[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
FINANCIAL SERVICES SECTOR PREPAREDNESS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
FINANCE, AND ACCOUNTABILITY
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 26, 2005
__________
Serial No. 109-124
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
26-505 WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
TOM DAVIS, Virginia, Chairman
CHRISTOPHER SHAYS, Connecticut        HENRY A. WAXMAN, California
DAN BURTON, Indiana                   TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida          MAJOR R. OWENS, New York
JOHN M. McHUGH, New York              EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                 PAUL E. KANJORSKI, Pennsylvania
GIL GUTKNECHT, Minnesota              CAROLYN B. MALONEY, New York
MARK E. SOUDER, Indiana               ELIJAH E. CUMMINGS, Maryland
STEVEN C. LaTOURETTE, Ohio            DENNIS J. KUCINICH, Ohio
TODD RUSSELL PLATTS, Pennsylvania     DANNY K. DAVIS, Illinois
CHRIS CANNON, Utah                    WM. LACY CLAY, Missouri
JOHN J. DUNCAN, Jr., Tennessee        DIANE E. WATSON, California
CANDICE S. MILLER, Michigan           STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio               CHRIS VAN HOLLEN, Maryland
DARRELL E. ISSA, California           LINDA T. SANCHEZ, California
JON C. PORTER, Nevada                 C.A. DUTCH RUPPERSBERGER, Maryland
KENNY MARCHANT, Texas                 BRIAN HIGGINS, New York
LYNN A. WESTMORELAND, Georgia         ELEANOR HOLMES NORTON, District of
PATRICK T. McHENRY, North Carolina        Columbia
CHARLES W. DENT, Pennsylvania                     ------
VIRGINIA FOXX, North Carolina         BERNARD SANDERS, Vermont
JEAN SCHMIDT, Ohio                        (Independent)
------                                ------
Melissa Wojciak, Staff Director
David Marin, Deputy Staff Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel
Subcommittee on Government Management, Finance, and Accountability
TODD RUSSELL PLATTS, Pennsylvania, Chairman
VIRGINIA FOXX, North Carolina         EDOLPHUS TOWNS, New York
TOM DAVIS, Virginia                   MAJOR R. OWENS, New York
GIL GUTKNECHT, Minnesota              PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana               CAROLYN B. MALONEY, New York
JOHN J. DUNCAN, Jr., Tennessee
Ex Officio
HENRY A. WAXMAN, California
Mike Hettinger, Staff Director
Tabetha Mueller, Professional Staff Member
Adam Bordes, Minority Professional Staff Member
C O N T E N T S
----------
Hearing held on September 26, 2005
Statement of:
    Allen, Catherine, chief executive officer, BITS, the
      Financial Services Roundtable; Donald Donahue, chairman,
      Financial Services Sector Coordinating Council for Critical
      Infrastructure Protection and Homeland Security; Samuel
      Gaer, chief information officer, New York Mercantile
      Exchange, Inc., chief executive officer, NYMEX Europe
      Limited; and Steve Randich, executive vice president of
      operations and technology and chief information officer,
      the NASDAQ Stock Market, Inc.
        Allen, Catherine
        Donahue, Donald
        Gaer, Samuel
        Randich, Steve
    Kelly, Raymond, police commissioner, city of New York
    Parsons, D. Scott, Deputy Assistant Secretary, Critical
      Infrastructure Protection and Compliance Policy, Department
      of the Treasury; R. James Caverly, Director, Infrastructure
      Coordination Division, Department of Homeland Security; and
      Daniel Muccia, first deputy superintendent of banks, State
      of New York Banking Department
        Caverly, R. James
        Muccia, Daniel
        Parsons, D. Scott
Letters, statements, etc., submitted for the record by:
    Allen, Catherine, chief executive officer, BITS, the
      Financial Services Roundtable, prepared statement of
    Caverly, R. James, Director, Infrastructure Coordination
      Division, Department of Homeland Security, prepared
      statement of
    Donahue, Donald, chairman, Financial Services Sector
      Coordinating Council for Critical Infrastructure Protection
      and Homeland Security, prepared statement of
    Gaer, Samuel, chief information officer, New York Mercantile
      Exchange, Inc., chief executive officer, NYMEX Europe
      Limited, prepared statement of
    Kelly, Raymond, police commissioner, city of New York,
      prepared statement of
    Muccia, Daniel, first deputy superintendent of banks, State
      of New York Banking Department, prepared statement of
    Parsons, D. Scott, Deputy Assistant Secretary, Critical
      Infrastructure Protection and Compliance Policy, Department
      of the Treasury, prepared statement of
    Platts, Hon. Todd Russell, a Representative in Congress from
      the State of Pennsylvania, prepared statement of
    Randich, Steve, executive vice president of operations and
      technology and chief information officer, the NASDAQ Stock
      Market, Inc., prepared statement of
FINANCIAL SERVICES SECTOR PREPAREDNESS
----------
SEPTEMBER 26, 2005
House of Representatives,
Subcommittee on Government Management, Finance, and
Accountability,
Committee on Government Reform,
Brooklyn, NY.
The subcommittee met, pursuant to notice, at 10:07 a.m., at
the Brooklyn Law School, 250 Joralemon Street, Brooklyn, NY,
Hon. Todd Russell Platts (chairman of the subcommittee)
presiding.
Present: Representatives Platts and Towns.
Staff present: Michael Hettinger, staff director; Tabetha
Mueller, professional staff member; Daniel Daly, counsel; and
Adam Bordes, minority professional staff member.
Mr. Platts. A quorum being present, this hearing of the
Committee on Government Reform Subcommittee on Government
Management, Finance, and Accountability will come to order.
I'd like to thank first the Brooklyn School of Law and my
esteemed colleague and ranking member of our subcommittee, Mr.
Towns, for hosting this field hearing here in Brooklyn. We're
here in New York because this is the heart of our Nation's
financial sector. On September 11, 2001, terrorists destroyed
the World Trade Center in an attempt not just to murder and
maim, but to dismantle our economy. With the backdrop of two
destructive hurricanes, we see that any disaster, whether
natural or man made, requires us to be well prepared. This
hearing is about the preparedness of the financial sector in
particular.
The rapid recovery of the financial infrastructure after
September 11th inspired confidence throughout America. The U.S.
Treasury securities market opened just 2 days later and the
equities market was in full operation by September 17th. Still,
Congress, the executive branch and industry realized that
financial firms would need new contingency plans. The Federal
Government in partnership with local governments and the
private sector responded with a variety of initiatives. Many of
these post September 11th improvements were tested during the
massive power blackout on August 14, 2003. All indications
after the blackout were that improvements put in place after
September 11th helped mitigate the damage that could have
resulted from the infrastructure shutdown and panic the
blackout caused. These results are encouraging.
The purpose of this hearing is to examine the present
status of financial market preparedness for wide scale
disasters or disruptions, including efforts aimed at
prevention, detection and response. This hearing will provide
local, State and Federal Government officials and
representatives from the private sector a chance to discuss
accomplishments and identify areas where improvements and
resources are still needed.
[The prepared statement of Hon. Todd Russell Platts
follows:]
[GRAPHIC] [TIFF OMITTED] T6505.001
Mr. Platts. We have a very distinguished group of
witnesses, beginning with Mr. Raymond W. Kelly, police
commissioner for the city of New York. Commissioner Kelly,
thanks for being with us.
Mr. Kelly. Thank you, sir.
Mr. Platts. Commissioner Kelly will be followed by Mr. D.
Scott Parsons, Deputy Assistant Secretary for Critical
Infrastructure Protection and Compliance Policy from the U.S.
Department of Treasury; Mr. R. James Caverly, Director of the
Infrastructure Coordination Division at the U.S. Department of
Homeland Security and Mr. Daniel A. Muccia, first deputy
superintendent of banks from the State of New York Banking
Department.
On our third panel will be Ms. Catherine Allen, chief
executive officer of BITS, the Financial Services Roundtable
and Mr. Donald Donahue, chairman of the Financial Services
Sector Coordinating Council for Critical Infrastructure
Protection and Homeland Security; Mr. Samuel Gaer, chief
information officer for the New York Mercantile Exchange; Mr.
Steve Randich, executive vice president of operations and
technology and chief information officer for the NASDAQ stock
market.
Thank you again all for being here today and we look
forward to your testimony.
I'm pleased now to yield to our ranking member, the
gentleman from New York, Mr. Towns, for purposes of an opening
statement.
Mr. Towns. Thank you very much, Mr. Chairman. Thank you for
holding this hearing today in Brooklyn. I'd also like to thank
our police commissioner, Mr. Kelly, which I'd say is the finest
commissioner this city has ever known or seen. He's done a
fantastic job over the years. Always a pleasure to see you
here.
Mr. Kelly. Thank you, sir.
Mr. Towns. I'm pleased to welcome our Government Management
Subcommittee to our home town, Brooklyn, NY, and look
forward to our distinguished panel from both the public and
private sectors. The financial capital of the world, New York
remains a vital component of economic growth, both domestically
and abroad. Although political and economic alterations have
shaped and changed the marketplace in recent years, banks,
brokers, government lenders and Wall Street have remained the
backbone of our capital and currency markets from Brooklyn to
Beijing.
The New York Stock Exchange alone accounts for
approximately 2,800 companies with a combined market
capitalization of nearly $20 trillion. On an average day the
New York Stock Exchange trades nearly 1\1/2\ billion shares for
an average daily dollar volume of roughly $50 billion. Stock
and equity instruments, however, are not the only source of
economic reliability for our markets. Future commodities and
options trading at places such as the New York Mercantile
Exchange serve as a major investment vehicle among
institutional investors, pension funds and economic forecasters
for domestic and foreign companies. Imagine the crisis our
domestic manufacturers or agricultural sectors would be faced
with if they did not have access to a viable commodities
trading platform for energy products.
Recent events, however, beginning with the tragedy of
September 11, 2001 have forced both government and industry at
all levels to reevaluate how well we are prepared to maintain
stability and continuity in the marketplace should another
disaster occur. Such events are not only fiscal in nature, as
electronic attacks on our electricity and telecommunication
grids can prove as consequential and costly as a physical
attack.
The government and private sector have appropriately
embraced the need for stronger planning and coordination of
activity since September 11th and have successfully begun to
incorporate risk-based activities in their plans to reduce the
threats facing industry and the physical infrastructure, human
capital and personnel and information sharing capabilities.
Backup systems and fiscal entities separate from current
operations are now common among brokerage houses and trading
platforms. Nevertheless, the various types of threats facing
our financial services sector require planning at not only the
Federal level, but at the State and local levels of government
as well.
While the Department of Homeland Security may coordinate
information sharing activities and threat level analysis, it
would require the Metropolitan Transportation Authority, the
New York PD and the Office of Emergency Management to execute a
broad-based evacuation of Wall Street or southern Manhattan in
the event of a physical attack within the surrounding area.
These activities would require State authorities to reconfigure
travel patterns on interstate highways and area bridges to
insure safety and orderly evacuation activities. Furthermore,
the functionality and reliability of our telecommunication
electricity and pipeline grids will require both Federal and
State coordination of activities in order to remedy and
preserve the security of our energy resources in the wake of a
disaster.
From this perspective, I hope our witnesses can demonstrate
for us a clear delineation of responsibilities among both
government and regulators and private sector participants. An
underlying tenet of our market-based model is the level of
trust and transparency investors both large and small can place
in our institutions. It is our responsibility for planning and
executing an adequate level of security and reliability for
market activities that is shared at all levels of government in
concert with private sector participants.
Thus, I hope our witnesses will speak to this blueprint of
coordination, execution and transparency to insure that our
market remains the bedrock of economic growth for centuries to
come.
Again, I'd like to thank all the witnesses for appearing
today, and on that note, Mr. Chairman, I yield back.
Mr. Platts. Thank you, Mr. Towns. We'll commence with the
testimony of Commissioner Kelly. If you don't mind, would you
please stand and be sworn in?
[Witness sworn.]
Mr. Platts. We'll note that the Commissioner affirmed the
oath in the positive. We'll proceed, we have a general
guideline of about 5 minutes, but, Commissioner, we're
delighted to have you here and the expertise you have, he may
be giving you some guidance on time, but we really would like
you to take whatever time you need to share your insights with
us.
STATEMENT OF RAYMOND KELLY, POLICE COMMISSIONER, CITY OF NEW
YORK
Mr. Kelly. Thank you very much, Mr. Chairman and
Congressman Towns. Good morning and thank you for inviting me
today.
Defending this city, the financial capital of the world,
from a terrorist attack is the No. 1 priority of the New York
City Police Department. Accordingly, I'd like to focus my
remarks today on the preventive measures the department is
taking against this threat.
As you know, one of the stated aims of Osama bin Laden and
al-Qaeda is to target America's economy. Shortly after the
September 11th attacks, bin Laden himself exulted in the
massive blows suffered by the U.S. economy, offering in an
interview his own estimation of over $1 trillion in losses. We
have no doubt that he seeks to replicate that strike if
possible.
Since then, we learned of another plan to target financial
institutions in New York. This after authorities discovered
detailed surveillance of the Stock Exchange and the Citigroup
Center in the laptop computer of an al-Qaeda operative captured
in Pakistan last year. This followed two additional al-Qaeda
plots to target the city in 2003; the first to bring down the
Brooklyn Bridge and the second to smuggle weapons through a
garment district business into the heart of Manhattan. These
plots were foiled by increased police visibility and good
intelligence sharing.
I cite them as evidence that New York City remains squarely
in the cross hairs. Consequently, nowhere else is the effort to
prevent another attack being undertaken with greater urgency.
In addition to the dollar cost, this has required that we
divert 1,000 police officers to counter-terrorism duties every
day, and engage in extensive training and preparation. We've
also undertaken a range of defensive measures to protect and
harden the downtown financial district and enlist the support
of the private sector.
Beginning in January 2002, we created a new bureau of
counter-terrorism and we restructured our intelligence
division. We've recruited outstanding individuals with
extensive Federal intelligence and counter-terrorism experience
to run them. We expanded our presence on the Joint Terrorist
Task Force with the FBI and we posted detectives to seven other
countries to enhance the flow of information we receive about
any threats relevant to New York City.
We established one of the premier counter-terrorism
training centers in the Nation right here in Brooklyn. In
addition to our own core of 37,000 police officers, we have
delivered training through that center to the members of the
New York City Fire Department, the Metropolitan Transportation
Authority Police Department, New York State Police; Nassau,
Suffolk, Westchester, Rockland County Police and other
agencies. We have also brought in dozens of private security
professionals from hotels, banks and other institutions and
trained them to better protect their facilities. Through our
Nexus program we are reaching out to businesses that terrorists
might seek to exploit. We want businesses to report any unusual
order or anomalies that might suggest terrorist involvement.
Detectives have paid thousands of visits to businesses
throughout the city to increase their counter-terrorism
awareness.
In July we launched a new initiative with the private
security industry in New York called NYPD Shield. We are
establishing a secure Web site with training materials and
threat information updates and we have offered detailed
briefings on topics such as the London bombing and the attacks
on the Egyptian resorts at Sharm el Sheikh. We also exchange
threat information daily with the city's corporate and
institutional security directors through an instant messaging
system.
We have expanded the protection of critical infrastructure
throughout the region. We have created the threat reduction and
infrastructure protection program [TRIPS]. We've also divided
critical infrastructure into five categories and assigned a
team of detectives to cover each one. These investigators visit
facilities throughout the city, identifying vulnerabilities and
developing comprehensive protection plans with site managers to
prevent attacks.
In 2003, at the beginning of the war in Iraq, we
implemented a comprehensive security plan known as Operation
Atlas. Given the ongoing terrorist threat Atlas remains in
effect today. Broadly speaking, Operation Atlas has tightened
the protective net around the city by increasing vigilance at
entry points into New York and by placing mass transit and
other potential targets under much greater scrutiny.
Turning to the financial district itself, beginning in
2002, the Police Department engaged in extensive collaboration
with the New York Stock Exchange and downtown business leaders
to harden the financial district. The area around the Exchange
is the subject of 24-hour police presence under Operation
Atlas, which includes visits by our heavily armed Hercules
teams. We also established vehicle checkpoints at seven major
intersections leading into the Exchange. Each is monitored by
Stock Exchange security officers trained by the NYPD. Each
checkpoint is outfitted with Police Department recommended
equipment, including Delta barriers and sallyports to deter
truck bombs; explosives screening points and bomb-resistant
guard booths. Further protection is offered by dozens of
retractable bollards and heavy planters that restrict
pedestrian and vehicle flow.
