Potential Terrorist Attacks: More Actions Needed to Better Prepare Critical Financial Markets (02/12/2003, GAO-03-468T)
This is the accessible text file for GAO report number GAO-03-468T
entitled 'Potential Terrorist Attacks: More Actions Needed to Better
Prepare Critical Financial Markets' which was released on February 12,
2003.
Testimony:
Before the House Committee on Financial Services, Subcommittee on
Capital Markets, Insurance, and Government Sponsored Enterprises:
United States General Accounting Office:
GAO:
For Release on Delivery Expected at 3:00 p.m., EDT on Wednesday, February 12, 2003:
POTENTIAL TERRORIST ATTACKS:
More Actions Needed to Better Prepare Critical Financial Markets:
GAO Highlights:
Highlights of GAO-03-468T, a testimony before the Subcommittee on
Capital Markets, Insurance, and Government Sponsored Enterprises,
Financial Services Committee, House of Representatives.
Why GAO Did This Study:
The September 11, 2001, terrorist attacks exposed the vulnerability of
U.S. financial markets to wide-scale disasters. Because the markets are
vital to the nation's economy, GAO's testimony discusses (1) how the
financial markets were directly affected by the attacks and how market
participants and infrastructure providers worked to restore trading;
(2) the steps taken by 15 important financial market organizations to
address physical security, electronic security, and business continuity
planning since the attacks; and (3) the steps the financial regulators
have taken to ensure that the markets are better prepared for future
disasters.
What GAO Found:
The September 11, 2001, terrorist attacks severely disrupted U.S.
financial markets as the result of the loss of life, damage to
buildings, loss of telecommunications and power, and restrictions on
access to the affected area. However, financial market participants were
able to recover relatively quickly from the terrorist attacks because of
market participants' and infrastructure providers' heroic efforts and
because the securities exchanges and clearing organizations largely
escaped direct damage. The attacks revealed limitations in the business
continuity capabilities of some key financial market participants that
would need to be addressed to improve the ability of U.S. markets to
withstand such events in the future. GAO's review of 15 stock exchanges,
clearing organizations, electronic communication networks, and payments
system providers between February and June 2002 showed that all were
taking steps to implement physical and electronic security measures and
had developed business continuity plans. However, organizations still
had limitations in one or more of these areas that increased the risk
that their operations could be disrupted by future disasters. Although
the financial regulators have begun efforts to improve the resiliency
of clearance and settlement functions within the financial markets,
they have not fully developed goals, strategies, or sound practices to
improve the resiliency of trading activities. In addition, the
Securities and Exchange Commission's (SEC) technology and operations
risk oversight, which is increasingly important, has been hampered by
program, staff, and resource issues. GAO's report made recommendations
designed to better prepare the markets to deal with future disasters
and to enhance SEC's technology and operations risk oversight
capabilities.
What GAO Recommends:
GAO's report recommends that the SEC Chairman work with industry to
* develop goals and strategies to resume trading in securities markets;
* determine sound business continuity practices needed to meet these
goals;
* identify organizations critical to market operations and ensure they
implement sound business continuity practices; and
* test strategies to resume trading.
In addition, the report contains recommendations to improve SEC's
oversight of information technology issues.
For more information, contact Davi M. D'Agostino (202) 512-8678 or
dagostinod@gao.gov.
Statement of Davi M. D'Agostino
Director, Financial Markets and
Community Investment:
GAO-03-468T:
Mr. Chairman and Members of the Subcommittee:
I appreciate the opportunity to appear before you today to discuss
GAO's work on how key financial market participants and the financial
regulators are working to improve the resiliency of their operations
and the financial markets in the event of future terrorist attacks.
Today, I will present the findings from our report Potential Terrorist
Attacks: Additional Actions Needed to Better Prepare Critical Financial
Market Participants, GAO-03-414 (Washington, D.C.: Feb. 12, 2003).
Specifically, I will discuss (1) how the September 11, 2001, terrorist
attacks affected the financial markets and the actions market
participants and infrastructure providers took to restore trading; (2)
the steps taken by 15 stock exchanges, electronic communication
networks (ECN), clearing organizations, and payment systems providers
to address physical and electronic security and business continuity
planning since the attacks; and (3) the steps financial regulators have
taken to ensure that the markets are better prepared for future
disasters.
