant Secretary for Financial 
  Institutions, Department of Treasury...........................    10
Britz, Robert G., President and Co-Chief Operating Officer, New 
  York Stock Exchange, Inc.......................................    29
Dolloff, Wilton, Executive Vice President, Operations and 
  Technology, Huntington Bancshares Incorporated, on behalf of 
  Bits and The Financial Services Roundtable.....................    34
Gaer, Samuel, Chief Information Officer, NY Mercantile Exchange..    36
Liscouski, Robert, Assistant Secretary, Information Analysis and 
  Infrastructure Protection, Department of Homeland Security.....    11
Mohr, John, Executive Vice President, The Clearing House 
  Association L.L.C..............................................    32
Olson, Hon. Mark W., Member, Board of Governors, Federal Reserve 
  System.........................................................     8
Tishuk, Brian S., Executive Director, ChicagoFIRST...............    38

                                APPENDIX

Prepared statements:
    Oxley, Hon. Michael G........................................    48
    Bachus, Hon. Spencer.........................................    50
    Emanuel, Hon. Rahm...........................................    52
    Gillmor, Hon. Paul E.........................................    53
    Hinojosa, Hon. Ruben.........................................    55
    Kelly, Hon. Sue W............................................    57
    Abernathy, Hon. Wayne........................................    59
    Britz, Robert G..............................................    65
    Dolloff, Wilton..............................................    86
    Gaer, Samuel.................................................   101
    Liscouski, Robert............................................   109
    Mohr, John...................................................   116
    Olson, Hon. Mark W...........................................   125
    Tishuk, Brian S..............................................   136

              Additional Material Submitted for the Record

Britz, Robert G.:
    Written response to questions from Hon. Ruben Hinojosa.......   151
Olson, Hon. Mark W.:
    Written response to questions from Hon. Spencer Bachus.......   152
    Written response to questions from Hon. Ruben Hinojosa.......   155
Tishuk, Brian S.:
    Written response to questions from Hon. Ruben Hinojosa.......   158

 
                             PROTECTING OUR
                       FINANCIAL INFRASTRUCTURE:
                       PREPARATION AND VIGILANCE

                              ----------                              


                      Wednesday, September 8, 2004

             U.S. House of Representatives,
                   Committee on Financial Services,
                                                   Washington, D.C.
    The committee met, pursuant to call, at 10:07 a.m., in Room 
2128, Rayburn House Office Building, Hon. Michael Oxley 
[chairman of the committee] presiding.
    Present: Representatives Leach, Bachus, Kelly, Biggert, 
Miller of California, Capito, Tiberi, Brown-Waite, Frank, 
Maloney, Gutierrez, Ackerman, Sherman, Lee, Inslee, Hinojosa, 
Lucas of Kentucky, Matheson, Miller of North Carolina, Emanuel, 
Scott, and Bell.
    Mrs. Kelly. [Presiding.] This hearing of the committee will 
come to order.
    This morning the committee convenes to continue its ongoing 
oversight of preparedness incident recovery and critical 
infrastructure protection issues. I thank Chairman Oxley for 
holding this hearing.
    At the heart of critical infrastructure is the safety and 
soundness of the financial services sector which drives every 
aspect of our economy. Earlier this Congress, the Oversight and 
Investigations Subcommittee held a hearing to examine the state 
of readiness of the financial services sector and the critical 
infrastructure that allows it to serve our country. In that 
hearing, the subcommittee learned about many promising steps 
that have been taken by our financial caretakers, as well as 
the constant assessment and improvements that still must be 
performed.
    Over the last several years, our country has experienced 
many extraordinary events that have threatened the safety of 
the American people and of our financial system, from the 
horrific attacks of September 11, 2001 to the blackouts and 
hurricanes, but fortunately our markets have experienced 
remarkably quick recoveries, illustrating the tremendous 
resiliency of the financial system and the U.S. economy.
    As a result of these events, it is apparent that the 
technology age we live in, which allows us to provide services 
and access information in a heartbeat, is both a boon and one 
of our greatest vulnerabilities. It is imperative that we 
continually revise our efforts to protect data systems and the 
infrastructure that allow them to operate, which are ever more 
entwined and dependent on one another.
    Today, this review could not be any more timely. Last 
month, Department of Homeland Security Secretary Tom Ridge 
issued a warning of possible al Qaeda terrorist attacks to our 
financial institutions, including the Prudential Financial, the 
Citigroup Center Building, and the New York Stock Exchange, as 
well as the International Monetary Fund and World Bank 
buildings. The committee is very interested in the steps that 
have been taken to protect our financial infrastructure since 
the threat level was elevated to code orange for the financial 
services sector in New York City, Northern New Jersey and here 
in Washington, D.C.
    As terrorists continue to target our economy and financial 
institutions, we must ensure our financial infrastructure is 
strong enough to withstand diverse types of attacks. We must 
ensure that all our systems, whether financial, energy, 
transportation or telecommunications, are able to operate under 
extraordinary circumstances.
    The committee is pleased to have with us this morning 
Federal Reserve Board Chairman Mark Olson, who has been a 
leader in these efforts in his role at the Fed. We also welcome 
the Assistant Secretary for Financial Institutions at the 
Treasury Department, Wayne Abernathy, who also serves as the 
department's sector coordinator for critical infrastructure 
protection. And joining us is the Assistant Secretary of 
Homeland Security for Infrastructure Robert Liscouski, who is 
responsible for the department's efforts to identify our 
critical infrastructures and propose protective measures to 
keep them safe from terrorist attacks.
    Keeping our financial systems functioning and safe requires 
a high degree of coordination between many different and 
important parties, both public and private. The committee is 
also pleased to have with us witnesses on our second panel who 
are leaders in protecting critical financial services assets 
from major disasters, including several individuals from the 
great State of New York. These witnesses, along with others in 
the private sector and the government who could not be 
represented here today, are working in the field every day to 
protect our financial systems.
    The committee thanks all of our witnesses today for your 
appearance, and we look forward to your testimony. Together, we 
hope that we can ensure that our financial systems are 
functioning smoothly under all circumstances and the American 
people should have full confidence in the financial services 
sector.
    [The prepared statement of Hon. Sue W. Kelly can be found 
on page 57 in the appendix.]
    Mrs. Kelly. I would like to now recognize my colleague, Ms. 
Maloney.
    Mrs. Maloney. Thank you very much. I join you in thanking 
Chairman Oxley and Ranking Member Frank and my colleague from 
the great State of New York for chairing this meeting. I 
welcome all of our witnesses, who include a number of 
organizations that I am privileged to represent. Some of them 
are my constituents.
    In New York City, the heart of the nation's financial 
infrastructure, we can vividly remember what it was like to 
have that infrastructure damaged by terrorist attack just 3 
years ago. We know very well the extraordinary lengths that 
many of New York's fine institutions, some of which are 
represented here today, went to ensure that the financial 
markets functioned as soon as possible to protect not only the 
U.S. economy, but that of the world from irreversible harm. I 
do not think any of us will forget the anticipation, the 
anxiety before the big boards opened up again and were there to 
serve the people. These terrible events demonstrated clearly 
that the protection of our financial infrastructure is 
essential to the nation's financial system. Unfortunately, they 
also demonstrated that we were ill-prepared for an attack on 
it.
    So my fundamental question today, to each of the private 
sector witnesses represented today, is what would happen 
differently today. My even more basic question to Treasury, the 
Fed and Homeland Security is who would be in charge of the 
government response. I would like to hear that there is an 
established, tested and proven system of coordination and a 
clear line of authority and accountability so that decisions 
can be made in a prompt and informed manner, but I am not sure 
that that is the case.
    We have several new committees, the Financial and Banking 
Information Infrastructure Committee, the Financial Service 
Sector Coordinating Council, and the Financial Services 
Information-Sharing and Analysis Center. But how exactly do 
they work in practice? Who makes the final call? Who staffs 
these committees? And who is responsible for carrying out their 
decisions?
    I would like to hear how our response system held up last 
month when the terror level was raised for financial 
institutions in New York City and elsewhere. I would also like 
to hear how that system is working now to ensure a speedy and 
sufficient response to the danger posed by Hurricane Frances to 
the financial institutions in its path. We, this committee, 
know the government is capable of a sustained and coherent 
response to threats to the financial infrastructure.
    As those of us who have served on this committee know, we 
were prepared for the Y2K threat. There were many hearings, the 
government response, and many oversight hearings. But as the 9/
11 Commission reports, that effort relaxed after the millennium 
passed and the government was not well coordinated nor was key 
information properly shared among various agencies or with the 
private sector in the months leading up to September 11.
    One year after September 11, this committee asked the 
General Accounting Office to report on what additional steps 
had been taken to protect the financial infrastructure since 
that catastrophe. The GAO report, which was the last government 
report issued on this subject in February of 2003, gave 
regulators and firms a mixed assessment, criticizing them for 
having focused on clearing and settlement activity, to the 
exclusion of trading and retail firms.
    Our Oversight Committee reviewed the ground again in 
October of 2003 in the context of the August 2003 blackout, and 
we had the pleasure of hearing from many of our panelists 
today. As a New Yorker, I am proud of the way in which the 
public and private financial sectors of my city worked together 
to respond to these two tremendous disasters and are continuing 
to work with the federal government.
    Such efforts demonstrate that our cities are prepared to 
protect their financial industry and that the calls some have 
made for financial institutions to create backup locations 
hundreds of miles away from an urban area are totally 
misguided. They can have them in a different area of the urban 
area. Congress and the federal government should support the 
hubs of our nation's finance by providing additional homeland 
security funding to them and by assisting them in identifying 
and protecting the critical elements of our financial 
infrastructure that they possess.
    So as we sit here today, we have recent reminders of how 
crucial it is constantly to review and refine the safeguards of 
our financial infrastructure. I look forward to hearing from 
our witnesses what they have done to protect the physical body 
of the nation's financial system from harm, and what we can do 
to be of assistance in that effort.
    I thank all the panelists for being here and yield back my 
balance.
    Mrs. Kelly. Thank you very much.
    Mr. Bachus?
    Mr. Bachus. I thank the Chairman.
    I would say in response to what Ms. Maloney said, that of 
course the structure for responding to a terrorist attack 
actually was established back in 1998 by Presidential Decision 
Directive 63, signed by President Clinton. Then it was refined 
by Executive Order by President Bush right after 9/11. I think 
that the experience that we had on 9/11, that experience was 
that our financial markets are very resilient and that we were 
in fact prepared for something which is almost impossible to be 
prepared for, something we never faced before. But the 
financial markets functioned very well, and showed a great 
amount of resilience.
    Despite the infrastructure damage to the World Trade towers 
and actually the physical loss of the facilities, the market 
operations recovered very quickly. I think we are all amazed at 
how quickly they responded. I think that is very good news. The 
GAO did make certain recommendations, but again a lot of what 
you all focused on was because really you were directed to 
focus on those things. I think all in all, clearing and 
settlement, if you do not focus on those things, you have a 
real problem. As far as retail firms and trading organizations, 
I think since the last year and a half, and we are going to 
hear from our second panel, you have done a great deal to focus 
on that. I know the latest threat is what the two speakers 
before are focused on, was actually car bombs or a bomb which 
would take out some physical structure.
    But you are actually, our first panel, you are the 
designated people under the presidential directives to be in 
charge, and the designated agency for our financial 
institutions is the Treasury Department, working with other 
organizations. So I think the underlying message ought to be 
that financial institutions, our financial markets performed 
very well under a tremendous attack. The market did not 
recover, but that was a result of just market factors and 
facing a new threat, and the facts of uncertainty in the world, 
not anything to do actually with the inability of the markets 
to operate.
    I would also say, and I am sure that there will be a 
question addressing this, there are certain things that you 
have asked us to do, and one of them is the netting provisions, 
which in the Congress, we passed it out of the House, but the 
Senate has never taken it up. You have identified that as one 
of your top priorities in case of another financial attack. So 
this Congress really has failed to do some of the things that 
you have said are most important.
    So with that, I end my comments, but I applaud the 
administration for everything they have done.
    [The prepared statement of Hon. Spencer Bachus can be found 
on page 50 in the appendix.]
    Mrs. Kelly. Thank you very much.
    Mr. Hinojosa?
    Mr. Hinojosa. Thank you, Chairwoman Kelly.
    I want to thank you and Ranking Member Frank for holding 
this very important hearing today.
    The United States needs to remain prepared for any and all 
terrorist attacks following the horror that we endured on 9/11. 
We need to remain vigilant to ensure that similar attacks never 
happen again on U.S. soil.
    As I noted during the committee's hearing on the 9/11 
Commission report during the August recess, we here in the 
United States need to focus on increasing the security of our 
own documentation such as driver's licenses, passports, and 
visas in order to prevent such terrorists from entering the 
United States again. The 9/11 Commission Vice Chairman Lee 
Hamilton agreed that we need to increase the security of our 
own documentation and such measures should include requiring 
biometric information and security features such as 
fingerprints, digitized photos, holograms and serial numbers on 
these types of documents, and increasing the technology with 
which financial institutions can verify IDs.
    Prior to 9/11, the United States consulate that required 
biometric information from individuals seeking entry into the 
United States was the U.S. consulate in Mexico. Such biometric 
data and more is now included as part of the 12 security 
features Mexico added to the matricula consular ID card in 
2002. As the Washington Times noted some time ago, the updated 
matricula consular ID card is more secure than many of our U.S. 
documents. Perhaps we should emulate the security features 
incorporated into the card as we create a new, more secure 
system of documentation in the United States.
    The U.S. was very lucky that the 9/11 terrorist attacks did 
not completely halt the free flow of the U.S. capital markets 
for very long. Granted, the New York Stock Exchange and others 
closed down for a short time, and certain Federal Reserve Bank 
airplanes were unable to fly for a time due to the flight 
restrictions following the terrorist attacks. These Federal 
Reserve flights are an integral part of the payment 
clearinghouse system in the United States. Nonetheless, I was 
very impressed by the ability of the New York Stock Exchange to 
adapt quickly to the terrorist situation and to accommodate the 
trades of so many exchanges on its own system in the days 
following 9/11.
    I ask that the balance of my opening statement be included, 
Madam Chair.
    [The prepared statement of Hon. Ruben Hinojosa can be found 
on page 55 in the appendix.]
    Mrs. Kelly. Of course. We would be glad to include the 
opening statement of anyone of the members of this committee, 
and it is so moved.
    Mr. Leach, have you an opening statement?
    Mr. Leach. Just briefly. Just very briefly let me mention a 
couple of things by perspective. As everybody in banking knows, 
a century ago a famous bank robber once commented that, why do 
you rob banks? You do it because that is where the money is. 
But the interesting aspect about the modern financial system is 
that financial institutions and trading institutions are not 
where the money is. It is simply where assets are traded and 
kept track of. Great violence applied to a bank; great violence 
applied to a trading institution in one sense does not destroy 
a lot of assets. It destroys to some degree or disrupts 
tracking mechanisms, but if there is good redundancy, the 
system itself can be not harmed gravely. So redundancy is 
really the issue.
    Secondly, I think that we ought to beware that even though 
it is true that Congress has really been slacking in its 
discipline in not putting forth a netting bill, which is a very 
important bill and one which I have long advocated, and it is 
not done largely because we have problems that related to 
inter-institutional committees of jurisdiction, but hopefully 
it will happen this year. But the big issue is, what happens if 
there is a calamity? Here, the great aspect of perspective is 
that we have had for many decades authorized an institution of 
the United States Government, the Federal Reserve, to liquefy 
any calamity anywhere in the world, but particularly in the 
United States. So if something awful were to happen to a 
financial institution, the Fed is there to make sure the system 
can be sustaining.
    I only say this because acts against the financial 
community are acts of barbarism, but they are not acts that 
bring down the American system. They are simply acts of 
barbarism. Everybody in the private and public sector has to be 
very concerned that we get any system that goes down, up and 
running again, but that can happen. The American system will 
not be affected as a country. It will simply be a disruption. 
That is the way we have to work at it because we cannot 
perfectly protect anybody and anything.
    Let me just in conclusion say, because I tried to discount 
the importance of the netting bill, let me raise its importance 
again. It is really irresponsible that Congress has not acted 
yet to put forth a bill that settles derivatives-type trading 
instruments on an orderly basis instantaneously. We are 
obligated to do that and I am hopeful that that will happen 
this fall.
    Thank you, Madam Chairman.
    Mrs. Kelly. We turn now to Mr. Gutierrez.
    Mr. Gutierrez. Good morning and thank you, Madam Chairman, 
for calling this hearing on protecting our nation's financial 
infrastructure. I am particularly pleased that we will be 
hearing from Brian Tishuk of ChicagoFIRST, an organization 
composed of Chicago's primary financial institutions that was 
formed to address these various issues.
    ChicagoFIRST is an excellent example of a public-private 
partnership that should serve as a model for other regions. We 
will be hearing in detail about the formation of the 
organization, which was not an easy task. We will also hear 
about their recent tabletop exercise which tested the 
partnership's ability to function under the threat of a 
terrorist attack. At the appropriate time, I will be asking the 
Department of Homeland Security about certain matters in the 
written testimony, specifically the fact that ChicagoFIRST has 
discussed with DHS its interest in hardening Chicago in general 
and the financial district specifically.
    As part of that, ChicagoFIRST has recommended funding for 
certain equipment being sought by both the City of Chicago and 
ChicagoFIRST; the placement of a DHS center in Chicago; and has 
asked for DHS's help in procuring security clearances for 
certain financial representatives so that they can participate 
more actively in the protection of the city's financial 
infrastructure. These recommendations and requests have 
apparently gone unheeded and no answers have been forthcoming 
from Homeland Security to ChicagoFIRST. I will be asking DHS, 
though it has been helpful to ChicagoFIRST, if it could take 
more of an initiative to reaching out to financial centers 
other than Chicago to promote regional partnerships.
    I wish to thank my colleague, Congressman Emanuel, for his 
request that ChicagoFIRST testify before us, and I look forward 
to the testimony, as well as the testimony of the other 
witnesses.
    Thank you, Madam Chairman.
    Mrs. Kelly. Thank you very much, Mr. Gutierrez.
    Mr. Scott.
    Mr. Scott. Thank you very much, Chairlady.
    This is a very timely hearing, and I, like many people 
across this nation, am quite worried about another possible 
attack. I certainly want to thank Chairman Oxley and Ranking 
Member Frank, Ms. Kelly, for holding these hearings today.
    The recent warnings of attacks on financial services 
targets caused no disruption to financial activity. However, 
concrete Jersey barriers have multiplied around New York and 
Washington. While these temporary barriers provide some 
cosmetic protections against potential terrorist attacks such 
as car bombs, what about suicide bombers who could very well 
just be walking Wall Street or any of the streets in the area 
or any of the streets in Washington, D.C., and get very close 
to us, as we have seen from other places around the world?
    To be prepared, to be vigilant, we need to know concretely, 
what is the role of our Federal Reserve? What is the role of 
our Treasury Department? How are their roles coordinated with 
our basic intelligence agencies of the CIA, the FBI and the 
Defense and State Departments's intelligence agencies, of what 
is happening around the world in other financial capitals? I 
would be very interested to hear your response in terms of our 
reshuffling the deck on our intelligence operations to see if 
our financial services industry's intelligence apparatus will 
work better under a new general authority of an intelligence 
czar.
    I think further also we have to work to prevent attacks by 
monitoring and by detecting terrorists. Let us take a look at 
certain organized crime groups that work concretely with 
terrorist organizations. I think also that we are going to have 
to look at other areas, our computer systems, our 
telecommunications networks, our electrical power grids, our 
transportation systems, how all of those work. Also, terrorist 
organizations may be targeting cities other than New York and 
Washington, D.C. And maybe they may be even more likely 
targets, regional financial centers like Atlanta, Chicago, San 
Francisco, and Houston.
    It is important that the financial infrastructure include 
regional plans to address these threats. For example, federal 
agents recently arrested a man from Pakistan who was 
videotaping buildings in several southern cities, including my 
own city of Atlanta. And other regional threats, that would be 
power failures, natural disasters.
    Certainly, as Congress reviews the financial services 
industry's readiness to respond to attacks, we must also work 
to ensure that any attacks do not cause long-term damage on 
creditworthiness of innocent consumers. And then finally 
looking at the world, and the impact of how, for example, a 
terrorist attack on a financial center such as Tokyo or Paris 
would have on our financial system, this particularly in view 
of the fact that we are the world's leading financial center.
    These and many other questions I look forward to examining. 
I think this is a very important hearing this morning, and I 
look forward to each of your testimonies.
    Thank you, Madam Chair.
    Mrs. Kelly. Thank you, Mr. Scott.
    Without objection, all members' opening statements will be 
made part of the record.
    We turn now to our first panel. We have three witnesses on 
our first panel: The Honorable Mark W. Olson, member of the 
Board of Governors, Federal Reserve. We have the Honorable 
Wayne Abernathy, Assistant Secretary of the Treasury for 
Financial Institutions, Department of Treasury. And we have the 
Honorable Robert Liscouski, Assistant Secretary of Homeland 
Security for Infrastructure Protection.
    Without objection, your written statements will be made 
part of the record. You will each be recognized for a 5-minute 
summary of your testimony. I am sure that all of you have 
testified in front of these committees before, so I do not need 
to explain the lighting system.
    Mr. Olson, let us begin with you.