I want to note that as lower Manhattan continues to
recover, and continues its rebuilding process, we plan to
dedicate significant resources and personnel to keep pace with
the growth of business. That includes the establishment of a
coordination center where all relevant law enforcement agencies
and the private sector will be represented. We look forward to
Federal support of such an initiative.
Mr. Chairman, any viable counter-terrorism program must
stress prevention and response equally. And if, God forbid, New
York City is struck again by terrorists or any other disaster,
the Police Department will be prepared to respond immediately.
We have trained approximately 12,000 of our officers in more
advanced chemical, biological and radiological response to an
attack involving weapons of mass destruction. We have also
provided training to nearly all of our uniformed personnel in
the New Citywide Incident Management System or SIMS, adopted
last year by New York City. The system provides a unified
command structure that allows the Police Department to work
seamlessly with other first responders, including the Fire
Department, for any disaster.
We conduct daily exercises throughout the city in
responding to a terrorist attack. This constant training and
drilling paid off during the blackout of 2003, when the Police
Department was mobilized to protect the city from looting and
potential disorder. There were few arrests and disruptions were
kept to a minimum.
As you know, while overall evacuation planning is the
responsibility of the city's Office of Emergency Management,
the Police Department would play a major role in such an event.
One of our most important responsibilities would be to secure
key sites and protect life and property during and after a
major incident. We're fully prepared to do that.
On that note, I want to mention that last week we welcomed
back the second half of the 300-plus police officer contingent
we sent to Mississippi and New Orleans after Hurricane Katrina.
These officers took part in search and rescue operations and
patrolled against looters. Along with the pride and
satisfaction from a job well done, the Police Department will
undoubtedly learn from that experience and we dispatched
another joint New York City Police Department and Fire
Department team to Texas to assist there with Hurricane Rita.
Finally, Mr. Chairman, I want to emphasize that all of our
preparations come at a steep price; about 180 million per year
to maintain our daily counter-terrorism and intelligence
activity. These are ongoing operational costs to defend the
city. While the Federal Government provides vital assistance
for training, equipment and overtime, we still have huge
expenses to cover. Regrettably, the influx of Federal support
one would expect to flow to New York as a result of living in
the cross hairs has not been sufficient.
The Police Department is defending New York's people, its
infrastructure and the Nation's financial assets from another
terrorist attack, yet a large proportion of the Federal
homeland security grant funding still is not targeted to
threat. The Federal Government must invest realistically in
protecting those areas the terrorists are likely to target
again. Along with a few other major cities, New York tops that
list. Everything we know about al-Qaeda tells us that this is
true. It's a lesson from our history that we simply cannot
afford to ignore.
Thank you for inviting me today, Mr. Chairman.
[The prepared statement of Mr. Kelly follows:]
[GRAPHIC] [TIFF OMITTED] T6505.002
[GRAPHIC] [TIFF OMITTED] T6505.003
[GRAPHIC] [TIFF OMITTED] T6505.004
[GRAPHIC] [TIFF OMITTED] T6505.005
[GRAPHIC] [TIFF OMITTED] T6505.006
Mr. Platts. Thank you, Mr. Kelly, we appreciate your
testimony and glad to have an exchange with you. Just this past
week we saw with Mayor Bloomberg announcing the $6 million
grant from the Department of Justice regarding the
interoperations of communications, through the city and the
surrounding counties and boroughs of New York and New Jersey
and that certainly goes to part of your message about
coordination and the ability to be on the same page.
Can you expand a little bit on that effort and how that's
building on the interoperable communications already in place
since September 11th?
Mr. Kelly. We actually had interoperability capability
before September 11th and since September 11th it's been
reinforced and practiced indeed. We emphasize and check our
interoperability channels every day. What this gives us is the
ability to communicate with the surrounding areas; particularly
Essex County in New Jersey and Bergen County and Westchester
County. So in the event that our resources from those counties
need to come into New York City or we respond to their
purposes, we can communicate more effectively.
So it's certainly moving in the right direction. With
support it will take perhaps about a year to get that function.
We do have now interoperability with Nassau County, which
is contiguous to New York City, on our eastern border. So it's,
again, part of the continuum to continuing to improve our
ability to communicate.
Mr. Platts. The provision of the $6 million certainly is
not perfect, and I know it's a challenge to acquire sufficient
funds. You've touched in your testimony on the not-unlimited
national funds, that we do it in a smarter way.
Are there specific examples of where the things that are
currently you'd like to see done that stand before Department
of Homeland Security or Justice to help fund some of the
efforts here that are most critical to your efforts regarding a
possible terrorist attack in general or specific to the
financial sector?
Mr. Kelly. We incurred significant operational expenses to
have our counter-terrorism program in place, that is, in
essence, overtime expenses. I mention it in my prepared
remarks, we spend about $180 million a year, Police Department,
that is, to carry out our counter-terrorism functions. That's
on top of other overtime expenses that we have in the normal
course of protecting this city.
What we would like to see is in a general sense more money
made available for those operational expenses. Much of the
money that we have received is targeted for equipment and we
certainly appreciate that and we need it, but we'd like to see
if at all possible a broadening of the authority where we would
get reimbursement that enables us to pay for operational
expenses, particularly overtime expense.
Mr. Platts. Your testimony talked about 1,000 officers a
day. That's year round you have 1,000 officers involved in
training related to counter-terrorism?
Mr. Kelly. Yes, sir. Either officers or full time
equivalent officers. We've created a counter-terrorism bureau,
we expanded our intelligence division. We also have our
preparedness program, where we have responses, everyday drills
where we take them off of normal patrol duties, have them come
to locations--it can be throughout the city, but most of the
locations, quite frankly, are in Manhattan, so we mobilize
twice a day, we'll bring in as many as 100 radio cars, so two
officers will come together twice a day to do that.
We then take them, mobilize, and then go to sensitive
locations that we're concerned about. They don't go necessarily
to the same location every day. We make certain we change the
face of what we do, because we are concerned about
reconnaissance going on. So that's part of our resource tactic,
to make certain we constantly change what we do. But in doing
that, and in training, as you say, it requires about 1,000
officers a day. So it's a significant commitment on the part of
the city at a time when, right now as we speak, we are 4,500
officers below where we were in October 2000.
So not only have we reduced the head count because of
budgetary reasons, we are supplying 1,000 officers for
counter-terrorism forces. We're happy and it's a credit to the great
job that the police officers of the city that crime is
continuing to come down. As a result of their hard work, crime
is down about 20 percent in the last 3\1/2\ years in New York
City. It still takes a lot of hard work, a lot of effort, but
we're juggling a few balls in the air, as you can see.
Mr. Platts. I think across the country, I'm not a veteran
myself of the military or a member of the law enforcement
community and both communities have my great respect and
admiration and our law enforcement here at home and the first
responders are really the heroes of this war on terror,
certainly in New York and the New York City Police Department.
In your coordination in trying to be prepared, whether it
be communication or manpower, you talked about one, protecting
infrastructure, and again, in the financial sector, or people
in the--evacuation people if the financial sector was again
targeted.
How is your coordination with National Guard? One of the
challenges we saw in Katrina was how that coordination,
Federal, State and local occurred. How often do you train with,
interact with National Guard if they were trained to assist
with either evacuation or control in New York City?
Mr. Kelly. There are actually National Guard troops in New
York City now, certainly at Grand Central Station, Penn
Station. When we have major events, we activate what we call an
emergency operation center in Police Headquarters and we will
have representatives from many city agencies, State agencies,
Federal, including the National Guard, so they're physically
located with us. I must also say private sector security also
comes to our emergency operations center. So we're in the
business of communicating and coordinating with them, at least
the ones--for instance, last, well, it's now, the U.N. General
Assembly is ongoing, but a week and a half ago we had the
plenary session where we had more world leaders than have ever
come to one spot in one building before, it was the 60th
anniversary of the United Nations, so we activated that and
within that center was National Guard, military, so we do it on
a regular basis.
Mr. Platts. You mentioned the private sector in your NYPD
Shield program, trying to have that communication. How can you
describe the buy-in or the involvement of the private sector
communities with NYPD?
Mr. Kelly. They very much want to be working with us and
certainly we want that as well, so there's a very
collaborative, cooperative environment that exists in this
city. We have had a program, the APL program, it stands for
Area Police Liaison Program, it's been in existence since the
1980's, but we've strengthened that. We communicate with the
people in that group virtually every day, by Blackberry,
e-mail, letting them know what's going on on a daily basis. That
program has been ongoing, as I say, and has been strengthened.
Now, NYPD Shield is sort of an umbrella program that
incorporates that and other programs that we have. It is a
proactive attempt on our part to do training, to bring them
even closer to us, and it's been very well received. We have a
Web site and we keep them informed of an ongoing situation. I
said in my prepared remarks, we had a detailed briefing for
them on the London bombings, we very much appreciate it. Just
recently we had a briefing on the Sharm el Sheikh bombings in
Egypt. We had an officer assigned to Israel, he was able to go
there, came back with specific information. Showed him
pictures, and as I said, we're communicating on e-mail all the
time. So that organization has about 1,000 members.
But these are security directors. I mean, they're
representative of the major corporations in New York City.
These are the security people who really are protecting the
financial services industry and other industries as well. So
I'm very encouraged about Shield and I can only characterize
our relationship with the private security and private sector
as being a very strong and collaborative one.
Mr. Platts. I have some additional questions, but I want to
yield. Before I do, I want to note that we're joined by Dean
Wexler and I thank her for letting us be here today. As a law
school graduate, I'm always hesitant to being in a moot court,
I'm used to being out there and being judged, but I guess we're
being judged differently today, but I appreciate your hosting
us. Mr. Towns.
Mr. Towns. I'd like to echo the chairman's thanks, Dean,
for allowing us to come in and also like to thank you,
Commissioner, for coming.
In terms of funding for first response, from the Federal
Government, can you describe for us the flaws or barriers that
may be inherent with the current process? What are some of the
problems that you see in the present process?
Mr. Kelly. As Mayor Bloomberg has stated many times and
I've gone to Washington and testified that we would certainly
support a funding allocation that would base totally on threat.
To us it's logical. We see ourselves threatened and we would be
the recipient of more funding, with some formula based on
threat or at least more heavily based on threat than the
existing formulas that were put in place.
Having said that, I mean, we need the money, but having
said that, the Mayor has made certain that the department is
getting everything that it needs, that we need, and he said
that on many occasions. This strains the city's budget, though,
no question about it. Money, we have to have a balanced budget
every year, so the money that's going to the Police Department,
the Fire Department, other first responders is being taken from
somewhere else in the city's budget. So we believe that a
threat-based formula, a total threat-based formula makes sense
in the post September 11th world that we live in.
Mr. Towns. You mentioned in your comments earlier about
communications and of course information sharing. Have the
industry stakeholders coordinated their certainly internal
efforts with your department? Do you feel that industry has
made adequate progress in developing comprehensive security
practices that are appropriately based on risk and level of
exposure? Do you feel comfortable?
Mr. Kelly. I think we can all do more. I think the private
sector can do more, but I think efforts are being made, some
industries, some companies do more than others. But, generally
speaking, the message is out there, and as far as our
relationship with them, you know, as I stated before, it's a
very cooperative and close relationship. However, I think
private, the private sector has gotten the message, but we
could all do more.
Mr. Towns. Can you describe for us what lessons have been
learned from New York PD and the city since 2001 as to the
value of having industry and government as partners in
information-sharing activities? Are there barriers to adequate
information sharing that remain problematic for industry or
Government participants? I'm concerned about this flow of
information and communications.
Mr. Kelly. I believe it's better than it's ever been. As I
said, our Shield, NYPD Shield program is all about information
sharing. It's very well received by the private sector. We want
to get information out, the Federal Government wants to get
information out. There's a whole, there's an environment that
supports information sharing now as never before in government,
so nobody is holding on to information. Nobody wants to be
caught holding on to information, quite frankly, so there's a
lot of sharing going on.
As I said, we had, in the London bombings, it was all
public information, but we really got in the weeds with our
private security partners, giving them a lot more detailed
information than most of them had. And it's our belief that the
better informed they are, the better able they are to protect
themselves and thereby protect the city. We can't do it alone,
that's our message to them. We need your eyes and ears, we need
your active support, your active involvement.
So I think prior to 2001, sure, I mean, we just didn't see
the threat as we should have, but since 2001, it's gotten
increasingly better as far as the sharing of information at all
levels of government and government with the private sector.
Mr. Towns. I yield back, Mr. Chairman. Thank you.
Mr. Platts. Thank you, Mr. Towns. On the threat-based
allocation, I was just reading your testimony in preparation
for the hearing. It gave me as a member from South Central
Pennsylvania a better idea of the challenges you face in
allocating resources. In my District we have Gettysburg and
some national sites of significance and certainly Philadelphia,
but given how New York has been targeted not just in 2001, but
in some of the intelligence since you referenced, back to 1995,
the allocation, it certainly helps me to better understand the
importance of that threat-based allocation approach.
When we were here for the convention last year and had a
chance to visit the Police Museum, times have changed from some
of what was shared in that museum to today. The fact that there
are seven officers deployed in other countries, being out
there, proactive in your intelligence efforts is quite a
difference from 100 or so years ago.
One of the issues touched on about intelligence gathering
and sharing intelligence, certainly within New York City and
all your efforts, Federal, State and local, private sector. In
Washington, one of the changes we made from September 11th was
the Patriot Act, which was to allow information to be shared
between those communities; intelligence gathering and law
enforcement.
Are you able to share specific examples of how the changes
we made at the Federal level helped you at the local level here
in New York regarding intelligence gathering because of those
statutory changes of the Patriot Act?
Mr. Kelly. Well, the Patriot Act helps the Federal
Government, helps the FBI gather information, also exchange
information or use information internally. It eliminated or
greatly reduced the wall that existed in the FBI, for instance,
between intelligence gathering and criminal investigation. So I
know it's helped.
I can't give you specific examples where it applied to New
York City, but I can only assume like in certain cases, for
instance, well, the Peracca case which I mentioned in my
prepared remarks, I can only hope that helped in the
investigation itself. It eases the flow of information, to me
that's a good thing, inside the Federal Government.
Mr. Platts. Thank you. The private sector and the various
efforts that you have ongoing, reaching out to them, is there
any financial contributions by the private sector to the city
of New York or to the NYPD specific to acknowledge that there's
a benefit to those private sector partners as well, maybe in a
greater sense in some of your efforts, because it's really
targeted, say, specifically to the financial sector, are there
any resources that are allocated by them to your efforts?
Mr. Kelly. Of course, they would argue that their taxes are
their contribution.
Mr. Platts. I would readily agree with them, but it's
always good to ask if they want to give more.
Mr. Kelly. I can give you one example, though, that there
was a contribution. That's with the protection of the New York
Stock Exchange. I mentioned again in my prepared remarks how
certain intersections are protected by individuals trained by
the NYPD. Well, they're paid for by the New York Stock
Exchange. They also pay for some paid detail police officers
that we have assigned there, but we have active duty on-duty
police officers working there as well. We have significant
resources devoted down there, but they're paying for that
heightened level of security there, and of course you could
argue that as we bring together security folks throughout
industry and the financial services industry and we sort of
task them in an implicit way to do things for us, that they're
contributing. But that's the only hard example that I can give
you of contributions where the New York Stock Exchange had paid
a significant amount of money for protecting the area around the
Stock Exchange.
Mr. Platts. And I think a good example of that partnership,
public and private.
I want to conclude in your testimony, you talked about
continuing to adapt, especially with the business community
here in the city with the coordination center between law
enforcement and private sector and the need for Federal support
for that initiative, and I assume that means funding support.
I want to give you the opportunity to expand with Treasury
and Homeland Security who is here, and the two Members that are
here, maybe a little bit about what that is and the importance
of it.
Mr. Kelly. Yes, sir. The Freedom Tower is going forward at
the 16-acre site of the World Trade Center. There will be other
structures put in place there. Goldman Sachs has agreed to
build on site 26, which is right across from the Freedom Tower,
so there's going to be a significant increase of people in the
area and development, of course the financial services sector
is going to be well represented.
As that development goes forward, we are committed, the
city is committed to putting in additional resources in the
area that will involve both personnel, but also technology, and
we're studying that now and moving forward with it.
One of the plans that we have as that goes forward is to
put in place, as I said, a coordination center, where we would
have not only appropriate law enforcement agencies there, for
instance, Metropolitan Transportation Authority, Port
Authority, our own police personnel, Fire Department, but
representatives from the stakeholders that will be there; the
private sector security, and we envision that would be a
24-hour coordination center, and we've talked to industry leaders,
they're enthusiastic about all this. But that's kind of our
overall plan.
It's going to be expensive. We think it's important for us
to provide additional protection in that area. Now, it will not
only be limited to that area let's say, below Chambers Street.