In summary:
The September 11, 2001, terrorist attacks severely disrupted the U.S.
financial markets because of the loss of life, damage to buildings,
loss of telecommunications and power, and restrictions that were placed
on access to the affected area. However, financial market participants
were able to recover relatively quickly from the terrorist attacks, as
a result of market participants' and infrastructure providers' heroic
efforts and because the securities exchanges and clearing organizations
largely escaped direct damage. If certain organizations had sustained
serious damage, the markets would probably not have been able to reopen
by September 17, 2001. Market participants and regulators have
acknowledged that the attacks revealed limitations in their business
continuity capabilities and that these limitations would need to be
addressed to improve their ability to recover if such events occurred
in the future. Our review of 15 stock exchanges, ECNs, clearing
organizations, and payments system providers between February and June
2002 showed that all were taking steps to implement physical and
electronic security measures and had developed business continuity
plans. However, organizations still had limitations in one or more
areas that increased the risk of disruptions to their operations if
such disasters occurred in the future. Although the financial
regulators have begun efforts to improve the resiliency of clearance
and settlement functions within the financial markets, they have not
fully developed goals, strategies, or sound practices to similarly
improve the resiliency of trading functions. In addition, the
effectiveness of the Securities and Exchange Commission's (SEC)
technology and operations risk oversight efforts--which clearly have
increased in importance--has been limited by program, staff, and
resource limitations. Some of these issues were also highlighted in a
January 2003 report issued by the SEC Inspector General. Our report
made recommendations designed to better prepare the markets to deal
with future disasters and to enhance SEC's technology and operations
risk oversight capabilities. SEC agreed with the thrust of our
recommendations.
Market Participants and Infrastructure Providers Employed Innovative
Solutions to Restore Trading:
The September 11, 2001, terrorist attacks had a devastating effect on
the U.S. financial markets with significant loss of life, extensive
physical damage, and considerable disruption to the financial district
in New York. Damage from the collapse of the World Trade Center
buildings caused dust and debris to blanket a wide area of lower
Manhattan, led to severe access restrictions to portions of lower
Manhattan for days, and destroyed substantial portions of the
telecommunications and power infrastructure that served the area.
Telecommunications service in lower Manhattan was lost for many
customers when debris from the collapse of one of the World Trade Center
buildings struck a major Verizon central switching office that served
approximately 34,000 businesses and residences. The human impact was
especially devastating because about 70 percent of the civilians killed
in the attacks worked in the financial services industry, and physical
access to the area was severely curtailed through September 13, 2001.
Although most stock exchanges and clearing organizations escaped direct
damage, the facilities and personnel of several key broker-dealers and
other market participants were destroyed or displaced. Market
participants and regulators acknowledged that the reopening of the
stock and options markets could have been further delayed if any of the
exchanges or clearing organizations had sustained serious damage.
The stock and options exchanges remained closed as firms that were
displaced by the attacks attempted to reconstruct their operations and
reestablish telecommunications with their key customers and other
market participants. In the face of enormous obstacles, market
participants, infrastructure providers, and the regulators made heroic
efforts to restore operations in the markets. Broker-dealers that had
their operations disrupted or displaced either relocated their
operations to backup facilities or other alternative facilities. These
facilities had to be outfitted to accommodate normal trading operations
and to have sufficient telecommunications to connect with key
customers, clearing and settlement organizations, and the exchanges and
market centers. Some firms did not have existing backup facilities for
their trading operations and had to create these facilities in the days
following the crisis. For example, one broker-dealer leased a Manhattan
hotel to reconstruct its operations. Firms were not only challenged
with reconstructing connections to their key counterparties but, in
some cases, they also had the additional challenge of connecting with
the backup sites of counterparties that were also displaced by the
attacks. The infrastructure providers also engaged in extraordinary
efforts to restore operations. For example, telecommunications
providers ran cables above ground rather than underground to speed up
the restoration of service.
By Friday, September 14, 2001, exchange officials had concluded that
only 60 percent of normal market trading liquidity had been restored
and that it would not be prudent to trade in such an environment. In
addition, because so many telecommunications circuits had been
reestablished, market participants believed that it would be beneficial
to test these telecommunications circuits prior to reopening the
markets. Officials were concerned that without such testing, the
markets could have experienced operational problems and possibly have
to close again, which would have further shaken investor confidence.