 STATEMENT OF HON. MARK W. OLSON, MEMBER, BOARD OF GOVERNORS, 
                     FEDERAL RESERVE SYSTEM

    Mr. Olson. Thank you very much, Chairwoman Kelly. We thank 
you, Ranking Member Frank, Chairman Oxley and members of the 
committee for holding this hearing. I agree with all of the 
members who have acknowledged that this is an important subject 
and a very timely subject.
    A number of questions have come up. I would be happy to 
address them as the questioning goes around, but let me just 
open by talking about three specific points that I would like 
to highlight. First, many of you started your opening remarks 
by talking about the efforts of 9/11. Of course, that was what 
constituted the start of a new era for us in terms of our 
recognition of both the exposure to terrorism activities and 
other threats to the financial services system.
    The Federal Reserve, of course, responded that day by 
providing, among other things, $100 billion of liquidity into 
the financial services system, as Congressman Leach alluded to 
in his opening remarks. I think that the resilience of the 
system at that point was demonstrated by a number of facts. 
Number one, the fact that the Fed over the course of a 5-day, 
in fact even a several-week period, responded in a different 
way providing either liquidity or overdraft protection or 
responding to changing needs as a result of the excesses of 
float that were building up in some parts of the system.
    We also initiated the swap lines for currencies with other 
central banks, indicating the cooperation internationally that 
we have been able to achieve and had achieved up to that point. 
Beyond that point, the Fed then began to look at its own 
resiliency. We initiated 40 different efforts to test our own 
ability to provide financial services, the redundancy necessary 
to provide the financial services, and the ability to sustain 
operations over a period of time.
    I would point out that on 9/11, the Federal Reserve Bank of 
New York did not close; that last weekend with the hurricane in 
Miami, the Miami Fed and Jacksonville Fed did not close. So we 
have a very strong track record of being able to meet those 
needs.
    Beyond our own efforts, of course, an interagency team 
produced a white paper involving the Fed, the Comptroller of 
the Currency, and the SEC, where we identified the requirements 
of the critical financial institutions in order to meet 
clearing and settlement responsibilities on an ongoing basis, 
and in order to meet the critical functions of the financial 
services network. For each of the institutions that have been 
identified, a target deadline has been set to achieve the level 
of readiness which is anticipated either in 2005 or 2006, 
depending on their starting points.
    Additionally, and this is the point that a number of you 
alluded to, there is a heightened level of cooperation among 
the federal agencies and within the private sector. The 
Treasury Department has been designated as the lead as sector 
liaison, and we have been happy to work with them. I think the 
resilience of it and the importance of it was brought out in 
response to the elevation to code orange under the direction of 
Homeland Security. In our judgment, that worked very well and 
we achieved a state of readiness very rapidly after the 
information was made available.
    Indeed, Congresswoman and members of the committee, we feel 
that the financial institutions sector has progressed in a very 
significant way over the course of the past several years, 
particularly the last 3 years, and it continues to improve. It 
is a moving target, as we learn more about the potential 
threat. As Congressman Scott suggested, we need to adjust as 
new information is produced, and we have done so.
    I would be happy to answer questions when my time comes.
    [The prepared statement of Hon. Mark W. Olson can be found 
on page 125 in the appendix.]
    Mrs. Kelly. Thank you very much, Mr. Olson.
    Mr. Abernathy.

  STATEMENT OF HON. WAYNE ABERNATHY, ASSISTANT SECRETARY FOR 
      FINANCIAL INSTITUTIONS, U.S. DEPARTMENT OF TREASURY

    Mr. Abernathy. Chairwoman Kelly, Ranking Member Frank, 
members of the committee, I am pleased to tell you that the 
financial services sector is in a state of advanced readiness 
and preparation, and that it handled well the recent 
information about terrorist targeting of specific institutions. 
Customers were able to continue business as usual. While there 
was concern, there was no crisis. There was no panic, but 
rather activation of planned steps to mitigate exposure to 
risks. I applaud our intelligence and law enforcement agencies 
for obtaining this vital information and promptly sharing it 
with the affected institutions.
    President Bush has led the development and implementation 
of an effective program to defend our country against 
terrorism. Protection of our financial infrastructure is a key 
element of that program and much valuable work has already been 
done. That is because we have long known in general what recent 
information has reaffirmed with specificity, that our financial 
institutions are being targeted by our enemies. They are under 
assault every day. Most of these assaults are in the nature of 
electronic or cyber attacks such as computer viruses, trojans, 
worms and various forms of financial fraud, including fishing 
and spoofing. These assaults have progressed from computer 
hackers and pranksters into theft, and now we believe on to 
schemes to disrupt organizations and operations.
    Some of these attacks have their sources in organized 
crime. Increasingly, still more sinister actors are involved. I 
do not say this to be alarmist, but rather to make the point 
that our financial institutions have for some time now been 
operating in a dangerous environment, and they are becoming 
increasingly adept at doing so successfully. This success is a 
result of careful organization and hard work by the private 
sector and government agencies at all levels.
    The organized government effort today is based upon a 
directive from President Bush, Homeland Security Presidential 
Directive 7. This is a flexible, coordinated program that works 
well in marshaling resources and activities. HSPD-7 places upon 
the Department of Homeland Security the central responsibility 
for coordinating the overall national program. The directive 
relies upon specific agencies to take the immediate lead, 
ensuring that critical protection efforts will be led by 
departments that have the expertise and experience. Treasury is 
the lead agency for the banking and finance sector.
    Nearly all of the financial infrastructure is owned by the 
private sector. We work closely with the private sector through 
reliance upon several organizations. Chief among these is the 
Financial Services Sector Coordinating Council or FSSCC, the 
chairman of which is appointed by the Treasury secretary. The 
current chairman is Don Donahue, a senior officer of the 
Depository Trust & Clearing Corporation in New York City. The 
FSSCC is made up of entities and trade associations 
representing virtually every financial institution in the 
nation.
    Alongside the FSSCC is the Financial Services Information-
Sharing and Analysis Center, or FS-ISAC, the chief 
communications system for the sector on a wide variety of 
threats and challenges. Last year, Treasury devoted $2 million 
to develop and implement a plan for broadening the reach of the 
FS-ISAC. In the last couple of weeks, Federal Housing Finance 
Board Chairman Alicia Castaneda and I sent a joint letter to 
each of the federal home loan banks encouraging them to join 
the FS-ISAC. We continue to encourage all financial 
institutions to sign up.
    Under the sponsorship of the President's Working Group on 
Financial Markets, and chaired by the Treasury, the Financial 
and Banking Information Infrastructure Committee, or FBIIC, 
brings together representatives of all of the federal and state 
financial regulators. A cardinal rule of the FBIIC and the key 
to its success and achievement over the last several years is 
the principle of responsibility. The FBIIC does not try to take 
over the responsibility or interfere in the work of any agency. 
What the FBIIC provides is a means of coordinating efforts, 
sharing best practices, pooling talents and resources, 
facilitating communication, encouraging wherever possible and 
cajoling where necessary.
    While terrorist threats themselves are bad news, I see much 
good news in our latest experience. Our antiterrorism efforts 
are bearing fruit, providing valuable information that is being 
applied and acted upon appropriately by the financial sector 
just as soon as it is made available, without disruption or 
degradation of services. The success of the collective actions 
of the federal, state and local governments and the 
preparedness and response of the private sector are 
progressively denying terrorists their objective, their goal of 
disrupting our free markets. Freedom and free markets are the 
targets of the terrorists, and we are showing that we can 
harness the power of free people and free institutions to 
defeat the terrorists.
    So in conclusion, there is much work yet to do, but 
tremendous work has already been done. Our markets are deeper, 
more resilient than ever before, and they are becoming more so 
every day.
    Thank you.
    [The prepared statement of Hon. Wayne Abernathy can be 
found on page 59 in the appendix.]
    Mrs. Kelly. Thank you, Mr. Abernathy.
    Mr. Liscouski.