It will also be somewhat north. Some of the things we're doing
now are under our Operation Atlas, as I said, we mobilize twice
a day and send our units out to sensitive locations. We use
some of these resources to do that, so it will be--it will help
us in doing some of the coverage that now we're taking directly
out of patrol resources and other parts of the city.
So that's kind of the overall plan. Yes, we certainly would
like to have Federal resources to help whenever it could.
Mr. Platts. Thank you. Mr. Towns, do you have other
questions?
Mr. Towns. Yes, I do. Thank you very much, Mr. Chairman.
The recent disaster in the Gulf Coast region demonstrates
for us that major events do not have to be terrorist-related to
have significant consequences. Have there been any significant
efforts made by the New York City Department of Police or the
city itself to establish evacuation plans for, say, Wall Street
or lower Manhattan in the event of a major physical disaster?
Have State and regional stakeholders, such as Port Authority or
MTA, been proactive in developing a comprehensive plan to move
large volumes of people away from the disaster area in a safe
and timely fashion? I guess the last part would be how can the
Federal Government assist you in that process.
Mr. Kelly. We do have very comprehensive evacuation plans.
Evacuation plans are coordinated by the Office of Emergency
Management, but the Police Department plays a significant role
in carrying out those plans. We provide assistance in
evacuations, going to areas that may be evacuated. Search and
rescue would be part of the functions we would provide. We have
a coastal storm contingency plan and we have an evacuation plan
for the entire city. The city is divided into 150 sectors, and
there are elaborate plans for that. As a matter of fact,
Commissioner Bruno, the head of the Office of Emergency
Management is testifying right now at the City Council on those
plans.
As far as the other stakeholders are concerned, yes, the
Office of Emergency Management works with the Port Authority,
MTA. Obviously MTA would provide a significant amount of the
transportation used to evacuate areas of the city. We have, as
you well know, Congressman, a very large public transportation
system in the city; subway and buses. The MTA would be an
integral part of any evacuation plan. Port Authority as well.
As far as Federal Government assistance, I can't think of
anything specific. I'm sure Commissioner Bruno can think of it,
but I can't think of anything that comes to mind for me other
than any resources that could supplement what we're doing,
anything that could help in the movement of people in a major
evacuation, but we are, we have plans to evacuate every sector
of the city, not just the financial district in lower
Manhattan, but I must say that area is in one of the flood
plans.
If you look at our coastal storm contingency plan, you'll
see it's prefaced on certain assumptions; Category 1, 2, 3 and
4 storms. It does not go up to 5, but it does go up to 4, and
there are flood areas in, say, lower Manhattan, that would be
impacted by even a Category 1 storm. So there are plans to have
an evacuation and also plans to provide services in that area,
if something like a large storm hits us.
Mr. Towns. Let me say, Commissioner, we really appreciate
your involvement in the kind of information that you shared
with us in Washington, you know, but we need to sort of do a
little bit more to make certain they fully understand. Because
when I say to my colleagues in Washington that you have 1,000
police officers involved in counter-terrorism and they, knowing
the Police Department is not even 2 percent the size of that,
it's hard to communicate with them what this really means, the
impact of it. Do you have any ideas or suggestions of what you
might say to us or give to us that we may further take back to
our colleagues to try to convince them that New York is unique
in so many ways, and that this is the financial capital of the
world and that New York is a place that we need to make certain
that is protected in every way. So do you have anything that
you might want to share with us further that we might be able
to convey to our colleagues?
Mr. Kelly. I think every part of America, indeed,
significant parts of the world would be adversely affected by
another attack in New York. We know that al-Qaeda's goal is
something bigger and better than September 11th. They're not
looking at small bar events in this city, they're looking for
something larger, and it's been stated in a lot of different
ways. So anybody who thinks that it just affects New York City
or New York State is mistaken.
We're protecting, as I said in my remarks, national assets.
We're protecting assets that if they're attacked, will have an
adverse impact across the world. You look at the things I
mentioned. Look at New York Stock Exchange, you look at
American Stock Exchange, NASDAQ. You look at the financial
services industry headquarters that we have here. We have an
attack here against any of those institutions, it will
reverberate throughout the world, and certainly throughout
America.
So I think that's the message that has to go back to
Washington. We understand that people are concerned about their
districts, that's what they're in Washington for. But you also
have to look at the bigger picture. Because if we're struck
here, it's going to hit in some way, shape and form, every
congressional district in America and it's going to hit in a
very hard way. The next event, God forbid, if there is one, is
going to be, unfortunately, at least in their planning cycle,
their planning minds, much larger than the last one.
Mr. Towns. Thank you. I yield back.
Mr. Platts. Thank you, Mr. Towns. Thank you, Commissioner
for your insights. I appreciate certainly your current service
here in New York, but I also mark your great service as a
combat veteran in Vietnam and your 30 years in the reserves. As
a fellow citizen, I'm personally grateful for your dedication
to all of us citizens.
Mr. Kelly. Thank you very much. Thank you, Mr. Chairman.
Mr. Platts. We'll take about a 2-minute recess here while
we get our second panel: Mr. Parsons, Caverly and Muccia. Thank
you.
[Recess.]
Mr. Platts. We'll reconvene here and again we're delighted
to have our second panel here: Mr. Scott Parsons, Deputy
Assistant Secretary, Critical Infrastructure Protection and
Compliance Policy, Department of the Treasury. Glad to have you
with us. Mr. James Caverly, Director of the Infrastructure
Coordination Division, Department of Homeland Security and Mr.
James Muccia, first deputy superintendent of banks.
Now that you're all seated, if I could ask you all to rise,
we'll swear you in and proceed with your testimonies.
[Witnesses sworn.]
Mr. Platts. You may be seated. The clerk will note all
three witnesses affirmed the oath. We'll proceed first with Mr.
Parsons. If you'd like to begin, and again we'll use roughly a
5-minute guideline, but we're glad to hear your testimony in
full.
STATEMENTS OF D. SCOTT PARSONS, DEPUTY ASSISTANT SECRETARY,
CRITICAL INFRASTRUCTURE PROTECTION AND COMPLIANCE POLICY,
DEPARTMENT OF THE TREASURY; R. JAMES CAVERLY, DIRECTOR,
INFRASTRUCTURE COORDINATION DIVISION, DEPARTMENT OF HOMELAND
SECURITY; AND DANIEL MUCCIA, FIRST DEPUTY SUPERINTENDENT OF
BANKS, STATE OF NEW YORK BANKING DEPARTMENT
STATEMENT OF D. SCOTT PARSONS
Mr. Parsons. Thank you very much. Chairman Platts, Ranking
Member Towns, thank you very much. We really appreciate the
opportunity to be here today to testify on the financial
services sector preparedness to handle a wide scale disruption.
Mr. Platts. Mr. Parsons, do you mind holding that a little
closer? I can hear you, but I'm not sure if everyone can. Thank
you.
Mr. Parsons. I am pleased to tell you that the financial
sector has made tremendous progress to insure its resiliency to
withstand both man-made and natural disasters. President Bush
has led the development and implementation of an effective
program to defend our country's critical infrastructure. The
financial services sector plays an indispensable role in the
Nation's economic system, providing individuals, businesses and
the government with credit and liquidity, short and long term
investments, risk transfer products, various payment systems
and depository services. It enables people to save for their
education, their retirement, to purchase their homes and to
invest in their dreams.
The financial services system is essential to America's
overall economic well-being. I note that we have experienced a
number of events in recent years that test the resilience of
the sector. The attacks of September 11, 2001, the power outage
of August 15-16, 2003 and the elevated threat level for the
financial sector of August 2004 have all tested the
preparedness and resolve of the financial services sector. Most
recently, Hurricane Katrina caused unprecedented devastation in
multiple States. Yet the financial system has survived each of
these events and through hard work and investment becomes
stronger and better able to withstand such disruptions.
The President has mandated that the Federal Government work
closely with the private sector to protect the Nation's
critical assets and infrastructure from major disruption. An
important and unique insight that guides this strategy is that
nearly all of the financial infrastructure is owned by the
private sector, and, therefore, the success of our protective
efforts depends on close cooperation between the Government and
the private sector. On December 17, 2003, the President issued
Homeland Security Presidential Directive No. 7 which
establishes a national policy for Federal departments and
agencies to identify and prioritize U.S. infrastructure and key
resources and protect them from terrorist attacks. HSPD7, as
it's known, recognized that various departments and agencies
have specific knowledge, expertise and experience in working
with certain sectors. Therefore, this directive provided for
sector specific agencies or lead agencies for given sectors and
the Department of Treasury has been designated as a sector
specific agency for the banking and finance sector.
It is under this designation that Treasury collaborates
with appropriate private sector entities and other governmental
agencies to encourage the development of information sharing
and analysis mechanisms and to support sector coordinating
mechanisms with the purpose of, No. 1, identifying,
prioritizing and coordinating the protection of critical
infrastructure, and, No. 2, to facilitate the sharing of
information about physical and cyber threats, vulnerabilities,
incidents, potential protective measures and best practices.
Secretary Snow has a very strong commitment to insuring
that the financial system continues to serve all Americans. The
Nation's economy has been a constant target of terrorists who
wish to do us harm. A consistent part of the rhetoric from
Osama bin Ladin and others is the overall ideology to attack
our Nation's economy, to attack the financial system to support
it and to try to do us harm in this manner.
Secretary Snow has tasked the Treasury Department's Office
of Critical Infrastructure Protection and Compliance Policy to
be responsible for developing and executing policies affecting
both the physical and the cyber security of the U.S. financial
system. The majority of these efforts require close cooperation
and partnership with the public and private sector, and there
are a number of important groups that we work with to achieve
this end. One is the Financial and Banking Information
Infrastructure Committee. This is a body of all of the Federal
and State financial regulators and the Treasury Department is
the Chair of this committee.
The second is a private sector body, the Financial Services
Sector Coordinating Council. You'll be hearing from the Chair
of the FSSCC, as it's known, later on this morning.
We also utilize an important information sharing mechanism
called the Financial Services Information Sharing and Analysis
Center or the FS-ISAC. That is a body that is run by the
private sector with the sole purpose of disseminating critical
physical and cyber threat information to the financial services
sector members.
And last, I would mention an important development,
something that we think holds great promise and that is the
creation of regional coalitions. I note specifically, Ranking
Member Towns mentioned the futures industry. The first
coalition of this nature is called ChicagoFIRST. It was based
in Chicago with the recognition that the futures industry plays
a prominent role in that city, and its goal by its members was
to advance homeland security protective measures, specifically
with local emphasis on it.
We believe that this was a great model and we were able to
partner with several other entities, including BITS, to
document the steps that went into creating this and we've since
published that document. I'm pleased to tell you that there is
considerable focus on this initiative within the Department of
Treasury and we are close to seeing some new announcements for
new regional coalitions that will involve not only those on the
east coast, but hopefully the west coast as well.
With that, Mr. Chairman, I conclude my opening comments.
[The prepared statement of Mr. Parsons follows:]
[GRAPHIC] [TIFF OMITTED] T6505.007
Mr. Platts. Thank you, Mr. Parsons. Mr. Caverly.
STATEMENT OF R. JAMES CAVERLY
Mr. Caverly. Mr. Chairman, Mr. Towns, thank you for having
us here today. What I'd like to do is summarize my comments and
enter my statement into the record.
As we're all aware, protecting the Nation's critical
infrastructure is really a partnership and it's a new kind of
partnership between the owners and operators of that sector,
most of them being in the private sector, and then State
government, local government and Federal Government. Your panel
of witnesses today I think does a great job of exemplifying
exactly what kind of partnership needs to be there to insure
that the Nation's critical infrastructure is protected the way
we need to protect it.
Clearly, the events of September 11th, the power outage of
2003, then the casing reports heightened financial alerts in
2004 identifies the impacts that terrorism or threats of
terrorism can have to the financial communities of this country
and as Police Commissioner Kelly said, those impacts will
reverberate across the country.
The Department of Homeland Security really has three
principal objectives when dealing with critical infrastructure.
One is to provide the resources and training to State and local
government and law enforcement training for security
enhancements. The other is to provide information to those
various levels, whether they're the owners and operators of the
individual components of the Nation's infrastructure, to local
level law enforcement, State law enforcement and then across
the Federal partnership of the kind of information that is
necessary for each of those people to create risk assessments
and react appropriately within the environment in which they're
responsible for. And then underneath that is the creation of a
fluid and viable information-sharing mechanism that will allow
us to get the information quickly out to the points of decision
and bring back information into the analytical framework that
allows us to look at this as a total picture.
As Mr. Parsons identified, the President's directive to his
cabinet contained in HSPD7, Homeland Security President's
Directive 7, a key component of that is asking members of the
private sector to create a framework in which we can deal with
the sector as an entity. The financial services sector was the
first sector to come across and create a single entity called
the Sector Coordinating Council, and you'll be hearing from Mr.
Donahue the head of the FSSCC later. Looking at that and
looking at what was done in Treasury with some activities of
our own, we implemented the National Infrastructure Protection
Plan a framework across all of the sectors to create a set of
sector coordinating councils and government coordinating
councils that will allow us to act on this partnership. We
believe the financial services has shown us a great way in
which to build this framework.
The other thing that HSPD7 directs the department to do is
develop a National Infrastructure Protection Plan that is
looking at setting security goals, identifying assets and
assessing new risks. The NIPP plan was put out in a base plan
in February of this past year. The next version will be coming
out shortly. Once we get the base plan out in the next short
timeframe, we'll begin working with each of the critical
infrastructure sectors to develop a sector specific plan that
focuses on each of the sectors and the activities the various
players have to do both at Federal, State, local and also
private sector level.
A key component of one of the things that the department is
working on is a risk assessment methodology. Secretary Chertoff
has made risk assessment a key component of his program to
enhance the Nation's critical security infrastructure. We
developed a Risk Assessment Methodology for Critical Asset
Protection [RAMCAP]. As we implement and develop the data
inside, it will allow us to assess the risk across the
infrastructures and do it comparatively. Because of the
connected nature of the infrastructure, this is very, very
important.
As I said earlier today, the panel here reflects a good
level of the coordination and integration that needs to take
place. We believe that the activities of August 2004, which led
us to heighten the Homeland Security alert level in New York
and Washington in the financial services sector is a very good
example. As the intelligence was developed, we began working
very closely with NYPD and the owners and operators and
security directors in specific facilities that have been
surveilled. We were able to take very quick and appropriate
action across not only the responsibility of what local law
enforcement and Chief Kelly were able to do, but also the
owners and operators were able to do and share information. We
think that is an example of exactly how this partnership should
work because each of us has certain responsibilities in the
framework.
One of the things about the financial services sector is
the redundancy that is built into the system. Because of things
that happened in the financial services sector in the 1980's
and 1990's, when in fact it lost power in lower Manhattan and
when it lost telecommunications at certain times, it built
resiliency into its system. It has a very, very robust,
resilient system to allow it, as the chairman pointed out, to
resume its financial operations quite soon after taking a
serious blow. We think that's important.
The national communication system is part of the Department
of Homeland Security and we're working closely with the financial
services sector to insure the telecommunication backbone for
their information flows has the kind of resiliency and
redundancy necessary to insure that no matter what happens the
transactional part of that connectivity can continue.
One of the most important parts is a program we call
``route diversity methodology.'' It insures as you look at the
networks of the telecommunications that in fact all
transactions are moving across a very diverse network, as
opposed to being funneled into single hubs and therefore
building a resiliency outside of that.
The last thing I'd like to make a brief comment about is
Homeland Security Information Network. It is a framework the
Department of Homeland Security is deploying that will allow us
to connect to the various groups, whether regional groups or
things such as the Financial Services ISAC. It is a cohesive
network that allows a sharing of information not only inside
the sector, but across sector lines and also across
jurisdictional lines to insure that the information part that
flows either to or from the Department of Homeland Security is
accessible, whether it's law enforcement information, first
responder information or information that we receive from the
private sector.
With that, Mr. Chairman, I'll take your questions.
[The prepared statement of Mr. Caverly follows:]
[GRAPHIC] [TIFF OMITTED] T6505.013
Mr. Platts. Thank you, Mr. Caverly. Mr. Muccia.
STATEMENT OF DANIEL MUCCIA
Mr. Muccia. Thank you, Mr. Chairman, and Congressman Towns
for allowing me to submit this testimony to you today on the
current status of financial market preparedness for wide scale
disasters or disruptions.
I will briefly summarize the key points contained in the
department's written testimony. First, I do not believe that
the financial regulatory community or the banking industry have
become complacent. The stakes are too high, and the reminders
too frequent. Certainly, if there was a threat of complacency
setting in, the recent catastrophe in the Gulf Coast and New
Orleans has served as a powerful reminder that we can never be
too prepared.
