After the Bomb: Preparing For Worst Not Easy Task

September 21, 2009
Chris Kentouris

The bomb that exploded outside the Hellenic Exchanges on Sept 2 did not kill anyone or interrupt trading and processing of Greek shares.

But it quickly made other exchanges reluctant to discuss their security procedures. Bolsa de Mercados y Valores, Spain's stock exchange, for instance, cancelled a planned interview with Securities Industry News at the last minute "due to the potential implications the topic may have for its security." The London Stock Exchange said it was "fully prepared," but declined to elaborate.

Some of the world's largest exchanges and post-trade processing centers appear to favor the recommendations of a 2003 report by the Federal Reserve, Securities and Exchange Commission and Office of the Comptroller of the Currency in the United States. That report called for "critical market infrastructures" to be separated by distance. Operations staff should be separated altogether from the data centers, which keep electronic records of shares traded.

In Athens, the primary and secondary data centers as well as the operations of Helex were all in the same building, which could have led to disastrous results had the bomb really done any damage. The goal of the U.S. guidelines, issued in the wake of 9/11, was to ensure that staffers could get to their back-up offices quickly and the data centers did not rely on the same power grid.

Spyros Capralos, chief executive of the Hellenic Exchanges, declined requests for an interview.

Bank of New York Mellon, one of the largest U.S. clearinghouses for U.S. government bonds, now operates a primary global data center and "multiple" data recovery centers scattered across the U.S. The minimum distance between any primary and secondary data recovery center is 600 miles and the maximum is 900 miles.

"It all comes down to crisis management," explains Susan Vismor, senior vice president and director of business continuity planning for BNY Mellon, also the world's largest custodian bank. "The first reaction is to protect staffers and the second one is to resume operations as quickly as possible."

Broadridge Financial Solutions, which provides middle- and back-office services on a hosted basis for about 30 U.S. brokerages, houses its critical applications in a few data centers in North America and replicates data to geographically diverse recovery centers. Operations, technology and support staffers are also located in several separate facilities.

Guidelines issued in 2006 and 2007 by the British Standards Institute, now winning favor among U.S. financial institutions, go into great detail on how business continuity managers should prepare for any type of disaster, but they also do not provide any requirements for the locations of primary and secondary data centers.

"The BSI's recommendations are far more detailed than the 2003 U.S. report in providing a step-by-step analysis of the entire thought process for a disaster recovery plan, including documentation, testing and analysis of testing results," says Ron Miller, managing consultant for SunGard Professional Services, a unit of SunGard Availability Services in London, which provides back-up disaster recovery hot sites.

Euroclear SA, the world's largest family of depositories, says it follows U.S. and BSI guidelines as well as the requirements of local European governments and the International Organization of Securities Commissions. "Our goal is to deal with the consequences of an incident quickly rather than focus on the cause of the problem," says Richard McConnell, chief security officer for Euroclear SA, headquartered in Brussels.