STATEMENT OF ROBERT LISCOUSKI, ASSISTANT SECRETARY, INFORMATION 
ANALYSIS AND INFRASTRUCTURE PROTECTION, DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Liscouski. Good morning and thank you, Chairwoman Kelly 
and Ranking Member Frank and distinguished members of the 
committee. It is a pleasure to be before you this morning to 
discuss the protections that we have with the financial 
services sector. I am going to address some of the comments 
specifically in the question-answer period, but I would like to 
give an overview of where we are today in working with the 
Department of Treasury and the Fed.
    The Office of Infrastructure Protection specifically has 
focused on monitoring and assessing threats and vulnerabilities 
to all sectors, including the banking and the financial 
services sector. Before I begin, I would like to recognize the 
efforts of the Department of Treasury and the Fed, and commend 
them for their leadership to organize and take the first steps 
to protect the financial infrastructure prior to September 11.
    Subsequent to the creation of the Department of Homeland 
Security, the Treasury Department and the Fed have been key 
partners with DHS in continuing the execution of our efforts to 
protect our critical infrastructure. In preparation for 
responding to threats and elevated threat levels, my office and 
the directorate for which I work, IAIP, has been building and 
coordinating a two-way exchange of information with the public 
and private sectors. These efforts have also included building 
relationships with the private sector and government entities, 
as well as implementing and integrating technical and 
information-sharing solutions.
    The financial services sector has developed two effective 
mechanisms for two-way information sharing. The Financial 
Services Sector Coordinating Council, the FSSCC, as Assistant 
Secretary Abernathy just described, consists of senior 
representatives of major financial institutions representing a 
cross-section of the financial industry. The second component, 
the Financial Services Information Sharing and Analysis Center, 
the FS-ISAC, provides a mechanism for gathering and analyzing 
and appropriately sanitizing and subsequently disseminating 
information to and from its members and the federal government. 
The FS-ISAC conducts threat intelligence conference calls 
periodically at the unclassified level for subscriber members. 
With IAIP providing input, these calls cover physical and 
cyber-threats and vulnerabilities and incidents that have 
recently occurred. It includes suggestions and recommended 
proactive actions that can be taken to mitigate the threats.
    Sector coordinating councils and their ISACs maintain and 
provide DHS with distribution lists, which allow them to 
quickly disseminate threat warnings, alerts and advisories to 
members of their sectors. Information provided by the sectors 
is incorporated into the situational awareness picture, 
together along with the intelligence community's information 
and the law enforcement community concerning possible threats 
to the nation's critical infrastructures.
    The sectors are also capable of initiating crisis 
conference calls within an hour of notification via a crisis 
alert. In addition, DHS has established close working 
relationships with the appropriately cleared senior sector 
members such as the financial services sector to provide 
classified information relevant to the threat environment.
    The interconnected and interdependent nature of our 
infrastructure makes our physical and cyber-assets difficult to 
separate and therefore it would be ineffective and inefficient 
to address them in isolation. Consequently, my office 
integrates both the strategy and the tactics necessary for the 
appropriate protection of the cyber, physical and people assets 
in concert. In working with the infrastructure protection 
office of the United States secret service, for example, it 
recently joined forces with the Carnegie-Mellon University 
Software Engineering Institute's CERT Coordination Center, 
CERT/CC, in order to conduct an analysis of the insider threat.
    The insider threat study is a collaborative effort to 
better understand the insider activities affecting information 
systems and data in critical infrastructure sectors, to include 
the banking and finance sector. The insider threat study 
examined incidents involving employees who intentionally 
exceeded or misused an authorized level of system access that 
affected the organization's data, daily business operations, 
systems security, or other areas via computer. The study 
focused on online behaviors and communications in which the 
insiders engaged prior to the incidents.
    On August 24 of this year, the first part of the report was 
released to the public sector. It is referenced as the Insider 
Threat Study Elicits Cyber-Activity in the Banking and Finance 
Sector. This portion of the report focused on individuals who 
have had the access and perpetrated harm using information 
systems in the banking and finance sector, which includes 
credit unions, banks, investment firms, credit bureaus, and the 
financial institutions. The findings highlighted in this area 
of the report are of great benefit to the financial sector and 
provided concrete examples of how insiders accomplish their 
activities and offered suggestions on what security and policy 
procedures might deter or prevent future activity.
    I would like to discuss now the latest series of threats 
against U.S. financial institutions spurred by ongoing concerns 
over al Qaeda's interest in targeting U.S. critical 
infrastructure, as well as recent intelligence revelations of 
detailed reconnaissance of several U.S. financial institutions. 
The level and specificity of information found was alarming, 
prompting DHS to recommend raising the threat level of orange 
for the financial services sector in New York, Northern New 
Jersey and Washington, D.C. on August 1. This was the first 
time the level had been changed for an individual sector and 
geographic-specific location.
    In response to the heightened threat level, IAIP acted on 
several fronts in coordination with Treasury and Fed to address 
the threat. Conference calls were arranged between DHS, 
industry leaders, chief security officers, state and homeland 
security officials, and local law enforcement officials, and 
with numerous financial institutions. Our relationship and 
communications with the private sector security leadership for 
the affected institutions particularly were key to our overall 
approach on how to effectively manage the threat situation.
    We provided immediate alerts to the financial sector 
regarding the threat and we continued to work with the industry 
to ensure that all targeted financial institutions were 
individually briefed. IAIP coordinated with federal, state and 
local law enforcement entities to ensure that the appropriate 
information was exchanged between government and the private 
sector.
    We also polled the various financial institutions to 
determine what additional protective measures were needed for 
implementation as a result of the heightened alert period. We 
dispatched personnel immediately to the facilities in 
Washington, New York and Northern New Jersey to conduct site-
assist visits, which would evaluate the recommended security 
measures in collaboration with local law enforcement officials 
and asset-owners and operators to ensure that the appropriate 
vulnerabilities were identified and remediation measures were 
taken.
    In addition to the site-assist visits, IAIP personnel have 
been working with the individual facilities and local law 
enforcement to create buffer zones around the most critical 
facilities. These are community-based efforts focused on 
rapidly reducing vulnerabilities outside the fence of an 
institution or facility to select critical infrastructure 
components in key resources. We work closely with the law 
enforcement community and the private sector to ensure that 
these plans and implementation strategies are effective and 
efficient.
    As I have discussed with you today, IAIP has taken many 
actions to secure the financial services sector, in partnership 
with treasury and the Fed, and we have laid a foundation for a 
true partnership with the public and private sector. Based on 
this foundation, with continued dedication we will continue to 
work to protect the nation's critical infrastructure.
    Thank you for the opportunity today and look forward to 
your questions.
    [The prepared statement of Robert Liscouski can be found on 
page 109 in the appendix.]
    Mrs. Kelly. Thank you very much, Mr. Liscouski.
    I would like to ask you about a question you just brought 
up. Mr. Liscouski, you mentioned the Carnegie study, and you 
talked about the insider threat. My first question, does it 
make any difference? You talked earlier about the department 
working with financial institutions and software companies to 
identify vulnerabilities and to design enhanced software 
assurance practices. Does it make any difference if these 
vulnerabilities are international or if they are home-grown?
    Mr. Liscouski. The concern you raise is a valid one, 
particularly because of the way software is deployed throughout 
our critical infrastructure at-large and particularly in the 
banking and finance sector. Let me just preface my remarks by 
saying a holistic security program has to consider all elements 
of security. So it is a physical security approach, cyber as 
well as personnel security. The software assurance practices 
that you are discussing also include insurance that software is 
developed and engineered to the appropriate specs and standards 
and there are quality assurance conducted on software before it 
is shipped out.
    So when we talk about internationally developed software or 
that which is outsourced internationally versus that which is 
developed here in the United States, the first point in 
securing an institution, whether it be a banking institution or 
other critical infrastructure component, is to ensure that the 
appropriate procedures and mechanisms, the people and process 
part of the security approach, is taken.
    We cannot take a slice of that pie and examine it 
independently for its vulnerabilities without examining the 
interdependencies of the entire process. So we alleviate those 
concerns by assuring that best practices are followed within 
institutions, within critical infrastructure components, and 
good policies and procedures and security practices are set up, 
so we can mitigate the potential effects of any software 
vulnerability, irrespective of whether it is internationally 
developed or developed by an international company abroad or 
domestically.
    So the insider threat study looks at ways that those 
exploits could be manifested or can be exploited, and it looks 
at ways that security procedures and processes can be put in 
place to help mitigate that risk.
    Mrs. Kelly. What recommendations did the study make? Have 
you additional recommendations? Would you care to share that 
with the committee?
    Mr. Liscouski. Yes, ma'am. I would refer to the report 
specifically. I apologize for not having a copy in front of me, 
but my recollection of the report, and I can validate this in 
writing to you later, it did not specifically address software 
development in the context of insider threat. It looked more 
from the perspective of the insider threat as a trusted user on 
a system, and therefore someone who potentially could abuse 
their trusted access internally to an organization.
    So in the context of that part of the study, there were a 
variety of recommendations made for procedures and policies 
which would limit a person's access, but yet balancing the need 
for conducting business. So it focused on behavioral aspects of 
insiders that might foretell that there was a problem, as well 
as recommended policies that could help mitigate those threats.
    Mrs. Kelly. Thank you. I want to ask one other question of 
you, sir. What sorts of warning signs should financial 
institutions be looking for in the case of both physical and 
cyber attacks? Are there warning signs out there that these 
institutions should be looking for?
    Mr. Liscouski. Yes, ma'am. I think this past month, in 
August and the end of July when we received the threat 
information is a good indicator or a good example of how those 
warning signs can be manifested. What we learned from the 
casing reports that were exploited from the information we 
received that resulted in the threat warning going up was that 
there is oftentimes detailed surveillance occurring at 
financial institutions and other critical infrastructure 
components which are observable behaviors. And subsequently, as 
we have indicated, these precursors or pre-incident indicators 
of terrorist activity resulting in surveillance, anomalous 
types of activities that can be observed need to be 
communicated.
    So what the lesson from that was that that information was 
shared with the private sector, the banking institutions in 
this case and the financial institutions, to be shared with 
their security personnel, and those folks were in a position to 
observe anomalous behavior and report that back. So the types 
of attacks that we are concerned about in this particular case 
were typically kinetic or bombing types of attacks, those which 
would require a breach of a perimeter and some sort of pre-
operational surveillance to identify the vulnerabilities of a 
particular institution. Those things are all observable, and if 
they are observed and reported, we can get an indication of 
what is occurring pre-incident, just as an example of something 
that was shared.
    Mrs. Kelly. You looked at bombing attacks, did you say, but 
you have also looked at the cyber-threats. So you have looked 
at both sides of what is happening.
    Mr. Liscouski. That is correct. In the context of the 
recent threat, the job of my office is precisely looking at the 
nexus of all threats, irrespective of if they seem to be 
dominated by a physical threat as in this case initially. We 
take a very detailed look at the cyber-environment to see if 
there is any activity that would indicate that a specific 
institution is being targeted as a result of various types of 
probing. So we consider all the threats, either cyber or 
physical or the people aspect of it, in concert when we get 
threat information.
    In this particular case, we had no evidence that there was 
a cyber-threat manifesting itself in the context of this 
particular physical threat.
    Mrs. Kelly. Thank you very much.
    My time is up. We turn now to Ms. Maloney.
    Mrs. Maloney. I would like to ask the Fed, Honorable Mark 
Olson, the white paper you discussed focuses on clearing and 
settlement. Are you planning a companion piece focusing on the 
areas that the GAO noted were left out? They cited trading and 
retail firms.
    Mr. Olson. A number of things have happened since the GAO 
study, or at least concurrent with the GAO study. Primarily 
among those was the release of an FFIEC best practices, that 
focused on those issues. So in addition to the clearing and 
settlement, there has been an internal effort within the 
regulatory agencies focused on the trading platforms and the 
retail platforms.
    Mrs. Maloney. I would like to ask the Homeland Security 
Assistant Secretary, Robert Liscouski, I understand that we 
were lucky in that the targets identified in the recent terror 
alert were not facilities whose destruction would pose a 
systemic risk to our financial structure. Rather, they were 
highly visible targets whose destruction would likely cause a 
large loss of life and have a symbolic value of attacking some 
of the most successful institutions in our financial services.
    As you know, many of those targets are in cities. I would 
like to say that, especially New York City was cited in the 
last terrorist threat. Even worst, I believe, is that the 
facilities whose destruction would pose a systemic risk to our 
financial infrastructure are also largely located in major 
cities like the one I am privileged to represent, New York 
City.
    My question is, how does this square with a formula for 
funding homeland security protections under which, to give one 
example, New York, according to the congressional survey, CRS 
report, ranks number 35? Yet in our area, certainly financial 
infrastructure, both the systemic structures that could cause 
disruption to our services, and certainly the ones that even 
the terrorists cite that are symbolic, are in New York City and 
other large places. So I wonder why this is happening? I 
commissioned a CRS study myself which showed that New York City 
has gotten about 30 cents per person for every dollar, and 
other states have received much, much more.
    So just focusing on the infrastructure of our financial 
services, it seems incredibly unfair that New York City, which 
is cited by terrorists and also cited in intelligence 
briefings, is having the systemic structure that could really 
permit damage.
    Mr. Liscouski. Ma'am, I am not familiar with the results of 
the study you cited. I would be happy to get back to you with 
the exact dollars that have been distributed to New York City. 
I do not have that in my data here. I can tell you I am working 
with the New York City Police Department and the homeland 
security adviser in New York, as well as the private sector 
institutions. They have a very robust capability to respond to 
that threat.
    As you well know, recently with the most recent threat 
situation we had in New York, the Department of Homeland 
Security as well as the New York City Police Department and the 
state police in New York responded very aggressively and very 
robustly to that particular threat. They were not impeded at 
all. We work very closely with the city in providing the 
appropriate level of resources they need to supplant their 
efforts. Again, I will get back to you in writing if you 
prefer, to respond to the exact dollar figures that have been 
provided. I just do not have that information.
    Mrs. Maloney. Even the 9/11 Commission report noted that 
the funding formulas for high-threat homeland security, they 
called it ``pork barrel'' politics, and certainly it should be 
based on need. I would appreciate your getting back to me.
    Mrs. Kelly. Thank you very much. Ms. Maloney, your time is 
up.
    Mrs. Maloney. The light is not red yet.
    Mrs. Kelly. Oh, I am sorry. I thought it was.
    Mrs. Maloney. Okay. I would like to ask Mr. Olson, did the 
events of 9/11 reveal a need for either new powers for the Fed 
or a need for new arrangements with the private sector, for 
example, foreign banks?
    Mr. Olson. Clearly, Congresswoman, we recognized that 
following 9/11 one of the most important things that we needed 
to have happen is that the Fed needed to be designated as an 
enforcement agency. That was accomplished in the Patriot Act. 
Congress responded very rapidly to that important need.
    I think the response to 9/11 suggested to us is that there 
was a need to consider the risks at a level at which we had 
never considered them before, which is exactly what your 
opening series of questions was designed to get at, the most 
chilling of which was up to that point most business continuity 
plans were made presuming that the people would still be there. 
Post 9/11, that was the one thing that changed and the one 
thing that was different, and the one thing that we now 
anticipate seeing both from our own perspective and when we 
examine financial institutions.
    The Chairman. [Presiding.] The gentlelady's time has 
expired.
    The gentlelady from Illinois, Ms. Biggert.
    Mrs. Biggert. Thank you very much, Mr. Chairman, and thank 
you members of the panel for your testimony and efforts to help 
America's financial sector prepare to withstand catastrophic 
events.
    I am going to address my first question to Mr. Liscouski. I 
also am from Illinois, as the Chairman just said, and we do 
have concerns here about ChicagoFIRST. We will hear testimony 
later, so I do not want to say too much about it. I am 
concerned, and I would like to ask you what the Department of 
Homeland Security is doing to promote and encourage the 
infrastructure preparedness in the financial service sector, 
particularly with ChicagoFIRST, which was a group formed by the 
financial sector in Chicago in the outlying areas after 
September 11.
    I think the achievements that they have found in a regional 
way that they have to really have at their tabletop to have 27 
financial institutions serving the City of Chicago, all of the 
agencies, the Federal Bureau of Investigation, Federal Deposit 
Insurance Corporation, FEMA, financial and banking information 
infrastructure.
    What seemed to be missing there with all of these agencies 
was really the Department of Homeland Security stepping up to 
the plate and really being there for that, and to see how that 
works. Because I think that we see this as a model that can be 
used across the country. It seems that there has not been much 
support from the Department of Homeland Security.
    Mr. Liscouski. Congresswoman, thank you for your question. 
Actually, I would like to just add some more context to that, 
because I believe that since we have started up we have 
provided a lot of support to the financial sector, and 
particularly to the Chicago Mercantile Exchange and others 
where we have done tabletop exercises. So I think maybe a lack 
of initial visible support was just a function of the way we 
were starting up our organization.
    Since that time, in the past year and a half, we have been 
working very closely with the sectors, particularly in the 
Chicago area. I think at the first tabletop, ChicagoFIRST was 
just standing up, so it might have been a little bit too early 
at that point. I can give you more details on that. But as you 
well know, working with Treasury and other members of the 
financial sector, we stood up at the Financial Services ISAC to 
conduct a number of tabletop exercises, all geared at the 
financial sector. We broadened the financial sector's tabletop 
exercises to not just include the cyber aspects, but now 
physical aspects. We are taking that on the road so we now can 
do more interdependent sector-type of tabletop exercises, just 
not uniquely those positioned for the financial services 
sector.
    We are working very closely with the U.S. Secret Service, 
which is part of DHS as you well know. We have a very close 
working relationship with the investigative division of the 
U.S. Secret Service in remediating and working real-time on 
investigations and identifying various vulnerabilities in the 
financial sector, and quickly remediating those vulnerabilities 
in a virtual sense, working with banks and other financial 
institutions as they are found.
    So while we have been building up our processes within DHS, 
I would remind you we have been around for about a year-and-a-
half now. My department really was something that came up 
virtually with very little infrastructure of its own. As we 
have been building it and building partnerships, I think we 
have a very effective and very good story to tell there. So as 
I pointed out, we are funding many different types. These 
tabletop exercises are a prime way for us to be able to ensure 
that we have best practices and effective measures for 
protection of the financial sector.
    ChicagoFIRST has been on our list now to work with. We 
understand that there is a request for some financing outside 
the FS-ISAC. We are working with them to examine that, maybe 
not as quickly as they would like at this point, but as in all 
things they do take some time, so we are examining those 
opportunities. I would suggest to you that we will find ways 
that we continue to work with the financial sector.
    Mrs. Biggert. I know that the testimony in the next panel 
will address those issues and say that they really have 
received no communication from the department as far as their 
inquiries into the funding, into procuring security clearances 
for key financial representatives, so that there can be a 
deeper collaboration. It seems to me that this does seem to be 
a real model, and I would hope that you would work closely with 
them and use them.
    Mr. Liscouski. Sure. I will take that under advisement and 
I will look into that specifically and get back to you. Thank 
you.
    Mrs. Biggert. All right. Thank you.
    And then Mr. Abernathy, certainly the Department of 
Treasury has been involved with ChicagoFIRST, too. Could you 
tell me a little bit about how you have worked with the 
ChicagoFIRST?
    Mr. Abernathy. We certainly agree with you, Congresswoman 
Biggert, that ChicagoFIRST is a model to be taken around the 
country. We were involved with the ChicagoFIRST from its 
beginnings. In fact, one of my senior staffers is currently the 
head of ChicagoFIRST, Brian Tishuk. He was very much involved 
when he was working for Treasury in helping to get ChicagoFIRST 
organized.
    But I want to give the chief credit to the financial 
community in Chicago that came together and realized that they 
have some very important national financial assets in that city 
that need protecting, and the best way to protect them is to 
coordinate efforts, to team up and to recognize that when it 
comes to protecting the financial infrastructure, it is not a 
matter of competition. It is a matter of coordination and 
cooperation.
    What we are now in the process of doing is working together 
with the Financial Services Roundtable's BITS organization, 
another industry-coordinating organization, to document how 
ChicagoFIRST was put together, how it works, and put together 
what we call a cook book that we would then like to take to the 
other financial centers around the country and have them apply 
it as appropriate in those cities.
    Mrs. Biggert. Thank you very much. I yield back, Mr. 
Chairman.
    The Chairman. The gentlelady yields back.
    The gentleman from Georgia, Mr. Scott.
    Mr. Scott. Thank you very much, Chairman Oxley.
    I have a couple of questions. First Governor Olson, in your 
testimony you stated that vulnerabilities continue to pose 
challenges to the financial system and that sound practices 
will be able to help recover from a widescale disruption. Yet 
you mention that sound practices addresses only recovery, and 
not prevention of a terrorist attack. I would like for you to 
talk about that for a moment, and particularly answer this 
question in light of that. Is the Federal Reserve currently 
involved with providing information or sharing information with 
law enforcement agencies to help prevent attack? What is the 
Federal Reserve doing in working with our other intelligence 
agencies to prevent the attack? Answer that one first.
    Mr. Olson. Sure. It is an excellent question and it gets to 
the heart of what we spend a great deal of our time doing. In 
the post-9/11 era, we in particular have strengthened the 
resiliency. We have increased our focus on prevention. We begin 
with a premise that our number one priority is our people, so 
you cannot focus on your people without focusing primarily on 
prevention. So what we have done is we have looked at our 
perimeter security, and we have significantly upgraded both the 