Second, effective communication and coordination between
State and Federal banking agencies is essential to rapid
recovery. From our perspective, the protocols set in place by
the Financial and Banking Infrastructure Information Committee,
which Mr. Parsons chairs, or FBIIC, have proved to be effective
in improving communication and coordination. We understand from
our fellow State regulators in Louisiana that coordination with
their Federal counterparts in response to Katrina has been
excellent. We at the New York State Banking Department know how
valuable that communication and coordination is, as it was
tested both during September 11th and the August 2003 power
blackout.
Third, our assessment of the readiness of the New
York State banking institutions we directly supervise is based
on our ongoing supervision and onsite examination programs.
Overall, our examiners are giving good grades to our
institutions. The small number of institutions that are
considered critical to the system are being held to a high
standard of business resumption capability and are expected to
meet current supervisory standards and targets. The vast
majority of non-critical institutions have adequate plans and
those missing the mark are in the process of correcting
deficiencies.
One area that we will be focusing on in the near term is
testing. More testing of business continuity plans is needed.
Test results need to be more carefully and vigorously audited
and the scope of testing needs to be widened. We are discussing
how to achieve this with the Federal banking agencies that
share our supervisory responsibility over our institutions, and
I expect formal guidance will be issued in 2006.
Finally, we recognize that business continuity planning is
a continuous process that requires our constant vigilance and
attention. We are committed to insuring our institutions are as
prepared as possible and thank Congress and this subcommittee
for your continued support and attention to this critical
challenge. Thank you.
[The prepared statement of Mr. Muccia follows:]
Mr. Platts. Thank you, Mr. Muccia. I appreciate each of
your testimonies. Each of you I believe in your written
testimony and here today referenced an August 2003 blackout. It
was in a sense the first major test after September 11th here
in the New York area. The blackout was also a test especially
throughout the northeast of how our new coordination was going
to work. I'm interested if each of you would want to share your
perspective of how your organization responded. Also, what will
be especially informative is the things that didn't go as you
expected 2 years after September 11th.
Mr. Parsons. Sure. Our observation is, as you noted, Mr.
Chairman, the power outage was indeed the first real test of
the mechanisms that we put in place after September 11th. We
felt they worked very, very well for a couple of reasons. One
is it was critical to get information out to the sector as
quickly as possible, and it had to be an exchange of
information. We knew there was a blackout, but we also wanted
to find out what was happening in New York City.
Those mechanisms worked very well. The communications that
we had built in were very effective in ascertaining the
situation and within 15 minutes or so we had a good
understanding of what exactly was going on. I would also note
that they were instrumental in being able to help spread the
word as quickly as possible. This was in fact not a terrorist
incident, which I think was very, very important for everybody
at that time to understand.
Additionally, it enabled us to convene, for example, all of
the financial regulators to look for any problems that we may
have had. If there were any imbalances created due to the time
of the incident, thankfully it came after the closing of most
of the major markets. Were there any things or actions that we
needed to do immediately from a regulatory standpoint, and
then also in working with our private sector coordinating body,
the FSSCC, we were able to identify any needs that they may
have had very quickly.
I think it's important to note that the financial sector is
extremely resilient and most of the firms here have
well-drilled, well-thought-out backup emergency plans.
Nonetheless, we used this mechanism to find a couple of
examples where we needed to intervene. One example of that is
at the American Stock Exchange. It needed a new generator so
they could cool its trading floor. While working with the New
York Office of Emergency Management, we were able to coordinate
the delivery of that to help the AMEX get back on line quickly.
Very briefly, I would say there were some lessons learned
for us. One of them is the interdependency that we have on
other sectors. You heard Mr. Caverly talk about
telecommunications. That's a very big concern for us in
financial, but we also learned, for example, the need to
resupply generators to--if we were going to have a sustained
outage, and we have subsequently through the FSSCC convened
meetings with other government agencies like the Department of
Energy and the Department of Transportation to discuss these
and other lessons that we learned not only from that event, but
from other pieces of our thinking on this as well.
Mr. Platts. Thank you.
Mr. Caverly. One of the things that it did was reinforce
the critical role that information sharing plays. There were
existing mechanisms prior to the creation of the department;
relationships between telecommunications and electricity
specifically because of their interdependency nature. Based on
the activity that came out of that, DHS has set up the National
Infrastructure Coordinating Center, to provide transparency.
The lesson that moved us in that direction was that on Friday
morning after the blackout, as we were talking to the
telecommunications and electricity people, the electricity
people pointed out that power would not come on in Detroit
until Sunday. The telecommunications people identified that
presented a significant problem for their wireless nets,
because most of them depended on batteries, some on generators.
They recognized they needed to bring more generators in as well
as resupply the fuel to the generators that were there, but
they didn't have existing relationships with suppliers.
We were able to take them and connect them up with the
Michigan State Energy Office who knew all the suppliers and
could quickly make sure they had the supply they needed until
the power came back on.
It's that kind of transparency and sharing of information
that's critical to a situation like that. The media gives us
some heads up, but there are things that come from the
operating parts that the owners and operators know and we need
to create a better more fluid forum. The NICC is the process,
and as we built the connectivity it provides the capability for
those extraordinary communications that have to take place in a
crisis.
Mr. Muccia. I would agree with Mr. Parsons in terms of the
overall connectedness of communication. I think one of the
things that happened was some of the protocols we put in place
that we learned sort of ad hoc on September 11th we got to use
in the blackout event. It was a more formal structured way of
communicating that helped get the word around more quickly. Our
institutions did very well.
So overall in our department we exercised our plan and had
representatives at the Federal Reserve in New York. We were in
contact with SEMO and New York OEM. So overall, it worked very
well.
Mr. Platts. The lessons learned in that coordination, for
example, the fuel to the generators to control and identify
quickly what the problem was, how did working with utilities,
what was the cause for that? I think you're right to get the
word out quickly to the public that this is not a terrorist
attack. It was an infrastructure breakdown basically. I didn't
learn it as quickly as the rest of the country, because I was
tent camping in the Northwest at the time. I learned about it a
day late I think, behind everybody else. I was removed from
civilization with my wife and kids.
But in getting a handle of what did happen and how quickly
word did get out, given that the utilities are private sector,
how did that happen? You needed to learn here's what happened,
why it happened and then share that publicly.
Mr. Parsons. The first thing we determined very quickly is
that this is not an act of terrorism and that was simply done
by--I guess it would be a collection of information that flowed
in all at once.
Mr. Platts. Was it the private sector coming forward too?
Mr. Caverly. It was.
Mr. Parsons. Both.
Mr. Caverly. To some degree you can understand the
structure--the North American Electrical Reliability Council,
which sets the reliability standards for the electric industry
is a central point for information. They were on the phone by
3:30 that afternoon identifying the cause of it, which was a
rolling blackout caused--they didn't know initially what caused
the system to start tripping out, but they were able through
their reliability coordinators in the reliability region to
identify that's how it happened. Then you went back to the
operating center. So they built the picture quickly of what the
cause was, being able to talk.
So the information comes out of them very, very quickly
into the system. Remember, it is a regulated industry, so the
reporting requirements are a little more structured than some
other parts of the private sector. In that case the information
came out of it, as well as the reporting you were getting in
the media--there was no report of explosions or other such
things.
Mr. Parsons. Mr. Chairman, it was also useful again to hear
from people in the affected city who were saying, ``we don't
see any explosions, we just see the lights have gone out.
There's no smoke, there's no fire.'' I guess I would answer
that it was kind of information flow both ways, to and from.
Mr. Platts. Mr. Muccia, you mentioned that you worked with
SEMO here in New York. Would that have been the case prior to
September 11th, your involvement, the Banking Department,
immediately, being part of that Statewide effort in responding?
Did that change because of September 11th or would that
involvement of the Banking Department be there already?
Mr. Muccia. It really changed I think to a significant
degree with preparations for Y2K, where we really--we always
had it there, but I think in terms of taking it more seriously
and being more prepared, it started with Y2K and certainly
September 11th really brought it home.
Mr. Platts. Obviously, there's an endless list of efforts
we could engage in and you've each highlighted some very
important ones that your organizations are now pursuing.
There's not an endless sum of money out there, and so you need
to be smart.
Last, we had a hearing on managerial cost accounting in
trying to make that cost benefit analysis on the Federal level
in that case in two or more departments; Veterans Affairs and
Labor. In what way does that go on with your respective
organizations that you're trying to do that kind of cost to
benefit? It kind of relates to the Commissioner, the
threat-based provision of funds, but internally in your organization,
how do you go about that?
Mr. Parsons. That's a very good question. We do have a
limited sum of money and as you noted, we could spend freely,
but we can't do that. So what we try to do is we try to take a
risk-based approach to our efforts at the Department of
Treasury. What we've first done is working with the other
financial regulators, we've identified the wholesale clearing
payment system, which is really, if you really think about it,
it is the series of mechanisms and institutions that really
make the financial system work, and we've chosen to direct our
efforts to those entities, believing that we will get a huge
return that will in fact create a cascading effect and that
other firms will benefit from this knowledge and our efforts
there.
We've embarked on a testing regime which is not focused on
simply doing a test, it's really focused on doing a plan, and
that plan involves the State and local officials and the
affected institution, the institution that we've all
collectively identified or the series of institutions. So it's
very targeted and at the end of the day we have a plan that not
only involves one center, but involves many of the operating
capacities within these given institutions.
So I guess I'd summarize by saying you really have to take
a risk-based approach in thinking about where will we get the
best return for our dollars, and we do think about it before we
accentuate programs.
I would also add through our partnerships with the
regulators and with the Financial Services Coordinating Council
we get a tremendous scale to our investment and it reaches a
vast majority of the financial sector.
Mr. Caverly. Secretary Chertoff is devoted to a risk-based
approach in vulnerability and consequences related to the
infrastructure. As you can imagine, the department has to look
across all 17 critical infrastructure sectors. The RAMCAP
methodology that I mentioned earlier allows us to look at the
risks associated across the sectors and ultimately prioritize
and allocate across the sectors the limited resources that are
available.
It doesn't do us particularly good if you have the best and
most resilient systems in the financial services sector and you
haven't accounted for the risk to transportation or
telecommunication risk or cyber risk. So we have to look across
all those components of a very intertwined infrastructure and
prioritize our assets on a risk basis, so in fact we make the
system resilient.
Mr. Muccia. We also use a risk-based approach in terms of
our supervision and examination and key to that is really our
program of CPC's or resident examiners at critical institutions
that we share responsibility with the Federal Reserve or the
FDIC, depending on the institution. So we leverage off each
other in terms of sharing resources, responsibilities with the
Federal banking agencies and we use resident examiners on those
key institutions to stay in touch and in focus and we leverage
off work. We can't do it all ourselves, even the Federal
banking regulators can't. We leverage off the work done by the
businesses themselves, utilizing their internal audit reports
and their external audit reports and their internal policies
and procedures.
Mr. Platts. You mentioned in your answer about RAMCAP.
Where do we stand in that development deployment of that?
Mr. Caverly. The framework for the methodology has been
developed across the spectrum. We are now doing modules across
each of the sectors. Obviously, that methodology is important
as we develop the NIPP plans for each sector-specific agency.
So those are scheduled to be completed later this fall for each
of the sectors.
Mr. Platts. Thank you. Mr. Towns.
Mr. Towns. Thank you very much, Mr. Chairman. Let me begin
with you, Mr. Parsons. You talked about a regional coalition
and of course you talked about ChicagoFIRST. Many people are
saying that methodology should go further than Chicago, because
there's extra cost involved.
My question is, ChicagoFIRST, I thought it should be New
York First, but that not being the case, could you tell us in
terms of the makeup of that and what it's all about and is it
true that the reason you're having difficulty moving it forward
is because of the additional resources that would have to be
allocated in order for it to be a reality.
Mr. Parsons. Congressman Towns, I can tell you,
ChicagoFIRST is an interesting story. It started out with two
participants for large firms there who said, hey, we feel like
we're not getting adequate representation to the local level,
at the local level for what the financial services sector
really needs. And that conversation led to an idea which in
turn led to collaboration and the result of this over a period
of time, including with the encouragement of the Department of
the Treasury was the establishment of ChicagoFIRST.
I can comment on a couple of things related to funding. One
is, it is a self-funding organization. That is, its members
have agreed to pay dues to fund its effort. They have appointed
an executive director who is a full time employee and who
coordinates all of their activity. They also have a president
and they have a board of directors that oversees their
operation. So I don't believe that in the case for ChicagoFIRST
that funding has become a tremendous issue at this moment in
time.
What I would add, though, is we've been working actively to
encourage the creation of other organizations like ChicagoFIRST
in other areas of the country, and we believe they're extremely
useful. I would note it would have been very helpful, for
example, to have sort of a single point of contact that
represented the financial services sector in New Orleans as we
worked for the recovery of Katrina. I think our mechanisms are
working well. This would have simply augmented and made our
flow of information and our exchange of needs and ideas more
effective.
So we are hopeful that we're going to have, in fact, we
plan on having an announcement on October 13th about the
formation of a new organization in Miami. We hope to have
additional organizations as well.
Mr. Towns. Let me ask you, will you provide additional
money or resources to move this forward? I know you said
there's the different companies, agencies put money in, but are
you willing to also put additional resources in in order to
make it a reality?
Mr. Parsons. That's a great question. We at this time, we
have not planned for specific investments toward the
establishment of these organizations, other than our work to go
down and share with them the documents I referenced in my
opening remarks and written testimony that we partnered with
BITS on, a how-to model, a how-to cookbook, if you will, to
establish these organizations.
What we have done, though, and we've done this twice with
the case of ChicagoFIRST, is we have funded an exercise with
ChicagoFIRST as the point to test various aspects of response,
recovery and generally trying to identify needs within the
community, and I would tell you that we would plan on doing
that for the other regional coalitions as well.
Mr. Towns. There seems to be a lot of excitement around
ChicagoFIRST. I just want to share that with you. I think
that's important.
Mr. Caverly, as the department moves forward with its
reorganization under Secretary Chertoff, can you describe for
us how the new structure of DHS will improve the agency's
efforts to strengthen critical infrastructure protection
activities? Will these new government structures have adequate
authority and attention from the Secretary? How do you
anticipate the new Office of Intelligence and Analysis
improving upon the sharing of information between public and
private sector participants, such as the financial markets?
And also, I guess in terms of the issue of privacy, has
that popped up?
Mr. Caverly. Let me answer the question somewhat in a bit
of reverse order. On the privacy issue, privacy always remains
a critical concern of the department, because as you look for
the information that will help you do--identify the strengths,
identify indications and warnings, we always run into the risk
of having information on U.S. citizens that cause problems with
existing privacy laws. So we're working very, very hard to
insure that we get a robust information analysis system that
doesn't violate the rights and privileges of the American
citizens for the privacy of their personal information.
So we work at it. It does present certain problems that
each of the units within the department have to work with based
on the kinds of information they need to build the picture that
allows them to assess risk, identify threat.
Relative to the Secretary's reorganization, I think if you
look at it, the new rules proposed under the Secretary for
preparedness if you think about it, protection is a seamless
framework that goes from preparedness through protection to
response and recovery. Because if you can respond and recover
as quickly and efficiently as possible, you reduce the impact,
reduce the consequences of an event, whether a natural event or
man-made event, terrorist event. So what the secretary has done
in that case is combined into one unit the responsibility for
the preparedness which the administration recognizes in HSPD8
the responsibility for protection or prevention, if you want,
in HSPD7 and the response and recovery which is in HSPD5. So he
brings together a framework that has both the preparedness
planning, the infrastructure protection planning and,
obviously, the national response plan all into one framework.
The other thing I think that the Secretary's reorganization
recognizes is there's a vast span of responsibilities in
agencies of the department, and what he's really set up is a
framework that allows the coordination and the sharing of
information and the transparency necessary so that those
various responsibilities resting with individual agencies and
organizations can complement each other and not duplicate.
Mr. Towns. Right. Thank you very much.
Mr. Muccia, let me ask you, sharing information about
potential threats is viewed as a critical step in helping to
insure the financial institutions are better prepared to
protect their operations from disruptions. How is your
organization assisting in providing such information to
financial institutions? I would assume that an electronic
attack could easily be targeted on a small institution just as
it could a larger one. Are there additional barriers you can
identify for us in regards to effective information sharing
practices that are the potential solutions to this problem?