The stock and options markets reopened successfully on Monday,
September 17, 2001, and achieved record trading volumes. Although the
government securities markets reopened within 2 days, activity within
those markets was severely curtailed, as there were serious clearance
and settlement difficulties resulting from disruptions at some of the
key participants and at one of the two banks that clear and settle
government securities. Some banks had important operations in the
vicinity of the attacks, but the impact of the attacks on the banking
and payment systems was much less severe.
Regulators also played a key role in restoring market operations. For
example, the Federal Reserve provided over $323 billion in funding to
banks between September 11 and September 14, 2001, to prevent
organizations from defaulting on their obligations and creating a
widespread solvency crisis. SEC also granted regulatory relief to
market participants by extending reporting deadlines and relaxed the
rules that restrict corporations from repurchasing their shares. The
Department of the Treasury also helped to address settlement
difficulties in the government securities markets by conducting a
special issuance of 10-year Treasury notes.
Attacks Revealed Limitations in Market Participants' Preparedness for
Wide-scale Disasters, and Some Limitations Remain:
Although financial market participants, regulators, and infrastructure
providers made heroic efforts to restore the functioning of the markets
as quickly as they did, the attacks and our review of 15 key financial
market organizations--including 7 critical ones--revealed that
financial market participants needed to improve their business
continuity planning capabilities and take other actions to better
prepare themselves for potential disasters. At the time of the attacks,
some market participants lacked backup facilities for key aspects of
their operations such as trading, while others had backup facilities
that were too close to their primary facilities and were thus either
inaccessible or also affected by the infrastructure problems in the
lower Manhattan area. Some organizations had backup sites that were too
small or lacked critical equipment and software. In the midst of the
crisis, some organizations also discovered that the arrangements they
had made for backup telecommunications service were inadequate. In some
cases, firms found that telecommunication lines that they had acquired
from different providers had been routed through the same paths or
switches and were similarly disabled by the attacks.
The 15 stock exchanges, ECNs, clearing organizations, and payment
systems we reviewed had implemented various physical and information
security measures and business continuity capabilities both before and
since the attacks. At the time of our work--February to June 2002--
these organizations had taken such steps as installing physical
barriers around their facilities to mitigate effects of physical
attacks from vehicle-borne explosives and using passwords and firewalls
to restrict access to their networks and prevent disruptions from
electronic attacks. In addition, all 15 of the organizations had
developed business continuity plans that had procedures for restoring
operations following a disaster; and some organizations had established
backup facilities that were located hundreds of miles from their
primary operations.
Although these organizations have taken steps to reduce the likelihood
that their operations would be disrupted by physical or electronic
attacks and had also developed plans to recover from such events, we
found that some organizations continued to have some limitations that
would increase the risk of their operations being impaired by future
disasters. This issue is particularly challenging for both market
participants and regulators, because addressing security concerns and
business continuity capabilities requires organizations to assess their
overall risk profile and make business decisions based on the trade-offs
they are willing to make in conducting their operations. For
example, one organization may prefer to invest in excellent physical
security, while another may choose to invest less in physical
security and more in developing resilient business continuity plans and
capabilities.
Our review indicated that most of the 15 organizations faced greater
risk of operational disruptions because their business continuity plans
did not adequately address how they would recover if large portions of
their critical staff were incapacitated. Most of the 15 organizations
were also at a greater risk of operations disruption from wide-scale
disasters, either because they lacked backup facilities or because
these facilities were located within a few miles of their primary
sites. Few of the organizations had tested their physical security
measures, and only about half were testing their information security
measures and business continuity plans.
Regulators Have Addressed Operations Risks but Have Not Developed
Complete Strategies and Practices to Better Assure Recovery of Trading:
Securities and banking regulators have made efforts to examine
operations risk measures in place at the financial market participants
they oversee. SEC has conducted reviews of exchanges, clearing
organizations, and ECNs that have generally addressed aspects of these
organizations' physical and information security and business
continuity capabilities. However, reviews by SEC and the exchanges at
broker-dealers generally did not address these areas, although SEC
staff said that such risks would be the subject of future
reviews.[Footnote 1] Banking regulators also reported that they review
such issues in the examinations they conduct at banks.
Regulators also have begun efforts to improve the resiliency of
clearing and settlement functions for the financial markets. In August
2002, the Federal Reserve, Office of the Comptroller of the Currency,
and SEC jointly issued a paper entitled the Draft Interagency White
Paper on Sound Practices to Strengthen the Resilience of the U.S.