quality and the quantity of our protection force, not simply at 
the Fed in Washington, but also throughout the Federal Reserve 
System.
    We have increased our communication with law enforcement 
agencies and with other governmental agencies. We have 
monitored information carefully. The reason I bring that point 
up is because when we reviewed the information that was 
intercepted in the last several months, we have discovered how 
much information that was intercepted was information that was 
already on the public record. So we choose not to be real 
specific in a public forum. But you and other members of this 
committee are entitled to a lot more information on what we are 
doing, and we would be very happy to provide a private briefing 
for you on what we are doing in that area, because your 
questions are right on point. Much of what we are doing, 
particularly in the way of perimeter security, is involved in 
protection.
    Mr. Scott. Thank you very much. I would be interested in 
that other detail.
    Mr. Olson. I have one more follow-up, because I would be 
remiss if I do not speak to it. The telecommunications area is 
one that we are still working on because of the interdependency 
of both the financial institutions and the interconnectivity 
among the private sector telecommunication companies. We are 
working jointly with that industry to try to assure a greater 
protective capability, but that is a subject which we will 
continue to focus on and hopefully the Congress will too.
    Mr. Scott. Thank you, Governor.
    Assistant Secretary Abernathy, in your testimony you said 
that most of the assaults on our nation's financial 
institutions are cyber attacks, computer viruses and organized 
crime. Could you share with this committee how those three 
areas impact our readiness for these terrorist attacks, 
organized crime, cyber attacks and computer viruses? And have 
you seen any evidence that terrorists have been sophisticated 
enough to mimic these types of attack? And how are they 
coordinating it, especially with organized crime?
    Mr. Abernathy. Congressman, you have zeroed in on what I 
think is probably the number one area of concern and effort in 
terms of responding to existing vulnerabilities. We have done a 
good job as far as I think can be done with regard to the 
physical security. But with regard to the danger to the 
systems, the question is, what are the vulnerabilities to these 
cyber-attacks? As I mention in my testimony, we have seen them 
evolve from the pranksters into organized crime, and now we are 
beginning to see what we think is a pattern suggesting that it 
is going beyond organized crime to perhaps terrorists or others 
that are not interested in stealing the money so much as trying 
to keep the systems from operating.
    We have been working very carefully with the financial 
institutions themselves, as well as the computer experts, the 
makers of software, the designers of the hardware, and the 
designers of the systems, to create a more resilient system to 
respond to those kinds of cyber-attacks that might occur.
    Mr. Scott. When you say ``organized crime,'' are we talking 
about American organized crime? Are we talking about 
international organized crime?
    Mr. Abernathy. It is both, sir. Now, American organized 
crime, but one that is particularly difficult to deal with is 
organized crime that originates from a foreign country. That is 
something that we have seen on the significant increase in 
recent months.
    Mr. Scott. Okay. My last point was, if I could Mr. 
Chairman, very quickly, you also stated, Mr. Abernathy, that 
you sent a letter to the federal home loan banks to ask that 
they join the Financial Services Information Sharing and 
Analysis Center. Have you heard from these banks? If so, what 
have they said?
    Mr. Abernathy. We have just recently sent the letter, so as 
we expect it takes time for them to process and make the 
decisions. We have asked the FS-ISAC, the financial services 
organization itself, to make the direct contacts to these banks 
and to ask them, you have heard from the secretary, the 
assistant secretary; you have heard from the chairman of the 
Federal Housing Finance Board; are you ready to sign on. We are 
very hopeful that they will, but we have not had any takers yet 
to this point, but it is still early.
    Mr. Scott. Thank you.
    Thank you for your generosity, Mr. Chairman.
    The Chairman. The gentleman's time has expired.
    The gentleman from Iowa, Mr. Leach.
    Mr. Leach. I am just trying to put a sense of perspective 
in what you are saying. It is impressive to me that a couple of 
words have come up. One is resiliency of institutions; another 
is redundancy of systems. It strikes me that the two R's are 
probably the most important concepts.
    Just in terms of defense of our systems, I think we have to 
make it clear that decapitation does not bring us down. That 
is, loss of life, as Mr. Olson mentioned, is something that we 
are prepared to deal with in terms of how we proceed in the 
future.
    My concern is that we have a dual circumstance, resiliency 
and redundancy in the private sector. We also have it in the 
public sector. In an emergency, the Fed is the center point. So 
I would like to ask Mr. Olson, are you confident of the Fed's 
resiliency and the Fed's redundancy of systems? While it was 
not designed for this purpose, does the fact that you have 
regional institutions magnify your strengths? Is 
decentralization also a systemic strength?
    Mr. Olson. Let me answer your questions in the reverse 
order of the one in which you asked them. In terms of the 
dispersal, the fact that we have Fed systems throughout the 
country is indeed part of our strength. It is part of our 
strength in terms of its role in monetary policy, but it also 
provides us with a physical diversity that is very important 
for us, while we are assuring both the resiliency and the 
redundancy. It meant that in many cases our ability to provide 
backup or partnering, the capability, the facilities were 
already there to do so. So that is particularly important.
    In terms of our ability to meet future circumstances as 
they unfold, I think that the best way to respond to that is 
evaluating the manner in which we have responded in the past, 
for example to 9/11. I think the fact that the banking system 
did not close; that at no point in time did any customer even 
in Manhattan not have access to their personal financial 
information. Now, they might not have had access to the 
information at the branch or the ATM where they were accustomed 
to having it, but it was available because of the resiliency of 
the system and because of the large numbers of systems.
    So I would say we are cautiously confidence. That is not a 
subject that we would ever take for granted.
    Mr. Leach. Is there such a thing as a Fed in a mountain?
    [Laughter.]
    Mr. Olson. I am not sure what you are asking me.
    Mr. Leach. What I am saying is, do you have a second 
Federal Reserve headquarters?
    Mr. Olson. Oh. Could I get back to you on that on a private 
basis?
    Mr. Leach. Of course, fair enough.
    Mr. Olson. As with Congressman Scott, these are important 
questions that we would be happy to provide that information 
for you in another setting.
    Mr. Leach. Fair enough. Just one final, just to be very 
precise, the subject of Congress's approach to a possible bill 
on netting has been raised and addressed. I am correct in 
assuming that as Chairman Greenspan indicated in the last 
hearing, the Federal Reserve strongly supports a netting bill. 
Is that correct?
    Mr. Olson. Very much so. We appreciate your support and the 
support of the other members of this committee who have 
indicated their support for moving that bill. That would be a 
very important step forward, we believe.
    Mr. Leach. Treasury concurs?
    Mr. Abernathy. Yes, sir. We would like to see that enacted 
either as part of the bankruptcy legislation or as free-
standing legislation. It is very important.
    Mr. Leach. And our third witness, you would concur on that 
as well? Thank you.
    Thank you, Mr. Chairman.
    The Chairman. The gentleman's time has expired.
    The gentleman from North Carolina, Mr. Miller.
    Mr. Miller of North Carolina. Thank you, Mr. Chairman.
    My questions are about private sector preparedness and what 
we are doing to encourage it. The 9/11 Commission devoted a 
page to the topic. They pointed out that 85 percent of the 
critical infrastructure was in private sector hands. They said 
that they had encouraged the American National Standards 
Institute, ANSI, a very well respected industry group, to 
develop and promulgate national standards for preparedness, 
convening safety, security, business community experts, and to 
develop a voluntary national preparedness standard.
    Mr. Liscouski, do you agree that those standards should be 
voluntary? Should there be some force of law behind them? Let 
me first disagree to some extent with Mr. Leach, who said that 
he thought an attack on our financial institutions would be an 
act of barbarism, but not something that would bring our system 
down. It strikes me that a serious disruption in our financial 
institutions could have a catastrophic effect on our economy. 
Do you agree, first of all, that the risk is grave to our 
economy generally? And then second, that whatever standards we 
come up with, what we think the private sector should be doing, 
should be voluntary, as opposed to having some force of law 
behind it?
    Mr. Liscouski. Congressman Miller, I do not want to take 
this out of context, but I believe the statement regarding the 
catastrophic effect of the attack was the concern about the 
most recent threat.
    Mr. Miller of North Carolina. I was not referring to 
anybody else's testimony, then. I was talking about my own 
perception. I have attended a hearing on the Science Committee 
about the loss or disruption of the electrical grid. If that 
happened, the ripple effect through our economy could be very, 
very serious. It strikes me that the same thing is true in the 
financial services sector. If American business cannot get 
access to money, they cannot pay their bills, they cannot make 
payroll, they cannot buy materials. The people they do business 
with are not getting paid, and on and on. The possible loss 
there is serious. Do you not agree with that?
    Mr. Liscouski. Of course. In the broad context of what the 
overall catastrophic effect could be on the financial services 
in general, yes, that is exactly the type of thing we look at 
from the consequence-of-loss perspective. We always look at the 
consequence of loss when we are looking at sectors and 
vulnerabilities.
    Mr. Miller of North Carolina. Okay. How about the 
voluntariness? Do you think it should be voluntary or do you 
think there should be some force of law behind the standards 
that ANSI has promulgated, that the 9/11 Commission has said 
need to be abided by American business?
    Mr. Liscouski. I just want to conclude my previous comment 
by saying that we have yet to see, however, anything that would 
manifest itself in terms of a threat that would be at that 
catastrophic loss level. With respect to standards and 
regulation, as you well know the financial industry is fairly 
well regulated now. The standards that are imposed by the 
regulation in many cases adequately addresses the requirements 
to meet the specific threats that we are operating against.
    I think in a general sense with respect to standards, we 
are looking to establish best practices and guidelines 
throughout the community, all the critical infrastructure 
components, to ensure that we get good compliance and practices 
to respond to various types of threat scenarios against which 
we are operating. Whether it be ANSI, we are currently working 
with the American Society of Mechanical Engineers to develop 
ways to bake into business processes for best practices. It is 
at that level that we think we can have the most benefit to 
affect the outcome of security for the long term.
    I think the challenge in terms of looking at regulation or 
standards to remediate against a current threat, and they can 
never happen quickly enough. I think the best efforts we can 
make are looking for long-term systemic changes in business 
practices and security practices for the industry is 
irrespective in the financial sector across critical 
infrastructure. My office in particular in working with the 
private sector to ensure that we take that approach.
    The one thing we have to be very careful of is that there 
is not a one-size-fits-all standard. We have to be careful 
about ensuring that when we look at it.
    Mr. Miller of North Carolina. I am not sure I got an answer 
to my basic question of what should be behind it other than a 
hope for goodwill.
    Mr. Abernathy, in your testimony you said the FBIIC will 
also try to share best practices, encouraging whenever 
possible, cajoling where necessary. That strikes me as a fairly 
limited range of options. First, we are going to encourage you, 
and if you do not do right, we are going to ratchet up and 
cajole you. I am not sure the prospect of being cajoled is 
going to strike fear in the hearts of a lot of folks. Is that 
your whole range of options, to encourage compliance with best 
practices or standards or whatever you call it?
    Mr. Abernathy. Let me explain the context. The cajoling and 
encouraging is with regard to the federal and state regulatory 
agencies themselves. We do not have any enforcement authority 
with regard to the Securities and Exchange Commission, but the 
Securities and Exchange Commission, for example, has very 
significant authorities with regard to the entities that they 
supervise.
    So when it comes to the encouraging and cajoling, it is 
making sure that the banking regulators, including the Fed, the 
SEC and other banking regulators are using their authorities to 
make sure that the financial institutions themselves are 
applying their regulatory powers and employing the kinds of 
best practices that you talk about, what the various standards 
are, to make sure that they are able to continue to provide the 
services that they are chartered to provide.
    So the enforcement tools are in the hands of the 
regulators. The job of the FBIIC is to make sure that the 
regulators are using and applying those enforcement tools.
    The Chairman. The gentleman's time has expired.
    The gentleman from Alabama, Mr. Bachus.
    Mr. Bachus. Thank you, Mr. Chairman.
    Governor Olson, I want to commend you. We talked about 
netting earlier, and I want to commend you and the Fed because 
Chairman Greenspan in some testimony before the Congress 
recently talked about how important the netting provisions 
were. So I hope the Senate gets the message, and we are able to 
include that in some legislation.
    Mr. Olson. We thank the members of this committee that have 
been supportive in that effort. We agree that it is important.
    Mr. Bachus. I would take this time just to say again that, 
Chairman Oxley, before 9/11 took steps which I think this 
committee, working with the regulators, to ensure that our 
financial institutions and our markets did go through 9/11 I 
think in an exemplary way.
    My two questions I am going to ask are for Assistant 
Secretary Abernathy. You mentioned that $2 million that 
Treasury spent on the Financial Services Information Sharing 
and Analysis Center.
    Mr. Abernathy. Yes, sir.
    Mr. Bachus. Can you tell me about what Treasury's 
commitment is to that center, which was formed actually by 
Executive Order?
    Mr. Abernathy. The center itself was formed in 1999, if I 
am not mistaken.
    Mr. Bachus. Or 1998, by a presidential decision.
    Mr. Abernathy. Yes. It was actually formed by the private 
sector pursuant to encouragement from the federal government, 
but it is a privately created and organized entity. What we did 
was in recent years, we looked at that entity that originally 
had a very narrow focus, coordinating the largest financial 
institutions. In visiting with them, we said in order to do 
your job you need to be able to reach all of the financial 
institutions. Of course, their response was, how do we do it?
    So we funded a consulting group to look at just how you can 
expand the FS-ISAC and have it self-supporting. The FS-ISAC 
does not receive any operating funds from the federal 
government and we wanted to have a system that was sustainable 
by being funded by its members exclusively. We have come up 
with a plan and a reorganization that we believe is working and 
is moving forward very well.
    Mr. Bachus. What are your plans in regard to the future of 
the center?
    Mr. Abernathy. It is to continue to have it develop as the 
central means of coordinating information among the whole 
financial sector. To demonstrate just how flexible it is, we 
have various levels of communication that are available on the 
FS-ISAC. There are first of all threat announcements that go 
out to everybody, but it is also a platform where specific 
segments of the financial sector can get together and 
communicate with one another on important critical 
infrastructure problems, and we are seeing already a number of 
efforts to do that and to use that as the platform for it.
    Mr. Bachus. Okay. Treasury provides critical financial 
services that need protection every day, like daily check 
forecasts and cash forecasts and collection and disbursement of 
federal funds or federal monies, conducting Treasury auctions, 
things of that nature. What are you doing to see that these 
important functions are somewhat insulated against potential 
threats?
    Mr. Abernathy. You are absolutely right, Congressman. 
Besides being the chairman of these coordinating roles, 
Treasury itself has important roles in the financial system, 
particularly with regard to the movement of all the federal 
money, both the money that is coming in and then the money that 
is disbursed to pay all the bills and all of the checks. We 
frequently work with that element of Treasury in those 
particular bureaus to make sure that they have those two words 
that Congressman Leach talked about, resilient and redundant 
operations in place. We feel very confident that Treasury has 
those not only established, but we test them frequently.
    Mr. Bachus. All right. I have no further questions. I would 
like to say for the record, I think this is correct, the PDD-63 
which President Clinton authorized and it was amended by 
Executive Order, but I think that mandated that the center be 
established. I could be wrong, but I am pretty sure that that 
would make sense because that was 1998, and if it was created 
in 1999.
    Mr. Abernathy. Yes, I believe that is right. What I wanted 
to emphasize, though, is that it is a privately owned entity 
and we think it derives a lot of strength because of that, 
fostered by government, if you will, and encouraged, and it is 
built into a network of other ISACs. But its strength comes 
from the fact that it is owned and governed by the private 
sector.
    Mr. Bachus. Right. And I think we will see that in the 
second group of panelists who are some of the stakeholders or 
participants.
    The Chairman. The gentleman's time has expired.
    The Chair would announce we have about 8 minutes left on 
two floor votes. I would ask the gentleman from New York if he 
would be brief.
    Mr. Ackerman. Brief.
    The Chairman. That was the word I was looking for. The 
gentleman from New York.
    Mr. Ackerman. Yesterday, the nation received very startling 
information from the Vice President of the United States. He 
contended that if he were not reelected, together with the 
President, and the Democrats instead were elected, that 
hundreds of thousands of Americans would be killed in a 
terrorist attack. I would like to know if that is a bunch of 
political hyperbole, or in the hard work that you have been 
doing at the Federal Reserve, at the Treasury Department, at 
Homeland Security, you have come across any information 
whatsoever, over the transom, rumors, chatter, or anything else 
that would indicate that there is any validity or truth to what 
the Vice President says.
    Mr. Olson. Speaking on behalf of the Fed, that is above my 
pay grade, Congressman. I do not have access to the information 
to answer it.
    Mr. Ackerman. So you have seen no information that that is 
true?
    Mr. Olson. I would say that the question is above my pay 
grade. I have not addressed the question.
    Mr. Abernathy. Congressman, I did not see the comments so I 
would not want to comment on it for my own. I will just add 
that we see constantly, as I have pointed out in my testimony, 
that the financial services sector is under assault every 
single day.
    Mr. Ackerman. Nothing to do with Democrats?
    Mr. Abernathy. As far as I can tell, it is a continuous 
assault that is not letting up in intensity.
    Mr. Ackerman. Under a Republican administration.
    Mr. Abernathy. This has been in place now happening for 
numbers of years.
    Mr. Ackerman. But there is no indication that it is 
politically biased. Okay.
    Mr. Abernathy. Nothing that I have seen.
    Mr. Ackerman. And Homeland Security?
    Mr. Liscouski. I think my colleagues have perfectly 
addressed the question, sir. Thank you.
    Mr. Ackerman. Has anybody made contingency plans just in 
case the Democrats are elected, in any of your agencies?
    [Laughter.]
    The Chairman. I have made some contingency plans.
    [Laughter.]
    Mr. Ackerman. I do not mean about your future personally. I 
thank the panel and I thank the Chairman for his indulgence.
    The Chairman. Thank you.
    Ms. Lee?
    Ms. Lee. Thank you, Mr. Chairman.
    Very quickly, let me just thank you again for being here. I 
come from the San Francisco Bay Area, and of course we are very 
concerned not only from attacks and vulnerabilities as it 
relates to natural disasters, but of course as it relates to 
vulnerabilities from terrorism.
    I would just like to know what, as you see it in terms of 
the Bay Area, in terms of financial institutions, because many 
of the top financial institutions are in the San Francisco Bay 
Area, what do you see as some of the vulnerabilities?
    What do you recommend, especially Mr. Liscouski, in terms 
of the coordination between federal, state and local officials 
in terms of the San Francisco Bay Area?
    Mr. Liscouski. Without getting into the specifics of the 
protective measures and the vulnerabilities, it is probably not 
appropriate for this forum, but I think I can talk generally 
speaking with respect to our coordination with state and local 
officials. We work very closely with the Homeland Security 
officials in California, and specifically the local officials 
in San Francisco, and routinely.
    I would be happy to provide to you a separate reporting as 
far as what specific measures we have taken, again just out of 
deference for the type of information we are talking about.
    Ms. Lee. Thank you.
    Assistant Secretary Abernathy, what do you identify or have 
you looked at some of the greatest vulnerabilities facing San 
Francisco's financial district? Is that part of the overall 
planning that you have done?
    Mr. Abernathy. One of the things that we do on a constant 
basis is trying to identify what are the key critical elements 
of the financial infrastructure; what their vulnerabilities are 
and then how we can address those. Certainly, we look at 
wherever they are. They are not located all in New York City. 
Some are there, and some are in other parts of the country. 
Financial services are extremely important to the economy of 
San Francisco and from San Francisco a lot of important 
financial services are provided throughout the nation.
    One of the things that we think will be of great help to 
San Francisco and other money centers around the country is, as 
I mentioned, this cook book that we are putting together of 
looking at the ChicagoFIRST model and providing that to 
financial centers around the country and encouraging them to 
develop appropriate coordinating efforts in their cities as 
well.
    The Chairman. The gentlelady's time has expired. We have to 
go to vote.
    Ms. Lee. Okay. We have to go.
    The Chairman. I want to just take the Chair's prerogative 
to ask Mr. Abernathy the status of TRIA, and just a few 
comments, then we have to close this down.
    Mr. Abernathy. Certainly, Mr. Chairman. We are progressing 
as the law has outlined for us an analysis of how the Act is 
performing. We put in place, as I think we mentioned here 
previously, a very meticulous, sequenced data collection 
exercise so we could see just what is happening on the ground.
    The Chairman. As required in the Act.
    Mr. Abernathy. As required in the Act. We just received the 
most recent collection of data from insurance providers. We are 
also looking at developments not only here in the United 
States, but there is a very interesting development with 
connection to the Olympic Games.
    There we had some very prominent activities that had 
absolutely no government support at all that were able to find 
terrorism risk insurance. We are looking at that example to see 
what it tells us with regard to the availability of the 
products.
    The Chairman. I thank all of you, and this panel is 
dismissed. The committee stands in recess until 12 noon.
    [Recess.]
    Mrs. Kelly. [Presiding.] We welcome our second panel today. 
We have Mr. Robert G. Britz, president and co-chief operating 
officer of the New York Stock Exchange; Mr. John Mohr, chief 
operating officer, New York Clearing House; Mr. Wilton Dolloff, 
executive vice president, operations and technology, Huntington 
Bancshares Incorporated, on behalf of BITS and the Financial 
Services Roundtable; and Mr. Samuel Gaer, chief information 
officer, New York Mercantile Exchange.
    Mr. Emanuel, I understand that you would like to introduce 
our next guest on the panel.
    Mr. Emanuel. Thank you, and thank you for holding this 
hearing.
    I first went to meet with Brian and the ChicagoFIRST group 
a couple of months ago. Brian Tishuk is the executive director, 
and prior to that he had a distinguished career at Treasury 
working on a set of issues over there. ChicagoFIRST, in Brian's 
discussion and in answer to questions, will show as a role 
model to what other cities can do in a sense of the private 
sector coming together, starting ready-to-do planning to deal 
with unintended events.
    In Chicago, like other major financial centers, we have 
about 320,000 to 350,000 jobs in the area who rely on the 
financial services industry, leaders in the future, it is an 
options industry. And what ChicagoFIRST has done is a 
remarkable job in coordination with also what the City of 
Chicago has done.
    So I am pleased that the Chairwoman agreed to have 
ChicagoFIRST and Brian as a person to testify today. As I told 
Brian earlier, I have Alan Greenspan in the Budget Committee, 
and no disrespect intended, I am going to get and go there and 
ask my questions of Chairman Greenspan so I can tell Brian what 
interest rates are going to be like tomorrow.
    I want to thank the Chairlady for holding this hearing and 
thank the entire panel for giving their time today.
    Mrs. Kelly. Thank you very much.
    Let us begin with you, Mr. Britz.