Mr. Muccia. Thank you, Congressman. You mentioned cyber
attacks and New York has a cyber security office that
concentrates on those threats and gives advice to the industry,
and one of the mechanisms we actually have set up is a
collection of those types of events that gets centralized at
the New York office and then scrubbed of identifying
information and then put out to the industry so they're aware
of what types of attacks are going on.
In terms of information sharing, in terms of a crisis, we
have a number of points of contact, where we will establish
communications. One of them I already mentioned before, that is
indeed our resident examiners at individual critical
institutions. For all institutions, including the small ones
you talked about, we have numerous contacts available to them.
Obviously, they kind of depend on the telecommunication system
working, but we have obviously contacts through cell phones,
Blackberry, we have some satellite phones available to the
department, so in terms of the infrastructure we have as many
different varieties; Internet, available.
If our offices in New York City--and we will reach out,
part of our plan is we like to be proactive and reach out to
institutions to find out what's happening--if we're disabled in
our offices downtown, we switch to our offices in Albany. If we
need to reactivate our hot site within 24 hours, if we have to
do that, we have numerous points of contact. We also have
examiners who have given their contact information, their home
phones and so forth to various institutions, so we have a
number of ways of doing it and then with our programs of having
representatives at the State Emergency Management Office at
their operations center, at the New York City OEM office and at
the Federal Reserve Bank of New York, we therefore have
numerous points of getting into contact.
Mr. Towns. Thank you very much. Let me just ask all of you
down the line, starting with I guess you, Mr. Parsons. You
always hear about communications, sharing of information,
coordination, you always hear this. Is there anything that
Members of Congress can do to improve or facilitate that in any
way? I know you guys hate for us to stick our nose under
the tent, I understand that.
Mr. Parsons. Congressman, that is truly an excellent
question. You know, we've put a lot of effort, as you noted, to
information-sharing mechanisms. I would note here today that
Director Caverly is working very hard on the further creation
of the Homeland Security Information Network, which we
wholeheartedly support and we think that's going to be an
excellent mechanism. It will complement other things that we
have currently in place.
Honestly, I think at this point I don't have a good answer
for you, other than to say nothing comes to mind.
Mr. Towns. Right, OK, thank you.
Mr. Caverly. Congressman, I think there are two things. One
is something, not something Congress can fix, but is just
getting the two institutions, government and the private sector
to understand the information needs on both sides and be able
to transfer them into something that's useful to them. The
intelligence community presents information in a certain way
that is understandable to professionals that have dealt with
them for a long time, but not potentially understandable to a
security director who has not been engaged with them for a long
time. Our job is to find ways to do that and we're working very
much on.
I think the other issue, I think this is one where the
legislative entities across the country, whether they're local,
State or Federal, need to continue to search for the right
balance between the need to have sensitive information
protected so that it's not in the public domain versus the
public's right to have the information it needs to form
judgments. There's a delicate balance, but we're moving into an
area where the information needs to be shared between the
owners and operators, the infrastructure and the government,
that doesn't need to be in the public domain, whether it's
vulnerability information or intelligence, and we need to
strive to find a balance in those two very pressing needs.
Mr. Muccia. Congressman, nothing comes to mind right away.
I think in my limited world of banking supervision we've had a
long history of cooperating with the Federal banking
regulators, State and Federal, through our joint examination
programs, our joint supervision programs, so we're very used to
having this close coordination and communication.
Mr. Towns. Thank you very much.
Mr. Parsons. Congressman, I just might add, Congress has
already acted in a very beneficial way, that's the Intelligence
Reform Act; working to bring down barriers between agencies
that will help us to share information both among ourselves and
with the private sector as well.
Mr. Towns. Thank you. I yield back to the chairman.
Mr. Platts. Thank you, Mr. Towns. Mr. Parsons made specific
reference to the Patriot Act, intelligence reform. We're
obviously dealing with the reauthorization of that and trying
to strengthen some of the civil rights protections, but as I
referenced to Commissioner Kelly, that information sharing,
obviously, is critical to what you do within the Federal
department or in sharing information with local entities like
NYPD.
Mr. Parsons. Yes.
Mr. Platts. I want to ask Mr. Caverly, you in talking about
the Infrastructure Protection Plan, that implementation going
forward, how often is that coordinated plan reviewed for--in
response now to Katrina and Rita, how would that process go
forward? Is it a weekly review, monthly review? Is there a set
approach to it or is it more just as we learn you go back and
revise?
Mr. Caverly. I think there are several pieces of that.
There is a preparedness plan, which we've begun to work on with
the department relative to the scenarios to be prepared to deal
with and that's an iterative process that the Office of
Preparedness will be doing.
The National Infrastructure Protection Plan is still under
development. We have a base plan framework that we put out an
interim plan last February. The base plan will come back out
for comment to the American public shortly. Then there will be
individual sector plans after that.
Currently the plan is for the Director to look at that
annually. We may look at that cycle and say maybe a biannual
review, it might be longer than that. Then ultimately the
response down to Katrina and Rita were all carried out under
the National Response Plan, which was an effort by the
department based on congressional direction to combine a large
set of Federal response plans that were not connected in a
single framework. So the National Response Plan put out a year
and a half ago does that and that will be a process to come
back and see how well those integrated pieces work down in the
southern part of the country.
Mr. Platts. In developing the plans and getting feedback on
how to protect the infrastructure, and today we're focused
mostly on the financial sector, but another part of
infrastructure is chemical facilities, chemical plants. How
much outreach--I'll give you an example. I had a constituent
came to me and my staff, then followed up with the department
in terms of how this was being addressed. A driver for a
company that does a lot of transportation of chemical, very
volatile chemicals and his concern that when presented with
some of these plans, the identification, confirming that he is
who he's supposed to be and entitled to pick up this very
volatile supply order, that it was very lax.
Do you reach out within the department where actually you
go to those drivers and randomly pick some; say, how do you see
it? Or, how do you get feedback?
Mr. Caverly. It's a couple of things. There's obviously
security protection advisers located around the country going
out to facilities, visiting the supply chain part of those
facilities to pick up that kind of information.
Across something like the chemical sector, there's a range
of activities they do from something like the American
Chemistry Council for the largest manufacturers that have a
responsible care program for their security program, which is
best practices for them. Some of the other groups do. We
created a Chemical Sector Coordinating Council along the lines
that we've seen in financial services for the intent of making
sure that those kind of best practices, those kind of
knowledges, those protected activities can be translated across
a wide range of different kinds of facilities, different kinds
of concerns and operational realities.
I think it's a mix of the two things you identified.
Mr. Platts. I would encourage that outreach in that example
that the driver, his--as we're doing more background checks on
the drivers so they can get their license and be approved. Say
it doesn't mean a whole lot if someone bumps me off enroute,
takes my spot and pulls in and they don't check to see he's not
me. That type of outreach. Sometimes we look at that big
picture and forget that the guys are in the front lines, get
their insights which are sometimes----
Mr. Caverly. That highlights the interdependence of all of
the components. It's not just a single component. It's a system
of systems.
Mr. Platts. It is. You have to look at the plan itself with
the transportation network that's involved in distributing what
that plant is manufacturing.
Mr. Parsons, on the interagency capability sound practices
to strengthen the resilience of the financial system 2006
timeframe we're looking at for those protocols or those
practices being put in place, what's your assessment of where
this industry is as being able to comply with that timeframe?
Mr. Parsons. I believe the industry is well along, and I
believe they will comply with deadlines that have been set.
Mr. Platts. Is there any possible problems that may need to
be revisited or just that are not realistic or overall, are you
optimistic?
Mr. Parsons. Congressman, at this point I've heard of no
problems, I'm not aware of any. So we remain optimistic the
goals will be met. I will take the opportunity to commend the
sector because they have been extraordinary in their response
to this document and they've made extraordinary investments and
extraordinary progress.
Mr. Platts. Great. The coordination. And Mr. Caverly this
may be specific to you, the coordination, again, of information
being shared here, it seems that we've seen tremendous success
in the private sector and public entity in sharing information,
what's happening and how we need to respond. We had a blackout
in York--old York, PA, not New York--a while back and one of
the issues that came to my office was there wasn't a
preestablished ability of businesses to have direct access to
utilities. Where all of us as residents want our refrigerators
working, our lights on and air conditioners individually, but
there are entities that affect a much greater population base
because of the service they provide to the private sector, and
so they ended up coming to me, because I had a contact through
my State House days in dealing with this utility and we kind of
became the conduit for information from the utility, the
private sector provider and timeframe to these businesses,
especially food warehouses and things, so we could decide how
are we going to manage this problem long term.
We became that conduit. Obviously, it would have been
better if it was preestablished. What do you hear on that
direct access specifically to the energy, to utilities with the
financial sector in New York?
Mr. Caverly. I think in New York, again, based on the
history that the financial sector has had with New York, it has
very good connectivity both in telecommunications and
electricity. Again, unfortunately it's because they had
problems in lower Manhattan historically that did in fact move
this up on the many things that somebody has to consider in
assigning their resources to.
I think what you highlight is the need to say one size
doesn't fit all here; that we need things that operate on a
local level, could operate on a regional level and could
operate on a national level to insure that the kinds of
information that you need to continue your operation, the
continuity of operations, is accessible to you.
The utilities are doing a much better job in putting
information now up on the web and having it accessible, but,
again, if you're not used to looking for it there, it might
take you some time to find that information. They understand
the benefit to them of having that transparency out there and
being able to get the information out, particularly in a day of
7 by 24 news coverage where, clearly, misinformation causes far
more trouble frequently than not. So there is an incentive for
them to provide that kind of connectivity.
If you look at groups like ChicagoFIRST, if you look at the
program that Commissioner Kelly talked about Apple in New York,
those local activities that provide that connectivity and
dedicate the time to be connected to understand where to get
that information is a thing that has to happen. So I think we
all have a role to play in getting to what you're suggesting,
which is the ability to have the information needed to make the
decisions when something happens.
Mr. Platts. And that's great for a followup. When it's
information from your organizations to the private sector, some
of that information is very sensitive intelligence information.
How do you handle or prepare for the transfer of sensitive
intelligence with those receiving entities? Do they go through
a certain level of personnel background checks and things that
they're entitled to be privy to to what you're sharing?
Mr. Caverly. Unfortunately, the system that we have for
protecting that national security information never envisioned
what we have now, which is part of the private sector, we have
been able to through a system of security clearances, etc.,
create a framework in which we can get information to them.
It's not as efficient as we'd like. Homeland Security
Information Network, as we develop the capability and adjust
the flow of information, ultimately I think will allow us to
get information to the owner operators in their place of
decisionmaking. Right now it's pretty awkward, because we have
to bring them into a classified facility, assure they have a
clearance, but one of the things we're looking at is how can I
be sure I can give you quickly timely the information you need
to make that decision at the place where you need to make it,
because if you don't, we can't be as efficient as we want.
Clearly, with the financial institutions in New York, their
leadership all have security clearance. We were able to work
very closely with them in sharing some of the most sensitive
information last August, because we knew the need of being able
to share it with them. But we were able to do that on an ad hoc
basis and I think we need to move to a much more systematic
capability. But it requires changing our whole framework for
protecting sensitive national security information that's been
in place for a long time and that takes a lot of time.
Mr. Platts. In that review, that's something the department
is engaged in, how it's going to try to streamline that?
Mr. Caverly. How to streamline that, how to make sure the
information can go to someone who has to act on it in a
protected way without it becoming cumbersome for them to have
to receive the information.
Mr. Platts. Thank you.
One final question, Mr. Muccia, that in your testimony you
talked about the review of the Institution Business Continuity
Plan and the importance of the board of directors' senior
management being engaged in understanding and appreciating the
importance of this issue.
In those reviews, what is the norm? Is it the norm that the
senior board members and executives understand that continuity
disaster recovery is critical in today's time that we now live
in? Is that the norm, or are there some that still don't get
it?
Mr. Muccia. Mr. Chairman, that is the norm today. I once
had a mentor who told me the key to success in business was if
your boss was interested in a topic, then all of a sudden you
become extremely interested in that topic, and I think now the
events that we've had in the past and the examination programs
that we've had that really lay responsibility at the very top
with the board of directors. They know that we'll be taking
enforcement actions against them if they're not paying
attention. They have paid attention and have pushed down that
message to senior management and have held them accountable.
That's where we see success. When the board is active, when the
board knows the plans, when the board is monitoring the status
of those plans; that's when we've had success with the
institutions. We've had some smaller institutions that still
have some work to do, but we are working with the institutions
to make sure they get the message.
Mr. Platts. I would share the message with your mentor.
Those are some wise words. I learned from my mom and dad. If my
mom or dad was focused on something, it was important for me to
get that done.
Mr. Towns, do you have any comments?
Mr. Towns. I just hope my staff is listening. I do have one
more question. I'd like to direct this to Mr. Scott Parsons.
Treasury released a report that essentially called for the
ending of the terrorism insurance backstop for insurance to
provide terrorism insurance products to the marketplace. Many
industry participants, including some of those before us today,
have called for extending the authorization of such programs.
Can you describe for us the economic incentives or barriers
that are present in today's market to justify such a decision?
Won't the loss of the TRIA backstop provide less incentives for
insurers to provide such coverage?
Mr. Parsons. Congressman, I appreciate the question;
appreciate the spirit of the question. My response to you is
the department did issue a report and Secretary Snow has signed
it and I would let that report speak for the position of the
department at this point.
Mr. Towns. No further comment?
Mr. Parsons. No, sir.
Mr. Towns. Well, I can understand the sensitivity about it,
but you also need to understand our concerns.
Mr. Parsons. Certainly.
Mr. Towns. We'll drop it at that.
Mr. Chairman, I'll close on that note, hoping, though, we
could get some kind of written response from the Treasury
Department, because this is something that we have people
asking a lot of questions about and we can't give them the
answers, so I would appreciate that, recognizing you might not
be prepared to do that this morning. We look forward to getting
that. Mr. Chairman.
Mr. Platts. Exactly, Mr. Towns. I would suggest if the
department will followup to the committee in writing, we'll
keep the record open for about 2 weeks for that submission.
I want to thank each of you. I did have one final question
in a broad sense, because we certainly as fellow Americans are
watching the devastation of the Gulf in recent weeks now with
Katrina and now Rita. We also appreciate in trying to help
those citizens and businesses recover the tremendous demands on
the Federal, State and local private sector. You read on how
that's going to impact your department and ability to continue
all the other efforts that are underway in Homeland Security,
at Treasury and to have your arms around the needs of the Gulf
Coast, is there anything you want to make sure we're aware of
that's going to be challenging for your departments?
Mr. Parsons. I would just make a general comment, Mr.
Chairman, which is--it has been a very taxing month, and we
have worked very hard to make sure that the people who have
been affected by these storms have financial services that they
need to conduct their lives, and I have to tell you I have seen
some extraordinary work done at all levels; at the State level,
at the local level, at the Federal level, and especially the
citizens and business owners who are down there.
What I would just tell you is that it has opened a new set
of thinking for us in terms of lessons learned, in terms of
things that we think we need to be doing as a next step in
preparing the financial sector, so we anticipate a real effort
to get some good lessons learned out of this, but not just to
have lessons learned, but to actually act on them and make
sure. It's our philosophy that we need to make sure we
understand what is happening and be better prepared for the
next one.
Mr. Caverly. I think two things. The Secretary's
reorganization saw the need to insure that we had a better
balance between the preparedness activities and the prevention
activities and I think this highlights that and his
reorganization does it.
Second, I think it highlighted the changed nature of the
expectation of the private sector and the government in
restoring, particularly for those assets that have significant
natural impacts such as the pipelines, refineries, etc. and it
increases our need for information sharing, for something
simple as working to make sure the aerial photography that we
take very quickly after it gets to the owners and operators who
don't have access to the sites they can begin their response.
We can share things that historically we did not connect the
two together so I think it will have that kind of practical
impact.
Mr. Platts. Thank you, again to each of you. We appreciate
your written testimonies, your testimonies here today and each
of your respective organization's work of you and your
colleagues on behalf of our fellow citizens. Thank you.
We'll take again a brief 2 minute recess where we'll get
our third and final panel set up and reconvene shortly.
[Recess.]
Mr. Platts. This hearing stands back in session. We're
delighted to have on our third panel some members from the
private sector to share their insights. We have Catherine
Allen, chief executive officer of BITS Financial Services
Roundtable; Mr. Donald Donahue, chairman, Financial Services
Sector Coordinating Council for Critical Infrastructure
Protection and Homeland Security; Mr. Samuel Gaer, chief
information officer, New York Mercantile Exchange, chief
executive officer NYMEX Europe Limited; and Mr. Steve Randich,
executive vice president of operations and technology and chief
information officer of NASDAQ Stock Market.
