U.S. regulators issue disaster recovery guidelines

Computerworld - Three U.S. regulatory agencies have released disaster recovery guidelines for financial institutions notable for their lack of any recommended minimum distance between primary and secondary data centers and their recognition that achieving many of the goals could take years.
The Federal Reserve, the Office of the Comptroller of the Currency and the Securities and Exchange Commission on April 8 issued a white paper describing objectives for disaster recovery and business continuity plans that should be set in place.
The agencies stated that they expect organizations that fall within the scope of the white paper to "adopt the sound practices within the specified implementation time frames."
The regulators focused mostly on what they described as "core clearing and settlement organizations," or the largest brokerages, custodian banks and clearing firms, saying they should substantially achieve disaster recovery and sound business continuity practices by the end of 2004.
In the event of a wide-scale disaster, the nation's financial system "rests on the rapid recovery and resumption of the clearing and settlement activities that support critical markets," the agencies said.
The guidelines include the recommendation of recovering operations "within the business day on which a disruption occurs, with the overall goal of achieving recovery and resumption within two hours after an event."
"The paper's business continuity objectives, sound practices and timetables will clearly improve the resilience of the U.S. financial markets," Donald Kittell, executive vice president of the Securities Industry Association, stated in a press release.
The document also said that the focus of financial firms should be on "appropriate back-up capacity necessary for recovery and resumption of clearing and settlement activities for material open transactions in the wholesale financial markets."
The agencies' business continuity objectives include rapid recovery and timely resumption of critical operations following wide-scale disruptions or loss of staff in "at least one major operating location," and a high level of confidence through ongoing testing that plans are "effective and compatible."
In August, an interagency white paper that was released on strengthening the resilience of the U.S. financial system was soundly criticized by banks and brokerages for its suggestion that there be a minimum distance of 200 to 300 miles between a primary and backup data center (see story).
Many firms considered it technically unfeasible. For example, Fibre Channel, the most common network protocol used between data centers, has a distance limit of about 62 miles, or 100 kilometers.
"We were pleased, because they took into account the dialogue agencies had with the industry after the first white paper came out[in August]. That's the key point. We're all working together," said Margaret Draper, a spokeswoman for the Securities Industry Association in New York.
Draper said the white paper could eventually become the basis for industry-specific rules that would be administered by self-regulatory organizations, such as the National Association of Securities Dealers Inc. and the New York Stock Exchange.
Regulators said firms should also maintain sufficient geographically dispersed resources to meet recovery and resumption objectives.
But the agencies stated that they aren't recommending that firms move their primary offices or data centers outside of metropolitan locations, because they understand that financial firms need to maintain processing sites near the financial markets.