STATEMENT OF ROBERT G. BRITZ, PRESIDENT AND CO-CHIEF OPERATING 
             OFFICER, NEW YORK STOCK EXCHANGE, INC.

    Mr. Britz. Thank you, Chairwoman Kelly.
    Ranking Member Frank, distinguished members of the 
committee, I am Robert Britz. I am president and co-chief 
operating officer of the New York Stock Exchange. As such, I am 
directly responsible for the day-to-day operation of our 
market, our trading floor, our data-processing sites, our 
technical infrastructure, software development, and our 
information business. In addition, I also serve as the chairman 
of the Securities Industry Automation Corporation, or SIAC, 
which is a technology subsidiary of the New York Stock Exchange 
and the American Stock Exchange.
    On behalf of the NYSE, I want to thank the committee for 
holding this hearing and giving us the forum to discuss the 
NYSE's investment in business continuity and contingency 
planning post-9/11. The NYSE lists more than 2,750 companies 
with a combined market capitalization of around $18 trillion. 
Just for context, the next-largest marketplace in the world 
hovers between $2 trillion and $3 trillion. We trade on average 
1.5 billion shares a day, or in dollar terms about $50 billion. 
Ensuring the world's largest equity market can open for 
business every day under all circumstances is clearly our 
highest priority.
    Madam Chairwoman, the NYSE has a long history of developing 
forward-looking business continuity strategies that harden and 
protect our physical and technology infrastructure and improve 
our ability to withstand or recover from a disaster. Our 
approach consists of three components: to prevent an attack or 
natural catastrophe; to withstand them; and to recover from 
them.
    In close cooperation with federal, state and local law 
enforcement, the Exchange has expanded its physical security 
perimeter. We have also taken measures to increase the 
screening of all people, package delivery and mail that enters 
the NYSE or our data centers. And we have instituted a more 
restrictive policy vis-a-vis visitors and deliveries. Business 
continuity planning did not begin after 9/11. Before 9/11, we 
made sure that all of our facilities had emergency generators, 
uninterrupted power supply, and stored water on-site, to enable 
continued operation after the potential loss of power or water.
    Our technology infrastructure was already connected to a 
private extranet that utilizes geographically redundant fiber 
routes. The NYSE and SIAC employ large security forces and 
invest in automated security systems to protect the 
infrastructure. Significant investments have been made in 
information security personnel and infrastructure to protect 
our systems from intrusions and attacks, while enabling our 
business partners to connect to the NYSE technology complex in 
a secure manner.
    Our primary trading floor is actually five different 
trading floors located in four different buildings. Trading can 
be moved from one location to another as may be necessary. 
Since September 11, the NYSE has made an investment totaling 
more than $100 million to prevent and/or recover from an 
interruption to our market. The specific business continuity 
programs include both new initiatives, as well as enhancements 
to existing programs. In particular, the NYSE has built a 
contingency trading floor, expanded SIAC's emergency command 
center, created the Secure Financial Transaction Infrastructure 
network or so-called SFTI network, constructed a remote network 
operations center, and recently received approval to establish 
a remote national market system data center.
    The NYSE's regulatory group filed and the SEC recently 
approved new business continuity rules, Rule 446 for NYSE-
member firms. In addition, beyond ensuring the resiliency of 
the NYSE, to ensure continuity of trading the NYSE has modified 
its systems to accept four-character symbols so that we can be 
a position to trade over-the-counter Nasdaq securities should 
that ever be necessary.
    In addition, we have enhanced NYSE and SIAC disaster 
recovery planning, physical and information security; developed 
and implemented a mandatory business continuity training 
program for all NYSE and SIAC employees; enhanced emergency 
employee communication systems to ensure key personnel can be 
reached; and all personnel have access to relevant and timely 
information in an event. We have instituted a temporal 
dispersion initiative with respect to the data center staff, 
and we also are adding additional generating capacity at the 
New York Stock Exchange proper.
    The NYSE employs a rigorous information technology 
structure to ensure reliability of all of the information that 
we receive, process and disseminate to the world every day. We 
employ external perimeters, firewalls, intrusion detection, 
internal access controls, and we conduct penetration testing 
with so-called ``friendly'' hackers.
    The NYSE and SIAC launched the Secure Financial Transaction 
Infrastructure network, or SFTI, as I mentioned a moment ago. 
It has become the primary extranet serving the financial 
industry. It provides diverse redundant routing to SIAC data 
centers for member firms, national market system participants 
that are connected to the NYSE, to the American Stock Exchange, 
the National Market System, and DTCC's IT infrastructure as 
well.
    Following 9/11, U.S. equity trading was interrupted because 
many broker-dealers lost their connectivity to the markets due 
to the damage suffered by a major central telecommunications 
switching facility near ground zero. SFTI addresses this by 
enabling member firms to connect to the NYSE's data centers via 
multiple access points, so-called carrier hotels throughout the 
New York metropolitan area, as well as Boston and Chicago. From 
these access centers, message traffic is carried over a 
geographically diverse fiber network owned and managed by SIAC.
    Beyond the resiliency of our market, the NYSE is prepared 
to trade Nasdaq stocks if that case ever arises. While NYSE 
systems have been modified and can support four-character 
symbols used by the unlisted stocks, no need for any 
modification on the part of the broker-dealer systems. And 
because our capacity today, NYSE's capacity vis-a-vis its own 
stocks, is about five times our average daily volume of 1.5 
billion shares, we have no question about the ability to absorb 
the extra traffic resulting from Nasdaq stocks.
    Madam Chairman, in your invitation to testify this morning, 
you also asked that the NYSE share its experiences relative to 
the limited code orange threat issued on August 1. On Sunday, 
August 1, Secretary Ridge of the U.S. Department of Homeland 
Security announced that al Qaeda was targeting specific sites 
in Washington, D.C.; Newark, New Jersey; and New York City, 
including the NYSE. In addition, Secretary Ridge announced that 
the Department of Homeland Security was raising the terror 
threat level to orange for New York City. At approximately 6 
p.m. the prior evening, the New York office of the FBI 
contacted NYSE security officials to inform them that the FBI 
had information that was very pertinent to the NYSE, and they 
requested that we meet with them immediately, which indeed we 
did.
    This intelligence clearly indicated that al Qaeda had 
surveiled the NYSE. On Sunday, August 1, the FBI and the NYPD 
informed the NYSE that there would be immediate increase in 
NYPD officers and NYPD ``Hercules'' teams deployed around the 
NYSE's perimeter. In addition, the NYPD would increase the 
number of truck inspections for vehicles traveling south of 
Canal Street to determine if those trucks actually needed to 
proceed downtown toward the financial district.
    On Sunday, August 1, the NYPD pledged their assistance for 
police department access and cooperation during the heightened 
alert. The Department of Homeland Security, as well as other 
federal, state and local agencies, notified the NYSE before 
Secretary Ridge's announcement that the exchange was a specific 
target. With this advance notice, the NYSE was able to 
communicate with its employees through our contingency Web 
sites. Under these contingency sites, we are able to provide 
timely information about the status of our operations for 
Monday, August 2, to members, member firms, member firm 
employees, and NYSE employees.
    On Tuesday, August 3, NYSE officials met with Homeland 
Security Secretary Ridge, New York City Mayor Michael Bloomberg 
and both pledged their cooperation in the provision of federal 
and New York City assets as needed.
    Since 9/11, all of our efforts have served to increase the 
NYSE's physical security, presence, and its business continuity 
planning. Our enhanced business continuity contingency planning 
are online and being tested every day. Unlike many localities 
and sites, New York City and the NYSE remain at a higher level 
and will remain at a heightened alert to protect the people and 
the infrastructure that operate the NYSE's agency-oriented 
market.
    In the event of another terrorist attack or catastrophe, 
the NYSE plans to resume trading in a timely, fair and orderly 
fashion that will provide confidence to America's 85 million 
investors. While the NYSE and SIAC have implemented a 
comprehensive contingency plan that will provide for an orderly 
resumption of trading in the event of an attack or other 
catastrophe, we cannot prepare for every possible contingency. 
We will continue to work with the SEC, the Department of 
Treasury, Homeland Security, and the NYSE's member firms, the 
financial services industry, and federal, state and local law 
enforcement to address the threats and to implement strategies 
and solutions.
    I hope the foregoing is helpful to the committee. We look 
forward to working with this committee going forward on matters 
of mutual interest, and I would be happy to answer any 
questions. Thank you.
    [The prepared statement of Robert G. Britz can be found on 
page 65 in the appendix.]
    Mrs. Kelly. Thank you so much, Mr. Britz.
    Mr. Mohr?