We appreciate each of you being here and we'll ask if you
could stand and be sworn in and we'll take your testimony.
[Witnesses sworn.]
Mr. Platts. Thank you. The clerk will note that all
witnesses affirmed the oath in the affirmative. We would again
appreciate your written testimony. I call it my homework. When
we were in school on a regular basis, and we had that homework.
They're not the only ones to get it and the written testimony
gave Congressman Towns and myself some great insights in
preparation for this hearing. Again, we look forward to your
oral testimony.
If you could try to keep it to 5 minutes each, which will
enable us to get into a Q and A with you. Mr. Towns has a time
crunch, having to leave shortly before 1. Ms. Allen, if you
would like to begin.
STATEMENTS OF CATHERINE ALLEN, CHIEF EXECUTIVE OFFICER, BITS,
THE FINANCIAL SERVICES ROUNDTABLE; DONALD DONAHUE, CHAIRMAN,
FINANCIAL SERVICES SECTOR COORDINATING COUNCIL FOR CRITICAL
INFRASTRUCTURE PROTECTION AND HOMELAND SECURITY; SAMUEL GAER,
CHIEF INFORMATION OFFICER, NEW YORK MERCANTILE EXCHANGE, INC.,
CHIEF EXECUTIVE OFFICER, NYMEX EUROPE LIMITED; AND STEVE
RANDICH, EXECUTIVE VICE PRESIDENT OF OPERATIONS AND TECHNOLOGY
AND CHIEF INFORMATION OFFICER, THE NASDAQ STOCK MARKET, INC.
STATEMENT OF CATHERINE ALLEN
Ms. Allen. Thank you, Chairman Platts and Mr. Towns for the
opportunity to testify today. A full version of my testimony
has been submitted for the record and is here today.
I'm Catherine Allen, CEO of BITS. BITS is a nonprofit
industry consortium of the 100 largest financial institutions
in the United States. We're a non-lobbying group, sort of a
think tank for technology and operations for the CEOs of these
100 largest organizations. We serve the industry needs at the
interface between commerce, technology and financial services.
We're probably most well known for the best practices and
guidelines that we create on behalf of the members for the
industry and we share that much more broadly through the FSSCC,
through other groups, to the smallest institutions to make sure
that they are aware of the issues and address some of those
issues.
BITS and Roundtable member companies direct about $40.7
trillion in managed assets, $960 billion in revenue and 2.3
million jobs. Our activities are driven by the CEOs and the
CIOs or the heads of security of these organizations, the risk
managers and leaders who care for the financial services sector
critical infrastructure.
We also work closely with government agencies such as the
Department of Homeland Security, Treasury, the Federal Reserve,
the FBI and many financial regulators, technology and trade
associations and vendors in achieving what we try to do. The
financial services industry has always taken significant steps
to prepare for and respond to major events. In fact, the
financial sector is often viewed as the poster child for what
needs to happen in the critical infrastructure arena, primarily
because of our focus on operational, fiduciary, financial and
reputational risk.
Events in the past few years from September 11th to Katrina
have escalated our efforts. While I believe our industry
overall is better prepared than ever, there are significant
risks that can only be addressed by working in partnership with
others and that partnership is what I'll talk about mostly in
my testimony.
Financial institutions weathered Hurricane Katrina well and
now Hurricane Rita and responded to customer needs quickly.
They also responded well during the August 2003 power outage
and the terrorist attacks on September 11th.
Our sector is a favorite in terms of a target by cyber
criminals as well as terrorists. Over the past 4 years the
financial services sector has taken major strides to respond to
the risks we face today and prepare to address future threats
and vulnerabilities.
Financial institutions have business continuity plans which
they constantly update, refine and test. This is a regulatory
requirement and part of the risk management process that all
financial institutions have embraced. As financial institutions
identify risks, they work to mitigate them and BITS has made
coordinating financial services industry crisis management
efforts a top priority. Some examples of what we've done: There
have been numerous conferences and meetings to bring together
leaders and experts. We developed a crisis communicator for our
CEOs and crisis management coordination and security executives
to get them on the phone as quickly as possible. We've helped
create and drive membership in the FS-ISAC, the Information
Sharing and Analysis Center; we conducted worst case scenario
exercises, we've engaged in partnerships with the
telecommunications sector and key software providers such as
Microsoft to address our industry's business requirements.
We've compiled lessons learned from September 11th and from the
August 2003 blackout and Hurricane Katrina and have shared
those with the industry.
Most well known are our development of best practices and
voluntary guidelines in everything from how you manage
outsourcers to the alert levels at the Department of Homeland
Security to the cross industry telecom business requirements.
We're currently working on best practices with the energy
industry, energy and power industries. We created a model for
regional coalitions, ChicagoFIRST, and we developed liaisons
and pilots with the telecommunications industry to develop the
appropriate levels of diversity and redundancy. There is no
true diversity and redundancy in the telecommunications system
today and that was one of the things that is critical and on
the top of our list.
Most recently in response to Hurricane Katrina and now
Hurricane Rita, BITS stepped in to help in coordinating and
disseminating critical information and, again, in my longer
testimony, there are examples of that.
As you know, the financial institutions are heavily
regulated and actively supervised by State and Federal
agencies. Both have stepped up their oversight of business
continuity, information security, third party service providers
and critical infrastructure protection. And also the financial
exchanges have added requirements in this area.
Regardless of how well financial institutions respond to
regulations, we simply cannot address these problems alone. Our
partners in other critical industry sectors, in particular
telecommunications, energy and software, must all do their fair
share. In fact, we call it conducting a ``higher duty of care''
because they respond to the critical infrastructures.
During the past 4 years, the FSSCC, the Financial Services
Sector Coordinating Council for Critical Information
Protection, has been created. BITS helped to establish that and
continues to play a major role in its efforts. You'll hear more
about that from Don Donahue in a few minutes. We work closely
with the FSSCC under the Department of U.S. Treasury and with
other departments at other government agencies.
There are specific examples of cooperative efforts that
BITS funded and put together and share with the industry. First
of all, with the Securities Industry Association, we put
together best practices and what you do at different levels of
security from the Department of Homeland Security's alert
levels, what you do at the various orange, red and yellow
levels, we shared those throughout the critical infrastructure
industries.
Second, working with the U.S. Treasury, we funded or
underwrote the costs for developing ChicagoFIRST so we would
have a regional model and then could share that model with
other member companies in other regions of the Nation.
ChicagoFIRST was created to foster preparedness and
recoverability of financial services in specific regions and
again serves as the model for other regions.
As part of BITS' work to strengthen our critical
infrastructure, we also focused on the need for more diverse
and resilient telecommunications services. BITS engaged with
the telecommunications companies, and worked very closely with
the National Communications System, an excellent group, which
is now under the Department of Homeland Security and worked
with them to develop the BITS Guide to Business Critical
Telecommunications Services. It's a resource for outlining what
financial institutions need to ask of their telecommunications
partners and in my role sitting on the NRIC, which is a group
of telecommunications CEOs that respond to the--that advise the
Federal Communications Commission, we also provided that
information into those work groups so we could exchange the
dialog with the telecommunications industry about best
practices.
In dealing with Katrina's aftermath, you can see how
important telecommunications resiliency and redundancy is.
Attached to my testimony is a comprehensive overview of the
contributions that BITS has made in the last 2 years and,
again, shared with the entire industry. They tend to focus
around a few key elements: One, improving communications during
crisis; two, enhancing the resiliency of the telecommunications
infrastructure; third, enhancing the reliability of the
electric grid, because telecom and financial services are all
dependent on that; improving the security of software, hardware
and the Internet; addressing forms of online fraud and identity
theft and improving oversight of third party providers.
There are numerous lessons we can learn from September 11th
and August 2003 and that is to be prepared and share
information and view preparation from a strategic and holistic
manner.
Last, some of the key things I think that the Federal
Government can do is focus on this need for diversity and
resiliency in the telecommunications infrastructure. There may
be incentives such as using the telecommunications excise tax
that could be used to incent telecommunication infrastructure
changes, certainly to make available more satellite and
alternative channels of communication; R&D dollars allocated to
telecommunications resiliency is critically important, and
again I commend the National Communications System under the
Department of Homeland Security and make sure that maintains
its critical role.
Second is the power grid must be considered among the vital
critical infrastructures to make sure it works across the
Nation. Here incentive dollars are needed and, as I said, BITS
is working on best practices for this industry. The alternative
power generation area is critically important for not just
financial services, but all critical infrastructures.
Third, recognize the interdependence of all critical
infrastructures. You cannot make requirements of the financial
sector without realizing how dependent we are on telecom and
power, and in some ways on the transportation industry. BITS
has worked very closely with the chemical, the telecom, the
power, energy and other critical industries to share what we're
doing and to share best practices with them, but again, making
sure that what's of vital importance is how this
interdependency is addressed from the Government level.
Last, and I would say probably most importantly, all of us
at BITS worry about a combined physical and cyber attack. We
have not had that, but I will tell you that all of the Nation's
data systems; the first responder systems, the hospital
systems, the police systems, the financial systems, rely on
pretty much one operating system. The need for us to make sure
that our operating systems and software, our hardware and our
networks are secure and that there are alternatives if they are
not available is critically important and that's what we mean
by the ``higher duty of care'' for providers of those services.
I've attached to my testimony a document we call
``PREPARE,'' which are seven things that we believe the
government can do with regard to cyber security issues and
again they include everything from promoting the issues and
educating the consumers and the industry to providing R&D
dollars to strengthening law enforcement who address cyber
security issues. One other issue and that's in response,
Congressman Towns, to your question about TRIA. We think it's
critically important. It's a tool that provides liquidity in
the property and casualty insurance markets. Thus far, it has
not cost taxpayers any money, but has resulted in the placement
of a significant amount of terrorism coverage. We encourage you
to reauthorize TRIA and continue with that, because it's a
piece of this holistic look at terrorism.
Finally, Hurricane Katrina has made poignantly clear we
need to improve coordination procedures across all
infrastructures and with Federal, State and local government
when events occur.
On behalf of both BITS and the Financial Services
Roundtable, thank you for this opportunity to testify.
[The prepared statement of Ms. Allen follows:]
Mr. Platts. Thank you, Ms. Allen. Mr. Donahue.
STATEMENT OF DONALD DONAHUE
Mr. Donahue. Chairman Platts, Ranking Member Towns, thank
you for inviting me today. As you know, I currently serve as
chairman of the Financial Services Sector Coordinating
Council for Critical Infrastructure Protection and Homeland
Security, which you've already heard referred to as the FSSCC,
an industry group dedicated to infrastructure protection
efforts. I'm also chief information officer of the Depository
Trust and Clearing Corp., one of the key industry
infrastructures. Through its subsidiaries, DTCC processes most
U.S. trades and a broad range of financial assets, for example,
last year clearing and settling 1.1 quadrillion worth of
financial transactions.
FBIIC was established by the sector in 2002. It currently
has 33 members consisting of many of the key industry
infrastructure organizations and trading markets and a broad
array of industry trade associations representing an estimated
8,000 financial institutions. The FBIIC's mission statement
states that it seeks to foster and facilitate the coordination
of financial services sector-wide voluntary activities and
initiatives designed to improve critical infrastructure
protection and Homeland Security. As I will discuss later,
FSSCC has very real achievements in realizing this mission.
The foundation for FBIIC's achievements is a very effective
partnership with our key Federal counterparts, most
particularly our strong relationship with the Department of the
Treasury. Our sector-specific agency under HSPD7 has been the
essential foundation for many of the sector's accomplishments
in promoting infrastructure protection. The leadership of the
Treasury's Office of Critical Infrastructure Protection has
been invaluable in these achievements. The sector also is
forming an effective relationship with the Department of
Homeland Security and will continue to work with DHS in
coordination with the Treasury to support its infrastructure
initiatives. We also have effectively worked with the financial
regulatory bodies to help them formulate and implement
appropriate regulatory standards in this area.
Earlier this year FSSCC published its report, ``Protecting
the U.S. Critical Financial Infrastructure: 2004 In Review,'' a
copy of which was made available to your staff. Let me mention
a few examples of the sector's accomplishments identified in
that report.
Prominent among them is promoting broad participation,
broader participation in the Financial Services Information
Sharing and Analysis Center, the sector's mechanism for sharing
critical information about physical and cyber security threats
and vulnerability. The FS ISAC reports it now has 1,749
participants plus an expanded reach through the sector's trade
associations representing nearly 10,000 firms.
Sector members have implemented several capabilities
promoting more effective disaster recovery coordination in
regions critical to financial services. You've already heard
much about the example of ChicagoFIRST. Other regions have
implemented similar coalitions and FBIIC and its members are
working with Treasury to promote this model in other areas
across the country.
Third, coordinating the creation of a unified structure of
emergency calls so that calls can be timed in a way to reduce
conflicts and feed information into decisionmaking processes in
an effective way, one of the key learnings that came out of the
August 2003 blackout experience. These are a few examples of
the accomplishments that the report highlights. FBIIC's own
initiatives build on the very strong record of the sector
generally in responding to these new infrastructure protection
challenges.
My own company, DTCC, for example, has put in place a far
more resilient infrastructure supporting the financial markets,
even though we continued to operate without interruption during
the week of September 11th, completing more than $1.8 trillion
worth of financial transactions that week. The industry's other
core clearing and settlement organizations and the trading
markets have implemented a variety of steps since September
11th to reinforce the resilience of their operations. In
addition, key trading markets have thought through reciprocal
arrangements to trade in other markets' financial instruments
in an extreme emergency. Sector trade associations, the
Financial Services Roundtable, BITS, the Futures Industry
Association, the Securities Industry Association and many
others have organized their members' efforts to improve
resilience practices and to test those improved practices. Much
detail regarding these initiatives is set forth in the 2004
annual report. Thanks to these efforts, the sector is to the
point where I am very confident of our ability to operate with
minimal disruption even under very severe circumstances.
As successful as these programs have been, we also need to
rehearse these practices to insure that they will work when
needed. The sector's commitment to doing this as well has been
exemplary. A notable example is the test plan for October 15th,
in approximately 3 weeks, sponsored by the Futures Industry
Association, the Securities Industry Association and the Bond
Market Association. In this test more than 200 participants in
the futures and securities industries will operate from their
backup centers and test interaction with key markets and market
infrastructures. FSSCC also is sponsoring a comparable test or
considering sponsoring a comparable test on the payment systems
side in 2006 and we expect to be making a decision about that
reasonably soon.
The financial services industry has responded strongly to
the new challenge of business continuity in the post September
11th world. We have done this because of our very clear
understanding that we are responsible for the financial assets
of 270 million Americans and for their ability to continue to
conduct their financial affairs. The people of our industry
take this responsibility very seriously. This committee and the
Congress can rest assured that the financial services sector is
and will continue to be resilient and strongly prepared for
future emergency situations.
Thank you very much.
[The prepared statement of Mr. Donahue follows:]
Mr. Platts. Thank you, Mr. Donahue. Mr. Gaer.
STATEMENT OF SAMUEL GAER
Mr. Gaer. Good afternoon. Thank you, Chairman Platts, and
Representative Towns for inviting me to participate in today's
hearing. The subject matter of this hearing is of an ongoing
concern and engaging these issues head-on is an important tool
in a set of responsible business practices for both private
industry and government alike. I sincerely welcome the
opportunity to express what the New York Mercantile Exchange or
NYMEX has accomplished to date. The exchange is the world's
largest physical commodity futures exchange and has been an
example of market integrity and price transparency throughout
its 133-year history. The Exchange also plays a vital role in
the commercial, civic and cultural life in New York. It
provides thousands of jobs in financial services and allied
industries and through its charitable foundation supports
cultural and service programs in the downtown community of New
York, throughout the Tri-state area where our traders and staff
live, in Washington, DC, and Houston.
The business continuity planning process requires
commitment from management and the ability to foresee various
contingencies. Our leading role in the energy and metals
markets demands we take steps to insure that our price
discovery and formation mechanisms will continue to be
available in the event of an emergency affecting our
operations. NYMEX has a proven track record that demonstrates a
dedication to insuring that we can provide our services even in
the face of extreme adversity.
We are not satisfied, however, to rest on successes of past
performance. As such, we continually analyze and improve our
business continuity plans. The Exchange's emergency
preparedness may be broken down into several distinct but
integrated categories. Business continuity planning, the more
narrowly focused practice of recovery planning, the education
of critical staff responsible for emergency preparedness and
finally the Exchange's external efforts, including coordinated
industry-wide testing and providing valuable feedback to
government industry agencies.