Financial System.[Footnote 2] This paper sought industry comment on
sound business practices to better ensure that clearance and settlement
organizations would be able to resume operations promptly after a
wide-scale regional disaster.[Footnote 3] The regulators indicated that the
sound practices would apply to a limited number of organizations that
perform important clearing functions, as well as to between 15 and 20
banks and broker-dealers that also perform clearing functions with
sizeable market volumes.
The regulators that developed the white paper appropriately focused on
clearing functions to help ensure that settlement failures do not lead
to a broader financial crisis. However, the paper did not similarly
address restoring critical trading activities in the various financial
markets. The regulators that developed the paper believed that clearing
functions were mostly concentrated in single entities for most markets
or in a very few entities for others and thus posed a greater potential
for disruption. In theory, multiple stock exchanges and other
organizations that conduct trading activities could substitute for each
other in the event of a crisis.
Nevertheless, trading on the markets for corporate securities,
government securities, and money market instruments is also vitally
important to the economy; and the United States deserves similar
assurance that trading activities also would be able to resume when
appropriate--smoothly and without excessive delay. The U.S. economy has
demonstrated that it can withstand short periods during which markets
are not trading. After some events occur, having markets closed for
some limited time could be appropriate to allow emergency and medical
relief activities, permit operations to recover, and reduce market
overreaction. However, long delays in reopening the markets could be
harmful to the economy. Without trading, investors lack the ability to
accurately value their securities and cannot adjust their holdings.
The September 11 attacks demonstrated that the ability of markets to
recover could depend on the extent to which market participants have
made sound investments in business continuity capabilities. Without
clearly identifying strategies for recovery, determining the sound
practices needed to implement these strategies, and identifying the
organizations that could conduct trading under these strategies, the
risk that markets may not be able to resume trading in a fair and
orderly fashion and without excessive delays is increased. Goals and
strategies for resuming trading activities could be based on likely
disaster scenarios and could identify the organizations that are able
to conduct trading in the event that other organizations could not
recover within a reasonable time. Goals and strategies, along with
guidance on business continuity planning practices, and more effective
oversight would (1) provide market participants with the information
they need to make better decisions about improving their operations,
(2) help regulators develop sound criteria for oversight, and (3)
assure investors that trading on U.S. markets could resume smoothly and
in a timely manner.
SEC has begun developing a strategy for resuming stock trading for some
exchanges, but the plan is not yet complete. For example, SEC has asked
the New York Stock Exchange (NYSE) and NASDAQ to take steps to ensure
that their information systems can conduct transactions in the
securities that the other organizations normally trade. However, under
this strategy NYSE does not plan to trade all NASDAQ securities, and
neither exchange has fully tested its own or its members' abilities to
trade the other exchanges' securities.
SEC's Automation Review Policy Program Could Be Strengthened:
Given the increased threats demonstrated by the September 11 attacks
and the need to assure that key financial market organizations are
following sound practices, securities and banking regulators' oversight
programs are important mechanisms to assure that U.S. financial markets
are resilient. SEC oversees the key clearing organizations and
exchanges through its Automation Review Policy (ARP) program. The ARP
program--which also may be used to oversee adherence to the white
paper's sound practices--currently faces several limitations. SEC did
not implement this ARP program by rule but instead expected exchanges
and clearing organizations to comply with various information
technology and operations practices voluntarily. However, under a
voluntary program, SEC lacks leverage to assure that market
participants implement important recommended improvements. While the
program has prompted numerous improvements in market participants'
operations, we have previously reported that some organizations did not
establish backup facilities or improve their systems' capacity when the
SEC ARP staff had identified these weaknesses. Moreover, ARP staff
continue to find significant operational weaknesses at the
organizations they oversee.