  STATEMENT OF JOHN MOHR, EXECUTIVE VICE PRESIDENT, NEW YORK 
                         CLEARING HOUSE

    Mr. Mohr. Good afternoon. My name is John Mohr and I am an 
executive vice president of The Clearing House, which is 
headquartered in New York. Just to correct the record of the 
cover sheet of the testimony, it lists me there as the chief 
operating officer. I wish that I were, but I am not.
    Mrs. Kelly. Thank you.
    Mr. Mohr. We are headquartered in New York and we are the 
nation's oldest and largest clearinghouse. We are owned by 19 
very large, global, international and regional banks. We were 
founded in 1853, and we are a private sector global payments 
system infrastructure that clears and settles more than $1.5 
trillion each day. We serve as an industry forum for addressing 
strategic and regulatory issues dealing with payments made in 
U.S. dollars. The Clearing House serves more than 1,600 U.S. 
financial institutions and manages payment services that span 
the entire spectrum of paper, paper-to-electronic, and 
electronic payments.
    I want to thank you for this opportunity to update you on 
steps we have taken to further strengthen the key elements of 
the U.S. payment infrastructure which are operated by The 
Clearing House. One of the key lessons learned from the 9/11 
disasters was that from a business continuity perspective 
business as usual was no longer adequate. Contingency and 
business continuity plans needed to be reevaluated and 
refocused.
    Since 9/11, the financial industry has increased its focus 
on the resiliency of its high-value payment systems. It is 
universally agreed that systems such as CHIPS, which is our 
large-value payment system, must be capable of resuming full 
capacity operations quickly, within hours of any catastrophe. 
We take this responsibility seriously. It is worth noting that 
CHIPS never skipped a beat on 9/11 and the days that followed.
    CHIPS itself operated without interruption during the 
entire crisis and all 56 banks that connect to it were able to 
continue to conduct business. This included the 19 banks that 
were located in or near the World Trade Center. Each of these 
banks was required to relocate their operations to contingency 
sites in the middle of an unimaginable disaster. The fact that 
this was successfully accomplished I believe is a great 
testament to the leadership in these banks.
    Following 9/11, our management reviewed the events of the 
week for lessons learned. Some of the things that we have done, 
we added additional security staff to perform more frequent and 
random patrols of our facilities. We conducted penetration 
tests of both our physical security and our logical security 
for our systems. We reconfigured one of our facilities to make 
it better prepared to prevent penetration. We implemented 
state-of-the-art biometric access controls. We also all but 
eliminated visitor access to all of our operating centers.
    We reviewed where our critical employees worked and 
relocated some of these individuals to avoid a concentration 
risk of having too many key individuals in one place. We have 
taken measures to ensure that key operations and support staff 
have secure remote access to our electronic systems so that 
they can operate remotely in the event that they cannot get to 
our principal operating centers. For many years, The Clearing 
House has operated fully redundant data centers, each with the 
capability of backing up the other. To further enhance its 
resiliency, we have developed and out-of-region third data 
center. This new center is fully equipped to take over the 
operation of CHIPS within an hour of a simultaneous failure of 
the other two sites.
    One key procedure which was reaffirmed during the events of 
9/11 is contingency tests. Mandatory testing of contingency 
capabilities has been conducted by CHIPS since the early 1980s. 
The tests cover a variety of disaster scenarios and exercise 
the backup and recovery capabilities of the participants, as 
well as CHIPS. The performance of each participant during these 
tests is evaluated by The Clearing House and those banks that 
fail the test are required to continue to re-test until they 
pass. The discipline of regular testing helped contribute to 
the quick recovery of the banks following the events of 9/11. 
Since 9/11, we have expanded our own testing regimen to include 
two tests a year, coordinated with the Federal Reserve's 
Fedwire system.
    Another significant initiative led by the Clearing House 
following the events of 9/11 was our Intercept Forum which 
addressed the question, what could financial institutions, 
working with the public sector, do to eliminate the flow of 
funds to terrorists and their organizations. We had senior 
representatives from 34 public and private sector 
organizations. This forum identified five task groups which 
were co-led by representatives from both the public and private 
sectors. These five groups, let me touch on them briefly: 
patterns of behavior, account transaction monitoring, and 
global cooperation.
    The first three I think are easily understood, their 
purpose, their mission clearly understood by the names of their 
groups. The other two, control list, following the events of 9/
11, the banks and the regulators and the law enforcement 
agencies needed to sit down and clarify what we were trying to 
accomplish in terms of identifying terrorists, flows of funds 
to terrorists, what policies and procedures had to be in place, 
what new was being put in place. All this had to be 
communicated effectively, so we put a group together to work on 
that.
    Our fifth group, a database team, was originally set up to 
develop a highly secure real-time capability to download 
suspected terrorist information and to upload hits that 
financial institutions may have, reporting them back to the law 
enforcement agencies. This fifth group was superseded by FinCEN 
and their PAC system which was set up in 2003, I believe. We 
work closely with them and handed over that responsibility to 
them. All of our banks have been working with them since.
    I think the Intercept Forum is a great example of the 
private and public sector's ability to work together to achieve 
shared goals. Financial institutions, law enforcement agencies, 
and regulators were able to draw upon each other's core 
competencies in a cooperative way and achieve meaningful 
results. It is clear that going forward we will need continued 
cooperation in all three areas to be successful.
    Thank you.
    [The prepared statement of John Mohr can be found on page 
116 in the appendix.]
    Mrs. Kelly. Thank you.
    Mr. Dolloff, I understand that Mr. Tiberi was wanting to 
come to introduce you because you were a fellow Ohioan. I hope 
you will take my introduction, from being a former Ohioan who 
now is in New York. We are delighted to have you here. You may 
proceed.

    STATEMENT OF WILTON DOLLOFF, EXECUTIVE VICE PRESIDENT, 
OPERATIONS AND TECHNOLOGY, HUNTINGTON BANCSHARES INCORPORATED, 
    ON BEHALF OF BITS AND THE FINANCIAL SERVICES ROUNDTABLE

    Mr. Dolloff. Thank you, Madam Chairman and members of the 
committee for this opportunity to testify about the financial 
services industry's efforts to address critical infrastructure 
protection. I am Wilton Dolloff, executive vice president for 
operations and technology at Huntington Bancshares, 
Incorporated. I am pleased to appear before you today on behalf 
of BITS and the Financial Services Roundtable. I have submitted 
a written statement that provides details on efforts by BITS 
and the financial services industry to strengthen our nation's 
critical infrastructure.
    I would like to use this time today to deliver three 
messages. First, the financial services industry is doing an 
outstanding job strengthening our slice of the critical 
infrastructure pie. Among other things, we have developed 
emergency communication tools, conducted worst-case scenario 
exercises, engaged in partnerships with the telecommunications 
sector and key software providers, compiled lessons-learned 
from the 9/11 attacks and the August 2003 blackout, and 
combated new forms of online fraud.
    Second, as you know, our industry is heavily regulated. The 
regulators have stepped up their oversight, but we cannot 
address these problems alone. Our partners in other sectors, 
primarily telecommunications, power, software, must also do 
their fair share to ensure the soundness of the nation's 
critical infrastructure.
    Third, I want to review several recommendations for the 
Congress to consider. Since 9/11, our sector has done a lot to 
respond to the risk we face today. Protecting our nation's 
critical financial services infrastructure is a top priority. I 
would like to highlight several efforts to help assure the 
security stability of our sector.
    We have improved communications and enhanced our ability to 
analyze and disseminate information. For example, we have 
enhanced the financial services information sharing and 
analysis center, the ISAC, providing an important tool for 
members to share and analyze cyber and physical threat and 
vulnerability information. In addition, we have established the 
BITS-FSR crisis communicator. This high-speed alert system 
rapidly notifies CEOs and CIOs and others as appropriate to 
convene conference calls during which industry leaders share 
information and make decisions. The system was recently 
activated on August 1 immediately following the threat-level 
escalation by the Department of Homeland Security for the 
financial industry.
    One of the key lessons learned in recent years is our 
sector's dependence on other critical infrastructure sectors, 
namely telecommunications and power. BITS is working with the 
telecommunications industry to identify and mitigate 
vulnerabilities and enhance recoverability. While the 
cooperation between these two sectors has been unprecedented, 
much more work remains to be done.
    In August 2003, the blackout occurred in the Northeast. It 
gave us an opportunity to test our assumptions about what would 
happen in a large-scale loss of power. In general, the 
financial services industry performed well. Backup systems 
operated. Alternate communications systems were used and there 
was no measurable impact on settlements and payments.
    Our industry has also been working hard to strengthen 
cyber-security. We have stepped up our efforts by sharing 
information, analyzing threats and working more closely with 
the software industry. In December 2003, BITS surveyed its 
members on the cost of addressing software vulnerabilities and 
learned that costs are approaching $1 billion annually. In 
February 2004, BITS and the Roundtable held a cyber-security 
CEO summit to launch efforts to promote CEO-to-CEO dialogue on 
software security issues.
    In short, we want the software industry to improve the 
security of products and services that they provide to us. Just 
as financial institutions are key targets for hackers and other 
cyber-criminals, our industry is increasingly the target of 
fraudsters operating online. We are responding to the 
escalation in identity theft with a series of steps to 
facilitate prevention of the crime and assist victims when it 
occurs. The cornerstone to these efforts is the BITS-FSR 
Identity Theft Assistance Center, or ITAC. The concept of this 
pilot program is to provide a simplified recovery process that 
benefits victims by relieving much of the current burden of 
reporting the theft and restoring one's financial identity.
    The Congress can help the financial services sector meet 
the challenge of the post-9/11 environment in three ways. 
Number one, encourage the telecommunications industry to 
provide diverse and reliable services to critical 
infrastructure sectors. Two, recognize the dependence of all 
critical infrastructures on the software operating systems and 
the Internet. And finally, number three, encourage law 
enforcement to prosecute cyber-criminals and identity thieves 
and publicize U.S. Government efforts to do so.
    I am pleased that Congress has an active interest in 
helping to shore up the financial sector against 
vulnerabilities and hope that we can work together to heighten 
security. Financial firms will continue to work diligently to 
achieve the level of security that our customers demand.
    Madam Chairman, I will be happy to answer any questions. 
Thank you.
    [The prepared statement of Wilton Dolloff can be found on 
page 86 in the appendix.]
    Mrs. Kelly. Thank you so much.
    Mr. Gaer, we welcome you.