The Exchange's business is comprised of many different
process groupings, each of which requires a particular
expertise. These business units are each assigned a staff
member who acts as a business continuity coordinator [BCC],
whose responsibilities include assessing the critical processes
and creating a workable recovery plan. The BCC is an individual
with experience in the procedures of their specific business
unit. Tactical decisions rest with the Emergency Operations
Team, the EOT, which is comprised of BCC's and business
continuity leaders. The BCL's role is to coordinate the
Exchange's continuity and disaster recovery efforts, lead the
EOT and report to the crisis management team. During an
emergency, the high level strategic decisionmaking authority
rests with the CMT, the Crisis Management Team, which is
comprised of members of NYMEX board of directors, executive
committee and critical senior executives. Their role is to
assess the threat and if necessary provide an official
declaration of disaster, communicate with members of the
Exchange and coordinate with regulatory and industry agencies.
The CMT is empowered by the board of directors to make critical
decisions necessary in any emergency recovery effort.
NYMEX's core business is commodity futures trading
clearing. In order to insure the continuity of this business we
have developed several alternative continuity plans. The
Exchange headquarters, for instance, were designed to be as
redundant as possible, including the availability of a backup
generator fueled by, of all things, diesel fuel, which was
critical during the September 11th terrorist attack and the
blackout of August 2003.
One of the first priorities for the Exchange after
recovering from September 11th was to build a completely
redundant replica trading facility. This facility, which was
completed in January 2003 is located outside of the city and is
a reasonable commute for our staff and traders. It contains
fully operational trading ring, telephone work stations and
space and administrative space. More importantly, it also has
the ability to disseminate price data worldwide and is a
completely redundant data center, housing all critical Exchange
IT systems. All of our traders and key employees have been
provided with directions to the site and many of our traders
have participated in a mock trading simulation actually
bringing them out to the site and going through an actual
trading session where they exchange trades and we ran through
the clearing cycle.
In a situation where access to the trading facility in
lower Manhattan or the backup site would not be immediately
available, the Exchange also has two electronic trading
systems, NYMEX Access and NYMEX ClearPort, both of which have
24-hour trading capability. In fact, we were the first Exchange
in New York to open following September 11th. Although it was
preferred that the trading would resume by open outcry, a
preferred venue of trading, it was apparent that the quickest
way to reopen markets would be through NYMEX Access, despite
the destruction of the proprietary communication circuits in
the collapsed Twin Towers. The Exchange was the first New York
financial market to reopen when the new system went live on
Friday, September 14th. The initial energy and metals trading
session was just 2 hours long, but the pent up demand for
trading services resulted in then-record electronic volume of
nearly 70,000 contracts. This volume was nearly eight times the
average daily volume of regular 16-hour electronic trading
session at that time.
In the event of an emergency, it is necessary to have a
safe and secure place for teams to assemble and manage recovery
efforts and coordinate services. The Exchange maintains
emergency operations centers at both primary and backup sites.
Should an emergency affect the primary site only, an additional
temporary location has been made available through a local
community relationship. Maintaining communication is the single
most important aspect of any emergency recovery effort. All
aspects of our emergency operations center are choreographed by
multiple communication links between resources and Exchange
responders. Continuity planners must envision and plan for
emergencies that disable telecommunications, utilities,
transportation, other infrastructure service vendors and
customers.
Disaster recovery planning also specifically refers to
restoring the information technologies that run our business
and provide services to staff and customers. Every critical
Exchange system is duplicated and can provide services in the
event the main facility or system is unavailable. Data moves
across redundant fiberoptic links, linking our backup site to
the primary site. In addition to wide area network or WAN
created between the two hot sites the exchange maintains
multiple hot links to Internet service providers. The Exchange
information technology systems form the underpinnings of our
ability to recover the services we provide to the marketplace
in a timely fashion.
As new systems are developed and deployed at NYMEX fault
tolerant distributive-active active and advance replication
technologies are used to help insure we provide these services
in the most adverse environments.
In September 2004, on behalf of NYMEX, I testified before
the House Financial Services Committee hearing on the emergency
preparedness of the financial services sector. We have since
participated in the TopOff 3 exercise sponsored by the U.S.
Department of Homeland Security, which was designed to test the
readiness of first responders; Federal, State and local
emergency managers along with key infrastructure components
such as hospitals and transportation networks. The securities
industry component of the TopOff 3 exercise involved the SEC,
U.S. Treasury Department, exchanges and trade associations such
as the Securities Industry Association, Bond Market Association
and the Futures Industry Association. In addition, in October
2004 NYMEX, the MIA, other leading futures exchanges and clearing
firms successfully completed the first industry-wide disaster
recovery test. The test scope has expanded in 2005 to include
market data vendors. This industry-wide disaster recovery test
has become an annual event and is scheduled for October 15th.
The Exchange is among the leaders in an industry-wide
initiative to standardize the protocols governing the way
companies send and receive data. This will help many companies
develop systems based on standardized specifications, making it
easier to deploy and maintain data communications internally
and externally under challenging circumstances.
Another area we have taken advantage of is sharing
alliances. The Financial Services Information Sharing Analysis
Center, FS-ISAC, is a source of critical information ranging
from information security alerts to Homeland Security threat
analysis. The New York City Office of Emergency Management is
another source of information for New York-based companies.
This information is critical for the constant monitoring of
potential disruptive events.
NYMEX has a global presence. The Exchange's energy and
metals futures markets provide benchmark pricing information
that is used worldwide. NYMEX recently opened up an exchange in
London and signed a joint venture agreement with the Dubai
Development Investment Authority [DBIA]. The exchange must be
cognizant of world events. NYMEX views continuity planning as
an ongoing project that is necessary to meet critical business
needs and it incorporated this planning into its day-to-day
operations. Every project system or business process deployed
incorporates some form of continuity planning. Risk and impact
analysis, training, disaster recovering, testing and regular
meetings with critical staff create a sense of awareness
throughout the company. Business continuity planning has become
part of NYMEX business fabric.
We strive to learn from past experience. The September 11th
terrorist attack, the 2003 blackout, our mock disaster testing
and planning for the 2004 Republican National Convention, as
well as the recent bombings in London which I was personally
about two blocks away from, have helped us prepare for the
future. This year as we were finalizing preparations for the
launch of the London trading facility and during the July 7th
and July 21st bombings, we activated our emergency teams as a
response to that event. We are currently following important
developments in the Gulf Coast region as our Nation struggles
with the catastrophic damage caused by Hurricanes Katrina and
Rita. As you know, there are critical delivery points for both
gasoline and natural gas in that area.
Government agencies are of critical importance in preparing
for and providing critical support during an emergency. The
relationship the Exchange has developed with government leaders
has enabled us to overcome many difficult recovery challenges.
In the immediate aftermath of September 11th, we received
significant assistance from the Federal, State and city
governments.
The Exchange appreciates being invited to participate in
these important discussions. Further efforts to improve
communication between government and industry will only
strengthen the ability of the Nation and financial markets to
respond to the changes that lay ahead. Large scale
emergencies similar to those that have occurred in the past are
inevitable. Continuity planning is not an individual task, but
must be faced by all involved participants in the services
sector.
I would like to thank the chairman and Ranking Member Towns
for holding this hearing and inviting NYMEX to discuss this
extremely important topic. Thank you.
[The prepared statement of Mr. Gaer follows:]
[GRAPHIC] [TIFF OMITTED] T6505.060
Mr. Platts. Thank you, Mr. Gaer.
Mr. Randich.
STATEMENT OF STEVE RANDICH
Mr. Randich. Thank you for allowing me to testify today.
I'm Steve Randich. I oversee operations and technology at the
NASDAQ stock market, which is the largest equities market in
the world. It's always been a priority at NASDAQ to maintain a
hardened resilient operation that can withstand catastrophic
events. A few principles I want to communicate today is that
NASDAQ for a very long time has viewed business continuity and
disaster recovery as a top priority. We've had a backup data
center in a remote geographic location for 20 years.
Second, exchanges in the United States are evolving toward
an electronic trading model and this will naturally enhance the
capital markets' ability to withstand catastrophic events.
Last, business continuity planning is a collective effort. A
stock market alone does not represent our capital markets.
Instead, it is only as good as its weakest link.
Our operating model provides a natural business continuity
advantage. Historically, an exchange operated at a central
physical location where buyers and sellers would meet face-to-
face to trade. A single central location without a practical
and tested capability of backup puts our Nation's capital
markets at risk. Trading at NASDAQ is executed through our
sophisticated computer and telecommunications network. Unlike
physical floor-based exchanges which employ a specialist to
direct buying and selling of a stock, NASDAQ's open
architecture structure utilizes hundreds of geographically
diverse and competing market makers who simultaneously provide
trading liquidity for stocks listed on the market. This insures
not only healthy competition for investors, but, more
importantly, prevents a single point of failure given the
geographic diversity of these market makers.
NASDAQ was prepared for and fully resilient operationally
to September 11th and the blackout of August 2003. Geography is
critical to our operation resiliency. We have two data centers
that are more than 300 miles apart. They are located in
different geologic and climatic zones and are in different
regional power grids outside of metropolitan areas. We store
enough fuel onsite to allow us to run our data center for a
full week during an extended power outage without a refill. We
also maintain 185 tons of batteries for additional backup. We
test each of our generators weekly and perform a utility
failure test across the entire infrastructure every quarter.
In addition to geographic diversity, we also use locally
situated systems and networks to achieve resiliency. Several
network providers are utilized, each with network diversity
connectivity into our two data centers. Market participants are
insured maximum protection by employing diverse access to both
our primary and backup data center at all times. At no time
during the week of September 11th were NASDAQ systems
inoperative. When the attacks occurred, trading was suspended,
but NASDAQ's systems and network continued to operate. We
focused on insuring connectivity to our market participants who
provide liquidity to our marketplace. Although actual stock
trading was suspended, our systems operated continuously
throughout the week.
Notwithstanding the success after September 11th NASDAQ
implemented improvements to our backup system. We added more
frequent testing to our backup site and began regularly testing
full market-wide disaster recovery tests that are open to all
market participants. In collaboration with State and Federal
authorities, we evaluated and increased our physical security.
Although large portions of the northeastern United States
were out of business during the blackout of August 2003, NASDAQ
maintained full operations throughout that 2-day period. Our
alternative power systems automatically provided immediate
continuity so that there was no impact. However, the blackout
revealed some areas of weakness in the financial sector that
required vigilant attention. There's a need for more backup
facilities outside of high risk metro areas like New York.
Although most large market participants and telecommunications
providers had backup systems and procedures in place, they
didn't all work as expected. There were several examples of
backup generators that failed within 12 hours of the blackout,
largely because of either poor fuel quality or machine
maintenance.
Looking forward, and since September 11th, NASDAQ has
worked closely in participation with the Federal Government and
private sector to strengthen the resiliency of our
infrastructure. We now have a contingency plan that provides
NASDAQ the ability to trade all New York Stock Exchange stocks
if its trading floor becomes inoperative for an extended period
of time. Nearly 18 percent of the daily NYSE volume already
trades electronically on the NASDAQ network, so this
contingency trading plan is in effect tested daily.
In conclusion, NASDAQ is continually anticipating,
evaluating, preparing for what may occur one day. Our
preparedness will never be 100 percent perfect as we're limited
by our human imagination of what might occur. Our increasingly
decentralized, geographically diverse operating model continues
to provide us with a high degree of confidence that we will be
prepared for the next event. As I said earlier, the industry is
rapidly moving toward electronic trading, which is very
good news for resiliency. With electronic trading, an exchange
no longer needs to be tied to a single location. Effective
backup and redundancy is the key to security against any form
of accident or attack and essential for our financial national
security. For financial markets we believe this is the core
lesson of September 11th and the blackout. For the committee
and all concerned branches of government, we believe it is a
crucial lesson as well.
Thank you for the opportunity to testify today.
[The prepared statement of Mr. Randich follows:]
[GRAPHIC] [TIFF OMITTED] T6505.069
Mr. Platts. Thank you, Mr. Randich. Again, to all of you,
appreciate your testimonies.
Maybe a broad question to each of you, just in dealing with
the Federal Government in your respective organizations and
members; infrastructure, critical infrastructure protection,
what do you see as the greatest hurdle in dealing with
preparedness and is there any specific statutory changes you
believe need to be made to allow better cooperation,
interaction with the Federal Government? If anyone would like
to----
Mr. Donahue. I'll start. Mr. Chairman, I certainly could
not recommend any statutory changes, although some of my co-
panelists may have ideas. I think we, as you unquestionably
heard this morning in the testimony, the financial sector is
very, very proud of what they have accomplished in this space
and I think rightfully so. There has been a lot of energy
devoted to this.
You asked earlier about the state of compliance with
respect to the sound practices paper. All of our organizations
have met their deliverables by this time. The significant firms
in the paper are all well on track to meeting the deliverables
by 2006. I think our interaction with Government in support of
those objectives has been very positive. I think a question
that looms on the horizon is, speaking personally, how much is
too much and how much do you achieve agreement in the public
and private sectors about the degree to which resource
investments yet need to be made in financial services to
achieve levels of resilience beyond where we're at at this
point, and making sure that we all have a very reasonable sort
of judgment. If we can arrive at a reasonable judgment on that
question is going to be a key issue as we go forward.
Mr. Platts. Cost benefit analysis----
Mr. Donahue. Very, very much so. Again, you heard from all
the remarks people were making, that there have been a
significant investments by a number of the industry
infrastructure members and a number of individual firms, and
making sure any additional adjustments we're asked to make by
the benefits we're going to derive from them is a critical
issue going forward.
Mr. Platts. Ms. Allen.
Ms. Allen. I would say the two areas I would like to see
the government spend much more time focusing on is the
interdependency area to understand how dependent we are on
these other critical sectors, and how much our regulators can
require us to do something. We cannot do it if the telecom,
power industry and IT industries are not there, and we must
place the focus on cyber security.
Second, I don't know if there are statutory changes needed,
but an example would be antitrust exemption. BITS has a product
certification program. It's a voluntary testing program by
vendors, software vendors, to meet minimum security
requirements. They overwhelmingly tell us, "We really aren't
going to do it unless we're mandated to do it." BITS cannot
mandate because of antitrust concerns. So, look at how do we as
an industry or even critical infrastructure industries set
standards for cyber security.
Another thing is, again, incentives for the
telecommunications infrastructure to have alternative
telecommunications systems, but also to provide this diversity
of redundancy that we need.
Then last, I think the concept of funding regionals was
brought up. If there were some kind of seed money that would
help, we would--let's put it this way, it would happen much
faster, if there were some seed money for the critical areas.
We could all sit here and name who were the 10 to 15 critical
geographic areas and there were some seed money. There's a
model, there's some support, but it does take money, it takes
some coordination to implement.
Mr. Gaer. I would actually echo some of the statements made
regarding to--our experience regarding government involvement
with disaster recovery business continuity has been a very
positive one, in the fact that we're regulated by CFTC is our
primary regulator. I took this job beginning in March 2003 and
we were planning for a lot of these industry-wide events that
were going to occur because the exchanges all got together, at
least in the futures industry the exchanges all got together
and said what do we have to do to make this work a little bit
better. It was very refreshing to see representatives from the
CFTC attend these meetings and say, listen, we're going to let
industry drive this process, we're going to let industry drive
the process, we're going to stand back and watch and see how
you're doing it. We don't want to have to step in, so please
manage this correctly.
From all accounts, from everything you've heard today, I
think the financial services industry as a whole has been
managing it very well. Interaction with government has been on
a very open basis, our access to things like GETS cards for
critical personnel to use, Government Employee
Telecommunication Service, I think it's called? Government
Emergency Telecommunication Services. NYMEX's interaction with
the OEM for events such as Hurricane Isabelle of last year,
where we're invited to come and join in government and to work
together in partnership with government, but it's very clear
from our experience, our industry-wide test, the blackout of
2003 that industry is going to drive the acceptance and
industry is going to drive basically the ultimate result of any
disaster recovery model.
Mr. Randich. Briefly, having worked in a number of
industries, I find it amazing how this particular industry is
so self reliant and motivated in this regard, which is a good
thing. So in that area, I really don't see any need for any
specific legislation, only facilitation of policymaking that
encourages technological innovation and solution in the area of
business continuity and disaster recovery.
Mr. Platts. Thank you, and I think this industry has gotten
the American way of what do we need to do and how do we need to
do it and let's get it done. I think that's been reflected in
all our accounts today, the aggressive nature.