An ARP program that draws its authority from an issued rule could
provide SEC additional assurance that exchanges and clearing
organizations adhere to important ARP recommendations and any new
guidance developed jointly with other regulators. To preserve the
flexibility that SEC staff considers a strength of the current ARP
program, the rule would not have to mandate specific actions but could
instead require that the exchanges and clearing organizations engage in
activities consistent with the ARP policy statements. This would
provide SEC staff with the ability to adjust their expectations for the
organizations subject to ARP, as technology and industry best practices
evolve, and provide clear regulatory authority to require actions as
necessary. SEC already requires ECNs to comply with ARP guidance; and
extending the rule to the exchanges and clearing organizations would
place them on similar legal footing. In an SEC report issued in January
2003, the Inspector General noted our concern over the voluntary nature
of the program.[Footnote 4]
Limited resources and challenges in retaining experienced ARP staff
also have affected SEC's ability to more effectively oversee an
increasing number of organizations and more technically complex market
operations. ARP staff must oversee various industrywide initiatives,
such as Year 2000 or decimals pricing, and the program has also expanded to cover
32 organizations with more complex technology and communications
networks. However, SEC has problems retaining qualified staff, and
market participants have raised concerns about the experience and
expertise of ARP staff. The SEC Inspector General also found that ARP
staff could benefit from increased training on the operations and
systems of the entities overseen by the ARP program. At current staff
levels, SEC staff report being able to conduct examinations of only
about 7 of the 32 organizations subject to the ARP program each
year.[Footnote 5] In addition, the intervals between examinations were
sometimes long. For example, the intervals between the most recent
examinations for seven critical organizations averaged 39
months.[Footnote 6]
Having additional staff, including those with technology backgrounds,
could better ensure the effectiveness of the ARP program's oversight.
SEC could conduct more frequent examinations, as envisioned by federal
information technology standards, and more effectively review complex,
large-scale technologies at the exchanges, ECNs, and clearing
organizations. If the ARP program must also begin reviewing the extent
to which broker-dealers important to clearing and trading in U.S.
securities markets are adhering to sound business continuity practices,
additional experienced staff and resources would likely be necessary to
prevent further erosion in the ability of SEC to oversee all the
important organizations under its authority. The increased
appropriations authorized in the Sarbanes-Oxley Act, if received, would
present SEC a clear opportunity to enhance its technology oversight,
including the ARP program, without affecting other important
initiatives.
Conclusions:
Our work at the 15 organizations we reviewed showed that all of these
organizations were taking steps to address physical and electronic
security at their facilities and information systems and had business
continuity plans to address potential disruptions in their operations,
although the extent to which these organizations addressed these issues
varied. We recognize that, in addressing these issues, organizations
may have to make trade-offs based on their overall risk profile and
other business factors.
However, we recommend in our report that SEC take a leadership role and
work with market participants to develop goals and strategies to ensure
that U.S. markets will be able to resume trading activities after
future disasters smoothly and in a timely manner as
appropriate.[Footnote 7] Comprehensive and viable resumption
strategies would also require SEC and market participants to identify
sound business practices for the organizations that might be called
upon to conduct trading after a disaster if others were unavailable.
Our report also recommends that these strategies be tested. In
addition, SEC has an important oversight role in ensuring that market
participants implement sound practices, and the improvements to the ARP
program that our report recommends should also help ensure that SEC's
oversight is as effective as possible.
Mr. Chairman, this completes my prepared statement. I would be happy to
respond to any questions you or other members of the Subcommittee may
have at this time.
FOOTNOTES
[1] In addition to SEC's oversight, stock and options exchanges act as
self-regulatory organizations that oversee their members' activities.
[2] Board of Governors of the Federal Reserve, Office of the
Comptroller of the Currency, Treasury, SEC, Draft Interagency White
Paper on Sound Practices to Strengthen the Resilience of the U.S.
Financial System (Washington, D.C.: Aug. 30, 2002). The New York State
Banking Department issued the same paper separately.
[3] A wide-scale disruption is defined as one that causes severe
disruptions of transportation, telecommunications, power, or other
critical infrastructure components in a metropolitan or other
geographic area and in adjacent communities economically integrated
with the area.
[4] SEC Office of Inspector General, Market Contingency Preparedness,
Report No. 359 (Washington, D.C.: Jan. 27, 2003).
[5] In addition to examinations, the SEC ARP staff also monitor the
organizations subject to ARP by conducting a risk analysis of each
organization each year, reviewing internal and external audits
performed of these organizations' systems, and receiving notices of
systems changes and systems outages from these organizations.
[6] Standards for federal organizations' information systems require
security reviews to be performed at least once every 3 years and
recommend that reviews of high-risk systems or those undergoing
significant systems modifications be done more frequently. See Office
of Management and Budget, Appendix III to OMB Circular A-130: Security
of Federal Automated Information Resources.
[7] Potential Terrorist Attacks: Additional Actions Needed to Better
Prepare Critical Financial Market Participants, GAO-03-414
(Washington, D.C.: Feb. 12, 2003).