    STATEMENT OF SAMUEL GAER, CHIEF INFORMATION OFFICER, NY 
                      MERCANTILE EXCHANGE

    Mr. Gaer. Thank you, Madam Chairwoman. Good morning, and 
thank you to the members of the committee for inviting me to 
address the issue of emergency preparation and vigilance for 
the financial services sector. The subject matter is of timely 
concern and I sincerely welcome the opportunity to both express 
what the New York Mercantile Exchange has accomplished to date, 
as well as to express concerns regarding areas in which you 
might consider providing assistance to our efforts going 
forward.
    The Exchange is the world's largest physical commodities 
futures exchange and has been an example of market integrity 
and price transparency throughout its 132-year history. 
Commercial enterprises and government entities all over the 
world use our marketplace to manage their energy metals risk, a 
function that is particularly critical to the global economy in 
any time of crisis. The Exchange is also a technology leader in 
the futures industry, developing robust, redundant, best-of-
breed trade management clearing and reporting systems capable 
of quick fail-over to backup systems when required.
    No preparedness planning, however, can be accomplished 
without a careful analysis of the business that needs to be 
protected. Our core business is trading and clearing. In order 
to ensure the continuity of this core business, we have pursued 
several alternatives. The Exchange headquarters was designed to 
be as redundant as possible, including the availability of 
backup generators, which became critical during the blackout of 
2003.
    One of the first priorities for the Exchange after 
September 11, for example, was to build a replica trading floor 
which contains trading rings, administrative space, live price 
feeds, and a fully operational and redundant data center. In 
other words, it is a complete facility. This facility has been 
powered-up since the beginning of the Iraq War and is ready to 
go on a moment's notice.
    The Exchange also has two electronic trading systems, both 
of which have round-the-clock trading capability. In fact, we 
were the first exchange in New York to reopen following 
September 11 when we opened our electronic trading system for a 
2-hour session on September 14, which resulted in a record 
70,000 contracts being traded in 2 hours.
    During an emergency, the high-level strategic decision-
making authority rests with the crisis management team which we 
call the CMT. It is comprised of members of the executive 
committee of the board of directors, C-level executives and 
critical senior executives. Their role is to assess a threat 
and if necessary provide an official declaration of disaster, 
to interface with the members of the exchange, and to 
coordinate with industry and regulatory agencies.
    Maintaining communication between recovery units and 
resources is the single most important aspect of any emergency 
recovery effort. The Exchange has gone to great lengths to 
ensure that the CMT and their subordinates are all able to 
communicate, including provision of cell phones with two-way 
radios, mobile e-mail devices, laptops with cellular modems 
which we affectionately call footballs, and access to CFTC-
sponsored GETS cards. Every critical exchange system is 
duplicated and can provide services in the event the main 
facility or system is unavailable. Data moves across redundant 
optical fiber links, linking our backup site to the primary 
site. In addition to the network created between the two hot 
sites, the Exchange maintains multiple links to Internet 
service providers.
    Training, education and regular testing will ensure that 
the systems and staff are ready to respond to any event that 
disrupts our business. Ongoing planning for events keeps the 
Exchange planners in top form. The Exchange, along with the 
Futures Industry Association, or the FIA, have begun planning a 
major multi-company and multi-exchange coordinated testing 
effort which will culminate in the first annual industry-wide 
disaster recovery test this fall on Saturday, October 9. The 
effort is extremely important to our industry and will be 
repeated annually.
    As a critical infrastructure organization, we strive to 
learn from every event we face. So what were the lessons we 
learned from the various events that we have handled recently? 
The tragic and cataclysmic events that took place on September 
11, 2001 showed us that planning for emergencies that involve a 
single company, building or service is no longer adequate. As 
we look back at 9/11, the relationships the Exchange has forged 
with government agencies will always be of critical importance 
in planning for and support during an emergency event. In 
addition, the relationships our member firms have formed with 
important government leaders have enabled the Exchange to 
overcome many difficult recovery challenges in the past.
    The blackout of 2003 taught us different lessons, foremost 
of which is that the unavailability of a facility is not a 
prerequisite to an emergency event. Multiple redundant service 
providers need to be secured for all critical business 
services. Other events that the Exchange planners carefully 
consider are the planning we have done for the Republican 
National Convention and the regular disaster recovery testing 
and mock disasters that the Exchange conducts all serve to 
reinforce and fine-tune the planning we have at the ready. 
Communications stands alone as the key equalizer when facing 
the surprises any emergency delivers. A disaster gives no 
advance warning.
    Madam Chairwoman, in closing I ask this committee to 
consider the following concerns from the Exchange. As an 
integral part of the critical infrastructure, the Exchange 
already manages a full complement of continuity plans, backup 
sites and emergency operation locations. However, our business 
relies upon the coordination of many services within the 
financial sector. It also relies heavily on telecommunications, 
utility and transportation infrastructure over which the 
Exchange has no control. The Exchange is prepared to recover 
our systems and business processes if faced with another event 
such as 9/11, but the recovery of the services and the price 
discovery mechanisms we provide to the financial services 
sector and economy also relies on resiliencies of the external 
businesses on which the Exchange depends.
    I would like to thank the Chairwoman and the members of 
this committee for inviting the Exchange to speak with the 
other distinguished panelists on this extremely important 
topic. I would be happy to answer any questions the committee 
has.
    [The prepared statement of Samuel Gaer can be found on page 
101 in the appendix.]
    Mrs. Kelly. Thank you very much, Mr. Gaer.
    Mr. Tishuk.

 STATEMENT OF BRIAN S. TISHUK, EXECUTIVE DIRECTOR, CHICAGOFIRST

    Mr. Tishuk. Good afternoon. Chairman Kelly, members of the 
Financial Services Committee, I am Brian Tishuk, the executive 
director of ChicagoFIRST, a coalition of 16 of Chicago's 
leading financial institutions. A list of our members and 
government partners is appended to my written statement.
    Through ChicagoFIRST, these institutions cooperate with one 
another and collaborate with government to address common 
business continuity and homeland security issues. This ensures 
that our business continuity and disaster recovery plans 
conflict neither with one another nor with the government's 
plans for prevention, response and recovery.
    In light of the events of September 11, the Chicago 
financial community, as others, reexamined and enhanced their 
individual business continuity plans. During the spring and 
summer of 2003, a number of these institutions also decided to 
form ChicagoFIRST. Two leaders took it upon themselves to 
commit their time and their respective firms's resources to 
make this coalition a reality: Louis Rosenthal, executive vice 
president at LaSalle Bank and Ro Kumar, first vice president at 
the Options Clearing Corporation.
    From the beginning, our top priority was to get a seat in 
the city's Joint Operations Center or JOC. The JOC is a place 
where different government agencies, city agencies, come 
together to address a crisis, whether it is a snowstorm or a 
terrorist attack. We sought a seat to ensure access to accurate 
and timely information in case of an emergency. We obtained 
this seat in July of 2003. Our members are also working with 
the city and the state to learn where our respective evacuation 
procedures may conflict and to take remedial action.
    Another absolutely critical objective for the financial 
community in Chicago is credentialing. ChicagoFIRST and the 
city are using an interim credentialing solution that we put 
together with them, while the city and the state together 
develop a permanent one. ChicagoFIRST is also working with the 
city and the Red Cross to develop shelter-in-place protocols. 
These best practices will protect our members' employees at the 
office and their families at home.
    Now, every regional partnership will necessarily be unique. 
However, ChicagoFIRST has been constructed in a manner that 
would allow its salient elements to be replicated in other 
parts of the country. I would like to highlight four components 
of our model. First, financial institutions should organize 
themselves in a grassroots fashion and leadership should come 
from within the financial community. Second, with the critical 
infrastructure largely in the hands of the private sector, we 
have an obligation to put some ``skin in the game,'' as the 
saying goes. However, at least in the short term, funding from 
the public sector should also be provided.
    Third, information sharing is key. Such sharing ranges from 
the mundane of my calling the city to find out why there are a 
number of police cars and fire trucks outside a particular 
building, to the absolute essential of having the city and 
state give us a heads-up about impending issues and 
announcements such as the August 1 disclosure of terrorist 
threats against financial institutions on the east coast. 
Finally, not only can the above elements be replicated 
elsewhere, but also adapted to any region, even outside of 
financial centers where other sector participants may be 
necessary.
    I would like to mention briefly the crowning achievement of 
2004, a July tabletop exercise that proved successful in every 
way. Most importantly, we devised a scenario that examined how 
the partnership would function if financial institutions were 
forced to operate for an indefinite period of time under the 
threat of terrorist attack. Unfortunately, 2 weeks after the 
event, we saw that very scenario unfold in real life on the 
east coast that allowed us to be ahead of the game in Chicago.
    In conclusion, the members of ChicagoFIRST are very proud 
of our progress. While much remains to be done, Chicago's 
financial community is better prepared to protect its employees 
and businesses than it was before ChicagoFIRST was formed. We 
hope that our successful approach can provide a model for 
private-public partnerships in other cities throughout the 
country. Thank you again for the opportunity to testify at this 
important hearing, and I am happy to answer any questions the 
committee may have.
    [The prepared statement of Brian S. Tishuk can be found on 
page 136 in the appendix.]
    Mrs. Kelly. Thank you, Mr. Tishuk.
    I would like to ask a couple of questions, but before I do 
three of the five members of this panel are from New York and 
participated in the recovery. I want to compliment all of you. 
You were back up. You were functioning. Our financial systems 
in New York were functioning so quickly. You are to be 
complimented for the work that you did prior to 9/11 to ensure 
that that actually happened.
    I would like to begin with asking a general question, 
actually, but I am going to focus this on you, Mr. Britz. The 
Stock Exchange has often been thought to be a target for 
terrorists. In the press, it was indicated that terrorists had 
cased the Exchange as a potential target. In a broad sense, 
what additional steps have you taken since you heard about 
people casing the place?
    Mr. Britz. First of all, I will share with you an anecdote, 
Congresswoman. When we met, I referenced in my remarks, we met 
with Homeland Security, we met with the FBI the evening before, 
the Saturday evening as a matter of fact, and the NYPD and a 
number of local law enforcement agencies. We asked them point 
blank, what can we do, what might we do that we are not now 
doing? The answer uniformly was, nothing; that they regard what 
we do today or what we did prior to the most recent 
announcement as the gold standard.
    They, in turn, again as I referenced in my remarks, the 
NYPD in particular supplemented their force on the ground 
around our perimeter both in terms of patrolmen, but also in 
terms of the Hercules swat team, if you will, so that we had a 
very substantial presence over and above what we normally have. 
I know you have seen what we normally have, so I think it is 
the gold standard. But post-9/11, essentially what we did was 
push out our perimeter.
    We had well before 9/11 magnetometers, X-rayed every 
package, every valise. I myself walk through a magnetometer 
every morning. My briefcase goes through the X-ray every 
morning. But that, of course, is once you are inside the 
building. We pushed the perimeter out, as you know, with the 
help of the NYPD so that you cannot get within a block of the 
Stock Exchange with a vehicle without going through a 
checkpoint, having canine sniff, checking the manifest, having 
the dog sniff as to whether or not there is any explosive 
capability and so on. So essentially what we have done and what 
we have reinforced with the help of the police department is to 
extend that external perimeter away from the building.
    Mrs. Kelly. Thank you.
    I know there are a number of people who enjoy the fact that 
now there is a sense of a mall around the Stock Exchange. It 
certainly is pleasant to be able to walk without having to 
worry about the traffic down there.
    Mr. Britz. Those are the people who are not in vehicles.
    [Laughter.]
    Mrs. Kelly. Right. Exactly.
    Mr. Dolloff, you represent BITS. I asked a question of Mr. 
Liscouski in the earlier panel. I do not know if you were in 
the room. I am very concerned about the insider threat with 
regard to the programs that are in each one of the businesses 
that work in the financial industry. I am concerned about them 
because I understand that it is possible for people in the 
process of the programming and reprogramming to fit the niche 
market that each business needs, there are programmers who are 
there who are doing certain things.
    Is there something that you can tell me that the industry 
itself, from your BITS organization, the BITS FSR is doing, to 
perhaps profile the people who are doing programming, to do 
some kind of a check so that the programs do not yield up 
information that might be essential information to people that 
we actually would rather not have that information?
    Mr. Dolloff. Congresswoman, if I understand the question 
correctly, I would like to address it from the Huntington's 
perspective first, because I am not sure of the organization 
efforts of BITS in this area. I can tell you that many 
financial institutions have programming standards and 
oversights over their programmers. One person may develop a 
program and it then goes through a testing process, and what we 
call a ``change control'' process where people outside the unit 
that did the program, review the program for its legitimacy and 
to make sure that it is doing as it is intended to do.
    Now, is it possible for somebody to be so clever that it 
could sneak by even that checkpoint? Probably. You can only 
protect against what you think you know. But I think that is a 
standard that you will find in most financial services industry 
shops, if you will, on how they control the quality of the 
programs that they develop.
    Mrs. Kelly. My concern is that so many of us look at a 
threat from outside, hackers, people like that. My concern is 
the threat from inside.
    Mr. Dolloff. I would agree with you. There is always a 
threat, both externally and internally. As I said, we need to 
make sure that we have these dual checks in place, and 
sometimes it is more than dual checking. They go through very 
extensive testing processes to make sure that the program 
development that has taken place does what it is intended to 
do.
    Mrs. Kelly. My time is up. I do have a few more questions, 
but I am going to turn this over now to Mr. Miller.
    Mr. Miller of North Carolina. Thank you, Madam Chair.
    I wanted to pursue a question that I began with the first 
panel about compliance in the private sector with the necessary 
safeguards against terrorism; that 85 percent of our 
infrastructure is in the private sector. There has been 
apparently a fair amount of effort to try to develop standards.
    Mr. Britz, you referred to the New York Stock Exchange's 
standard as the gold standard, which I commend you for, but I 
am afraid that a great deal of the private sector will not 
adopt a gold standard, but a tarnished brass standard of going 
cheap on terrorism safeguards, when in fact they are at risk 
and there are consequences beyond. There are consequences to 
their employees. There are consequences to anybody else who may 
be on their premises. And there are consequences to the people 
that they do business with, in a ripple effect.
    The 9/11 Commission recommended a voluntary standard. Any 
of you, do you agree that it should be voluntary? Or should 
there be some force of law behind some standard in the private 
sector for terrorism safeguards? We can start with you, Mr. 
Britz, and work our way down.
    Mr. Britz. First of all, Congressman, when I referenced a 
gold standard, it was the New York City Police Department and 
the FBI referring to us, not us referring to ourselves. It was 
in the area of physical security.
    Mr. Miller of North Carolina. Either way, I commend you.
    Mr. Britz. Gosh, I really do not feel confident to address 
that question other than to perhaps offer a private sector 
comment which would be that it is in the private sector's 
interest to safeguard their respective franchises. I know that 
the New York Stock Exchange has done everything it has done, 
even though we are overseen by the Securities and Exchange 
Commission to be sure, and the word ``cajole'' was used 
earlier. They cajole us every now and again.
    But most, if not everything that we have done in the area 
of protecting our infrastructure has been self-initiated 
because it is in our business and our franchise interest to do 
that. So you have that kind of a motivator resident within 
every private sector business that has assets and franchises to 
safeguard.
    Beyond that, I am not a regulator of the banks or the 
paying agencies and so on, and I do not know if I would comment 
beyond that.
    Mr. Miller of North Carolina. Anybody else? Try to keep it 
fairly brief because I only have 5 minutes. Yes, sir?
    Mr. Mohr. Yes, I would agree with most of what Mr. Britz 
said. I think it is in the interests of the private sector to 
make sure they are safe and sound. I would also point out that 
the regulators, in my opinion, did an excellent job following 
9/11, leading the review on an industry-wide basis and coming 
up with a lot of good clear thinking, good clear direction.
    I think the partnership between the two was essential to 
making us as strong as we are today. I think the best way 
forward is to keep that partnership going, keep driving the two 
together to make sure that they are working together.
    Mr. Miller of North Carolina. Anyone wish to speak up for 
something other than a volunteer standard? All right.
    A second point that the 9/11 Commission made, let me read 
one question, their bolded recommendation: ``We believe that 
compliance with the standards should define the standard of 
care owed by a company to its employees and the public for 
legal purposes.''
    I took that to be a reference to the substantial body of 
state negligence law, of common law negligence of what the 
standard of care is, and that reference means that they believe 
that under state common law businesses that did not adopt the 
appropriate safeguards, and there are consequences to others as 
a result of their failures, should give rise to civil 
liability.
    There is also a wealth of economic theory that says that 
the civil liability system is a market mechanism to assure 
proper safeguards. Do you agree that the civil liability system 
would apply in cases, certainly now that we know there is a 
terrorism threat, to the consequences of a failure to take 
appropriate safeguards? Anybody want to stick up a hand? Mr. 
Britz, do you want to start with you?
    Mr. Britz. Congressman, I apologize. I do not feel 
confident to respond to that question. I am neither a lawyer 
nor an expert on what it is the Commission intended in those 
words.
    Mr. Miller of North Carolina. Okay.
    Mr. Mohr, do you have any comment?
    Mr. Mohr. I have nothing to add to that.
    [Laughter.]
    Mr. Miller of North Carolina. Mr. Dolloff?
    Mr. Dolloff. I would agree. I do not feel qualified to 
answer that question.
    Mr. Miller of North Carolina. All right.
    Mr. Gaer?
    Mr. Gaer. I would also agree. I am neither a lawyer nor an 
expert on what you are reading.
    Mr. Miller of North Carolina. Mr. Tishuk?
    Mr. Tishuk. I am afraid it is not my area of expertise 
either.
    Mr. Miller of North Carolina. Okay. I am pleased that I was 
able to bring about so much unanimity among the panel.
    [Laughter.]
    Mrs. Kelly. Thank you very much, Mr. Miller.
    Ms. Biggert.
    Mrs. Biggert. Thank you, Madam Chairman.
    I would like to congratulate all of the members of this 
panel for their self-initiated efforts to bolster the 
infrastructure of America's financial sector, and to take the 
offensive approach in that.
    I would especially like to applaud you, Mr. Tishuk, not 
just because you live in Homer and are a constituent, but for 
what you have done with ChicagoFIRST in providing a model 
partnership between the public and private sector in this area.
    Could you just tell us a little bit more about the tabletop 
and what happened and why that is so important, and what you 
learned from it?
    Mr. Tishuk. Certainly. The tabletop took place in mid-July. 
We had terrific participation, some 17 government agencies, 21 
financial institutions, telecommunications providers, power, 
water. It included all of the relevant areas of the city and 
the state, as well as the federal government. It was very 
useful.
    The whole object of the tabletop was to assess assumptions 
that we all had about one another, to make sure that we knew 
what we could really expect from one another during an 
emergency, rather than finding out something we did not expect 
in the heat of the moment.
    It certainly provided a lot of grist for our mill. 
Everybody has told us it was very successful, that they learned 
a lot about all the other participants. We certainly learned a 
lot. We learned our communications systems are even more 
fragile than we had initially thought, and we are working to 
find alternatives to the conference calls that we tend to rely 
upon.
    We are also reaching out to the counties surrounding 
Chicago, because our employees come from there and we certainly 
learned more about the city's and state's evacuation plans for 
getting folks out of the city, out of Cook County and beyond. 
Therefore, it is important to make sure that they are part of 
this dialogue so that our employees know what they can expect 
to find if such an event occurs.
    Perhaps most importantly, given its success, we learned 
that it is very much a goal for us to test, implement lessons 
learned to fill the gaps, and repeat, both in the table top 
format, which is somewhat artificial, as well as in a testing 
mode where you are in your office or where you are supposed to 
be normally, and then respond.
    Mrs. Biggert. It was mentioned earlier, or it was mentioned 
in your testimony that you have had trouble communicating with 
the Department of Homeland Security, while you have worked very 
closely with the Treasury Department. Do you think that that 
will change after today?
    Mr. Tishuk. I certainly have that expectation, yes. I would 
like to point out, though, that we have had excellent support 
and a relationship with DHS's regional arms in Chicago. Both 
FEMA and the Secret Service have been with us every step of the 
way. They have been forthcoming with their ideas and very 
supportive to our suggestions. So from that standpoint, things 
could not be better.
    Mrs. Biggert. One of your suggestions has been that you 
would have a regional center for the Department of Homeland 
Security in Chicago.
    Mr. Tishuk. Correct. Chicago is a vital center. As the East 
Coast hardens for good reasons, we certainly want to make sure 
that terrorists do not look upon Chicago as a softer 
alternative to attacking financial institutions and 
metropolitan areas.
    Mrs. Biggert. Thank you for all that you do.
    I have another question for probably most of the people on 
the panel. After 9/11, a number of financial firms managed to 
shift trading and portfolio management to their offices in 
London and other financial capitals. Should major global 
financial institutions include in their disaster recovery plans 
the ability to shift trading and book management temporarily 
away from the affected country? Do some of you have that in 
your plan in case that there is a disaster? Mr. Britz?
    Mr. Britz. I will take a shot at that, Congresswoman. In 
our Rule 446, the business continuity rule, and I am now 
talking about broker-dealer member firms of the New York Stock 
Exchange, we impose a requirement that they demonstrate the 
ability to operate under various circumstances, but we do not 
dictate as to how.
    When you say ``shift away'' from the affected country, and 
this country is a fairly large country, that may very well 
include shifting to other centers that they may have literally 
around this country, as opposed to necessarily going to Europe 
or some other center. The NYSE as a regulator of broker-dealers 
dictates that you have to demonstrate the capability, but we do 
not dictate as to how.
    Mrs. Biggert. Mr. Mohr?
    Mr. Mohr. For the commercial banks, the regulators have 
already told the larger banks that they must have certain 
recovery capabilities that are outside the immediate region. 
That process is already under way, but there is no directive 
that they have to move offshore. Those banks that did move 
offshore did so because they are multinational banks that have 
processing centers in other areas of the world.
    Mrs. Biggert. Mr. Dolloff?
    Mr. Dolloff. I would agree with what Mr. Mohr just said. We 
have backup facilities outside our immediate region. We, 
however, are not an international or have an international 
presence, so we would not have that capability to go outside 
the United States, but we do have backup facilities.
    Mrs. Biggert. Mr. Gaer?
    Mr. Gaer. Like everybody else on this panel, our business 
is intensely competitive. In an event such as 9/11, for 
example, let us call it a sister exchange of hours. We got a 
phone call from somebody across the pond to host their book, 
and that was their biggest fear, if you will, because they felt 
that once that liquidity goes offshore, it is going to stay 
there.
    As such, we do have a fully redundant trading facility 
where if we needed to move trading, we could move trading to 
that facility. We have two separate, fully redundant electronic 
trading systems that if the facilities are not available, we 
can use those facilities. We in the midst right now of looking 
at actually globalizing and providing a presence offshore as 
well.
    Mrs. Biggert. Thank you.
    Mr. Tishuk?
    Mr. Tishuk. You raise an important issue, but it falls 
outside the scope of our particular mission.
    Mrs. Biggert. Okay. Thank you. Thank you all.
    I yield back.
    Mrs. Kelly. Thank you, Ms. Biggert.
    One thing I did want to just mention, Mr. Gaer you said 
that you are dependent on the external infrastructures. I 
simply want to offer this committee's help, if you have some 
ideas of things that we might be able to do. You can certainly 
call my staff. We would be very interested to do whatever we 
can for you, because I realize that you are in many ways 
affected by that more than some of the other people involved in 
financial services.
    Gentleman, I neglected to say as you sat down that without 
objection, your written statements will be made part of the 
record. You have been recognized for 5-minute summaries of your 
testimonies, but your testimony will be made a part of the 
record, your full testimony.
    The Chair notes that some members may have additional 
questions for this panel which they may wish to submit in 
writing. So without objection, the hearing record will remain 
open for 30 days for the members to submit written questions to 
these witnesses and to place their responses in the record.
    We thank you very much for your patience and for your 
testimony today. This hearing is adjourned.
    [Whereupon, at 1:15 p.m., the committee was adjourned.]