That being said, I think one of the challenges for the
industry, I think everybody has touched on it in some way
today, is the interdependence of your industry with these other
critical infrastructures; telecommunications, power,
transportation, you name it. What would be your read on your
interactions with these other sectors, if you want to pick
power specifically, communication, and how they're responding
and I think it was, Mr. Randich, in your testimony, about how
they have onsite generators for a week's worth of power, fuel,
if we had here in your facility like in New Orleans, where not
only it's going to be well over a week before power will be
restored, it's going to be months to some of those areas, and
even inability to get transportation in because of the amount
of damage that was done, how is the energy industry responding
to having an ability to be redundant in their provision of
services as best possible to your needs, again, not just
energy, any of the infrastructure industry that we depend on.
Mr. Randich. In all cases, the answer is never going to be
perfectly. However, we all have choices that we make in the
marketplace. We decided where we want to put our data centers.
We decide who we're going to buy fuel from. We decide who is
going to be our network provider and our power provider and we
make those choices, so there's some vendor diversity, as well
as we pick partners that have proven to be reliable over time.
So I very much believe that the free enterprise economics and
decisionmaking over time converge on the best solution for the
markets that eventually prevail.
Mr. Platts. As much as possible, again, market-driven
solutions.
Mr. Randich. Market-driven solutions.
Mr. Platts. Ms. Allen.
Ms. Allen. I would add that the telecommunications industry
has been very helpful. Much of that from the work of Duane
Ackerman, who chairs the NSTAC, the President's Advisory
Council. In the private sector, CEOs and CIOs from the
telecommunication sector work closely with us on that. It has
come less from the government other than the NCC.
The telecommunications, the best practices we're working on
there, includes how many days of backup fuel you need to have,
what are the transportation sources for that. That is, again, a
private sector-led effort. It's not to say that the Department
of Energy and others aren't doing things in this critical
infrastructure area, but it tends to be more focused just on
the industry, less on the interdependency issues.
Mr. Platts. OK. How about in the sharing of information
through the ISAC process and how that's working and
specifically with financial sector, your read on where we are
and where we could go to insure that's effective in its intent?
Mr. Donahue. I think the sharing of information for the
ISAC has been very successful to the extent it's reached. We're
building the interstate highway at this point, and we are
building a communications infrastructure that can get
information out to members of the sector. We, obviously, have
some distance to go in terms of adding end points to that
network, but I believe that has been very successful and I
think the ISAC membership is finding it very useful to get the
alerts and the information that comes to them through that
channel.
I think Jim Caverly in the earlier panel put his finger on
where this needs to evolve, which is the development of more
formal procedures for information coming from the private
sector to DHS, to Treasury in its role as sector specific
agency about where we believe vulnerabilities continue to
exist.
Involving the private sector picture, conversely, of
opening channels information from government in terms of threat
information, in terms of more sensitive information of where
clearance is possibly going to have to be obtained in order to
be able to do that. That's the area that needs work and
experimentation.
Mr. Platts. That was actually one of my specific questions,
because in your testimony you talk about the importance of
communications and information, but what's your read on that
access to sensitive information, whether security clearance is
being required? Sounds like we have a ways to go in allowing
that to be a more seamless automatic process.
Mr. Donahue. I don't think anyone is comfortable with the
state that has reached. DHS and Treasury both working together
did sponsor members of the FSSCC for clearances at the secret
level, which has been very helpful. I think there have been
instances where information could be discussed on conference
calls where we knew everyone on the call had a particular
clearance and therefore they were somewhat more free to discuss
matters, but it's clear that we don't understand who all needs
to have access to the information, how do you sanitize
information so that you can be conveying it to people who
aren't necessarily cleared. I mean, all of those issues still
have to be explored.
DHS approached the FSSCC in I would say late spring and
asked for our agreement to work with them on the development of
an information sharing pilot that would sort of go to the next
generation of an information sharing methodology between the
government and the private sector. We have agreed with them to
go forward with that and I think Katrina and Rita have
intervened to sort of put that on the back burner for the
moment, but I'm sure that will be something they return to in
the fall.
Mr. Platts. The interaction I guess between the private
sector and the government, what is specifically in New York, if
there is a major incident, what's the process of structures in
place for yourself, your organization or members as far as
being in touch with the New York City emergency response
office, the NYPD? Is that a very formalized structure that you
have a contact, people that you go to, and if one of the things
that's down is communications, how do you make that contact,
even if you have the right person to be in touch with?
Mr. Gaer. For us, our proximity is probably one of our
biggest assets in that situation. We have both formal and
informal ways that we communicate with government here in the
city as well as regional and national government. We're briefed
on an ad hoc basis as far as threats and threat levels,
especially ones that are germane to the financial services
area. I think it was about a year or so ago when there were
threats against Merrill Lynch and I think it was Prudential in
Newark, where we were advised of these threats ahead of time
and we were able to harden beforehand. We interact with local
law enforcement, the Joint Terrorism Task Force, very well, as
a matter of fact, sometimes to almost the shock of visitors who
come to our facility in the rigorous amount of security that's
around the building and how they have to get into the building,
they're very, very shocked and then later impressed at how
secure we keep the building.
But the communication between ourselves and between
government, again, it's formal and it's informal on an as-needed
basis. I have a list of contacts, our president, our chairman,
the crisis management team can get in touch with people at
their homes on their cell phones or what have you, so it's been
a very post September 11th, it's been a very kind of open
cooperative environment.
Mr. Donahue. A number of the infrastructures in New York,
you mentioned that you have a seat at the OEM, others do as
well. In the event of an emergency in this city, we know that
our people are supposed to go to OEM. Security Industries
Association has a seat, my organization has a seat, the
Exchange's technology arm has a seat. People know they're
supposed to immediately go there so they can be part of that
centralized communication.
You mentioned GETS cards earlier, there has been a fairly
wide distribution of GETS cards within the financial
infrastructure in the country, certainly in New York, so people
have the ability to communicate if any telecommunications are
available they get priority. The city has implemented a
corporate emergency access system where we have cards that will
give us access to no-go zones, for example, as I'm sure you
know. Post September 11th, south of Canal Street people were
not allowed to come for the first few days. This program would
allow us to get people into our facilities and get things
working, even though it might be in an area ruled not open to
the public. So there are a number of steps the city has taken
to improve communication and coordination that way.
Mr. Randich. That privileged physical access is a huge
improvement since September 11th.
Mr. Platts. Is it fair to say with the physical access or
the seat at the table with OEM, that this is since September
11th, this is lessons learned and then since the blackout to
keep kind of honing each incident and get a little better?
Mr. Gaer. Yes.
Mr. Donahue. Absolutely.
Ms. Allen. Those are lessons that have gone to the original
coalition, ChicagoFIRST and other models as well.
Mr. Platts. Your work with the creation of ChicagoFIRST
really was a lot of that was derived from New York, we were
talking earlier----
Ms. Allen. Right, the lessons learned from September 11th
and we spent time with the OEM of New York because New York was
actually ahead of all other regions and we used their model and
shared back with them what we had developed on the regional
model.
Mr. Platts. Thank you.
Mr. Donahue, in your testimony you talked about
participating in the TopOff 3 drill. I'm sorry, Mr. Gaer,
sorry. And you referenced that and all the different
participants. What I was curious, your read on how successful
the exercise was from the standpoint of, again, lessons learned
and what would work or not, and how you responded to the
exercise in implementing the lessons learned.
Mr. Gaer. I think you can only judge how successful an
exercise is by its objectives and I think for these particular
tests the objectives being that you had so many participants
from diverse areas, you couldn't really go through every
permutation of everything, so to speak, that's going to happen.
We actually judged it from our point of view to be very
encouraging, to have been very successful. Where we are right
now is honing in on our industry-wide disaster recovery test,
although it's not going to include the telecom sector per se or
the power sector per se. We're really working in our industry
to get it right in our industry first and our first test last
year was a very kind of bland, basic test which was very
successful and it actually exceeded people's expectations and
there was a lot of discussion prior where you get everybody on
board as to when you can do it and what are we going to do and
what are we going to run through and it turned out that people
were more prepared than we thought they were going to be.
For the TopOff, the interaction between ourselves and the
various other industries and agencies I thought went very well.
Certainly in every exercise there are areas where you need
improvement and again I would probably highlight, as other
members of the panel have, the improvements between the telecom
sector and financial services sector would probably be
something we should concentrate on.
Mr. Platts. A followup to that, Mr. Donahue, was the coming
exercise October 15th that you reference in your testimony.
Could you walk me through what's going to happen there and what
involvement, because you reference sponsors and the various
institutions that are going to participate, the involvement of
any Federal agencies that will be participating or just kind of
watching, taking in that exercise?
Mr. Donahue. I think, first of all, what will happen on the
15th is 200-plus firms are going to, there are essentially two
tests occurring that day concurrently, the Futures Industry
Association is doing its second iteration of its industry-wide
test. The securities industry and Bond Market Association are
coordinating a test for their members on the cash side, which
is the first time that piece of the securities industry has
conducted such a test and essentially, what will happen is that
each of the participants in the test will go to their backup
data center locations and their back up business process center
locations and seek to establish connectivity with key industry
infrastructures, DTCC being one, the New York Stock Exchange
being another. Steve, I don't know if NASDAQ is participating,
but NASDAQ would be another infrastructure that they are, I'm
assuming you are, and that would be another infrastructure that
they connect to. Establish connectivity and run a few
transactions through.
We're not going to try to simulate a day's activity or
anything like that, but run transactions through so make sure
you can get transactions to the trading facility, for example,
and then you can get feedback from the trading facility
acknowledging receipt of the order, acknowledging execution of
the order, whatever it may be, so you can function on your
backup if you need to in the light of an emergency take place.
Mr. Platts. Is FCC or Treasury going to be in any way
participating or watching how it goes?
Mr. Donahue. They will be getting a report on the test
results after the fact. At this point it is essentially, this
is the model the industry followed in preparation for Y2K. We
conducted tests that we had organized and we implemented. We
were reporting to our regulatory agencies, to Treasury as well
in this instance, how it proceeded, because it's clearly
of interest to them, but it's not something they would have
direct involvement in on the actual day of the event.
Mr. Platts. I think another good example of the private
sector not waiting for government to say, hey, do this, but
responding appropriately to being well prepared.
Mr. Randich, in your testimony you went through in detail
some of your security preparations from buffer zones around the
data center, fingerprinting policy for employees and
contractors. A pretty extensive range of security measures.
What would be your assessment on how common that is in the
financial sector, whether it be specifically here in New York
or a broader sense nationally.
Mr. Randich. Significantly more so than it was in September
11th, just being in the business and having to go visit our
customers and peers. It's like going through the airport
several times a day, so that's very good news.
The one area I think is important to note kind of where
it's limited and where it would be important to improve, one of
the advantages we have is that our two data centers are located
in corporate parks, remote areas in one case, even beyond the
suburbs. That basically allows us to, where the single owner
tenant of the facility gives us 100 percent control over the
security and the infrastructure and sometimes I feel that
organizations that have their critical assets in a multi-tenant
high-rise in the metro area don't have the level of control
that they might need.
Mr. Platts. Again, in any urban setting your ability to
have that, proximity of other buildings, even if it's your own
building is a lot more challenging in an urban setting.
Mr. Randich. Very much.
Mr. Platts. Would any of you like to comment on that issue
of the breadth or depth of security in the private sector?
Mr. Gaer. I actually could and I'd like to put a little bit
of a twist on it in that yes, security, at least from the
Exchange level, we have as members virtually every investment
bank, large trading house, etc., they're members of ours and
we're kind of this hub, or a utility for liquidity and price
formation, so we need to take extra steps to be as secure with
our--in our physical as well as our virtual presence. But what
I'm seeing, what I've seen personally from being in Europe and
being in London in particular, London has definitely tightened
up security post what they call 7/7, but I will tell you that
the security that you find, especially here in the New York
metro area is light years ahead of what is happening outside
the United States and that's important to us for reasons of
cyber security, which I believe is probably going to be one of
the next great frontiers that we are all going to have to
tackle as an industry in our DR testing.
Mr. Platts. I think that interdependence with cyber
security, because you can harden a facility, but you could be
on the other side of the world and depending on the cyber
security protections out there, they can still do great harm,
and that's come to light in some of the recent reports on China
and some of their--at least what appears to be concerted
Government efforts on an incredible scale to break into
sensitive data bases in the United States, not just government
offices. So that challenge is one that is global and what
happens elsewhere is going to impact us.
Is there an interaction with those European markets and
what we are doing here in New York? We talked a lot about
sharing of best practices here, how much of that is occurring
internationally?
Mr. Gaer. I can only speak from our industry and I would
have to say very little as far as an international effort, I
would say very little.
Mr. Donahue. Depends on the level that you're talking
about. At the infrastructure level, it's quite a bit. SWIFT is
the international payments messaging network, our counterparts
in Europe, Euroclear and Clearstream are the two securities
depositories over there. There are very definitely interactions
in those core organizations and what's the best practices we
participate in SWIFT committee, we meet with Euroclear and
exchange business continuity standards very regularly.
Once you go beyond the infrastructure, I would agree
completely that different firms are not necessarily
coordinating the way that we're seeing here in the States.
Ms. Allen. We have some BITS members at the Canadian
Bankers Association and APACS, which is the payment system in
the UK. We've shared best practices with the Japanese, with the
Australians, with the OECD countries, but it's nothing formal.
Mr. Randich. We've hosted walk-throughs of our data center
many, many times. We're continually doing it, and it's
interesting, not much European interest, but we've had the
South Americans, the Asians and even the Middle Eastern and
Indian markets come take a look.
Mr. Platts. The hope certainly is that as we are in a
global economy, that is everywhere and that the lessons being
learned here and especially as I've heard loud and clear, the
efforts in the Greater New York area really setting a great
high standard, high bar for the rest of the country and the
world, and the lessons learned now being in Chicago and looking
to regionalize elsewhere around the country and ultimately
around the world is going to be so important.
Mr. Towns apparently wanted, and he had to leave for
another engagement and apologizes that he couldn't stay through
your whole participation, but on technology, as technology
continues to advance every day, the ability to insure the
security of those technological advances, and do you think our
technology sector is doing enough to provide security day one
when these new products are hitting the market, software and
hardware as well, or do we need to take a closer look at what
they're putting on the market from a security standpoint?
Ms. Allen. I would say there's improvement, and certainly
we are working very closely with the largest provider of
operating systems and software. We have a set of business
requirements and a work plan with them to meet some of the
business requirements we have, but it's a longer term process,
because you have to change the culture of the United States,
actually all of the software industry, in how it's developed,
which has been to get it out there fast and let us be the Beta
tests for them.
Today we've got to look at those same providers of
technology, whether it's the software, the infrastructure, the
systems, to really test code much more rigorously, to develop
code much more rigorously, to do the testing and to have the
safeguards before they bring a product to market. That's that
``higher duty of care''--in particular, if it's a provider
where they have a dominant share of the market for the
infrastructure industries. So I think there does need to be
more attention from not only the private sector, but also the
government on this area and I think your question is correct.
We have to look at this globally, because these players are
global players, they're global players and it's going to be--
Microsoft tells us that the time between a vulnerability and
exploitation of that vulnerability is getting down to seconds
now. There's no way you can physically patch all the problems
there so it means you've got to change the way you look at
technology.
Mr. Randich. I think they're coming along slowly. It used
to be a product would differentiate itself from the market with
function, price, ease of use. Security has clearly been
elevated as a measure of decisionmaking factor in the choice.
But by no means should any of us believe you could buy security
off the shelf. At the end of the day we have to take
responsibility for it by choosing the best, most progressive
solution members and tying the loose ends ourselves.
Mr. Platts. Again, kind of where we started with questions
in that American way of partners between public private sector
and individual responsibility and in the end doing what you
can.
I want to thank each of you and I wanted to give each of
you, if there's anything you think you didn't get to highlight
or want to touch on to reaffirm, to give you the opportunity
before we close.
Ms. Allen. I want to thank you for holding this hearing. We
feel the more that Members of Congress understand the issues
from the private sector perspective, the better it is. We would
be happy to educate others in any way we can.
Mr. Platts. We've been happy to have the hearings and have
your participation as well as the other panelists earlier and
it is a great educational process for Mr. Towns, myself and our
committee staff and then having that as a resource beyond just
our committee, to do a full committee with the other Members.
We're on the same team. We are all part of a functioning
economy in coordination, and the financial sector in New York
especially, and ultimately receive quality for it.
Please, each of you, don't hesitate to call on us for
things you want to share as we move forward in a month or year
or whatever that you think we should be aware of. We're always
glad to have that feedback so we can partner well with the
private sector in what we're doing in Washington.
We will keep the hearing record open for 2 weeks if there's
anything from this panel or previous panels to submit for the
record.
Again, we thank each of you and wish you and your
organization and members great success in your efforts, and
this hearing stands adjourned.
[Whereupon, at 1:19 p.m., the subcommittee was adjourned.]