                            A P P E N D I X



                           September 8, 2004

[GRAPHIC] [TIFF OMITTED] T7449.001

[GRAPHIC] [TIFF OMITTED] T7449.002

[GRAPHIC] [TIFF OMITTED] T7449.003

[GRAPHIC] [TIFF OMITTED] T7449.004

[GRAPHIC] [TIFF OMITTED] T7449.005

[GRAPHIC] [TIFF OMITTED] T7449.006

[GRAPHIC] [TIFF OMITTED] T7449.007

[GRAPHIC] [TIFF OMITTED] T7449.008

[GRAPHIC] [TIFF OMITTED] T7449.009

[GRAPHIC] [TIFF OMITTED] T7449.010

[GRAPHIC] [TIFF OMITTED] T7449.011

[GRAPHIC] [TIFF OMITTED] T7449.012

[GRAPHIC] [TIFF OMITTED] T7449.013

[GRAPHIC] [TIFF OMITTED] T7449.014

[GRAPHIC] [TIFF OMITTED] T7449.015

[GRAPHIC] [TIFF OMITTED] T7449.016

[GRAPHIC] [TIFF OMITTED] T7449.017

[GRAPHIC] [TIFF OMITTED] T7449.018

[GRAPHIC] [TIFF OMITTED] T7449.019

[GRAPHIC] [TIFF OMITTED] T7449.020

[GRAPHIC] [TIFF OMITTED] T7449.021

[GRAPHIC] [TIFF OMITTED] T7449.022

[GRAPHIC] [TIFF OMITTED] T7449.023

[GRAPHIC] [TIFF OMITTED] T7449.024

[GRAPHIC] [TIFF OMITTED] T7449.025

[GRAPHIC] [TIFF OMITTED] T7449.026

[GRAPHIC] [TIFF OMITTED] T7449.027

[GRAPHIC] [TIFF OMITTED] T7449.028

[GRAPHIC] [TIFF OMITTED] T7449.029

[GRAPHIC] [TIFF OMITTED] T7449.030

[GRAPHIC] [TIFF OMITTED] T7449.031

[GRAPHIC] [TIFF OMITTED] T7449.032

[GRAPHIC] [TIFF OMITTED] T7449.033

[GRAPHIC] [TIFF OMITTED] T7449.034

[GRAPHIC] [TIFF OMITTED] T7449.035

[GRAPHIC] [TIFF OMITTED] T7449.036

[GRAPHIC] [TIFF OMITTED] T7449.037

[GRAPHIC] [TIFF OMITTED] T7449.038

[GRAPHIC] [TIFF OMITTED] T7449.039

[GRAPHIC] [TIFF OMITTED] T7449.040

[GRAPHIC] [TIFF OMITTED] T7449.041

[GRAPHIC] [TIFF OMITTED] T7449.042

[GRAPHIC] [TIFF OMITTED] T7449.043

[GRAPHIC] [TIFF OMITTED] T7449.044

[GRAPHIC] [TIFF OMITTED] T7449.045

[GRAPHIC] [TIFF OMITTED] T7449.046

[GRAPHIC] [TIFF OMITTED] T7449.047

[GRAPHIC] [TIFF OMITTED] T7449.048

[GRAPHIC] [TIFF OMITTED] T7449.049

[GRAPHIC] [TIFF OMITTED] T7449.050

[GRAPHIC] [TIFF OMITTED] T7449.051

[GRAPHIC] [TIFF OMITTED] T7449.052

[GRAPHIC] [TIFF OMITTED] T7449.053

[GRAPHIC] [TIFF OMITTED] T7449.054

[GRAPHIC] [TIFF OMITTED] T7449.055

[GRAPHIC] [TIFF OMITTED] T7449.056

[GRAPHIC] [TIFF OMITTED] T7449.057

[GRAPHIC] [TIFF OMITTED] T7449.058

[GRAPHIC] [TIFF OMITTED] T7449.059

[GRAPHIC] [TIFF OMITTED] T7449.060

[GRAPHIC] [TIFF OMITTED] T7449.061

[GRAPHIC] [TIFF OMITTED] T7449.062

[GRAPHIC] [TIFF OMITTED] T7449.063

[GRAPHIC] [TIFF OMITTED] T7449.064

[GRAPHIC] [TIFF OMITTED] T7449.065

[GRAPHIC] [TIFF OMITTED] T7449.066

[GRAPHIC] [TIFF OMITTED] T7449.067

[GRAPHIC] [TIFF OMITTED] T7449.068

[GRAPHIC] [TIFF OMITTED] T7449.069

[GRAPHIC] [TIFF OMITTED] T7449.070

[GRAPHIC] [TIFF OMITTED] T7449.071

[GRAPHIC] [TIFF OMITTED] T7449.072

[GRAPHIC] [TIFF OMITTED] T7449.073

[GRAPHIC] [TIFF OMITTED] T7449.074

[GRAPHIC] [TIFF OMITTED] T7449.075

[GRAPHIC] [TIFF OMITTED] T7449.076

[GRAPHIC] [TIFF OMITTED] T7449.077

[GRAPHIC] [TIFF OMITTED] T7449.078

[GRAPHIC] [TIFF OMITTED] T7449.079

[GRAPHIC] [TIFF OMITTED] T7449.080

[GRAPHIC] [TIFF OMITTED] T7449.081

[GRAPHIC] [TIFF OMITTED] T7449.082

[GRAPHIC] [TIFF OMITTED] T7449.083

[GRAPHIC] [TIFF OMITTED] T7449.084

[GRAPHIC] [TIFF OMITTED] T7449.085

[GRAPHIC] [TIFF OMITTED] T7449.086

[GRAPHIC] [TIFF OMITTED] T7449.087

[GRAPHIC] [TIFF OMITTED] T7449.088

[GRAPHIC] [TIFF OMITTED] T7449.089

[GRAPHIC] [TIFF OMITTED] T7449.090

[GRAPHIC] [TIFF OMITTED] T7449.091

[GRAPHIC] [TIFF OMITTED] T7449.092

[GRAPHIC] [TIFF OMITTED] T7449.093

[GRAPHIC] [TIFF OMITTED] T7449.094

[GRAPHIC] [TIFF OMITTED] T7449.095

[GRAPHIC] [TIFF OMITTED] T7449.096

[GRAPHIC] [TIFF OMITTED] T7449.097

[GRAPHIC] [TIFF OMITTED] T7449.098

[GRAPHIC] [TIFF OMITTED] T7449.099

[GRAPHIC] [TIFF OMITTED] T7449.100

[GRAPHIC] [TIFF OMITTED] T7449.101

[GRAPHIC] [TIFF OMITTED] T7449.102

[GRAPHIC] [TIFF OMITTED] T7449.103

[GRAPHIC] [TIFF OMITTED] T7449.104

[GRAPHIC] [TIFF OMITTED] T7449.105

[GRAPHIC] [TIFF OMITTED] T7449.106

[GRAPHIC] [TIFF OMITTED] T7449.107

[GRAPHIC] [TIFF OMITTED] T7449.108

[GRAPHIC] [TIFF OMITTED] T7449.109

[GRAPHIC] [TIFF OMITTED] T7449.110

[GRAPHIC] [TIFF OMITTED] T7449.111

[GRAPHIC] [TIFF OMITTED] T7449.112

