The Importance of a Business Continuity Plan – A Lesson from Hurricane Sandy
By Matthew Hilsenrad, Director of Disaster Recovery, Abacus Group LLC
It’s becoming a faded memory, but only seven years ago the financial capital of the world – New York City – was nearly brought to its knees by Mother Nature. Hurricane Sandy flooded the NYC subways and tunnels, blacking out most of Lower Manhattan. The New York Stock Exchange and Nasdaqdata were closed for two days. The storm cost New York State a staggering $32 billion, New York City $19 billion and the U.S. economy an estimated $65 billion.
In the storm’s aftermath, the financial services industry scrambled to recover. Many firms and institutions came to the quick realization that they had not been prepared for the business disruptions. Many began to plan for the next potential crisis.
Today, with so much at risk, every financial firm should have a working Business Continuity Plan (BCP) in place. Surprisingly, many still do not. And, while some firms have plans, they rely too much on each department to produce its own strategy, neglecting to take into account the needs of the entire firm.
One of the most important lessons learned from Sandy is the importance of geographic data diversity. In the ensuing years, some firms have opened new cloud data centers, always considering proximity to a secondary site so that clients are prepared for any regional disaster scenario. Each data center should be located on different power grids and with alternate connectivity providers (not to mention outside of known flood zones).
Sandy also taught many of us the value of proactively moving essential client services to a secondary site ahead of a predicted major event. Firms with this type of disaster recovery strategy were able to work through the storm, for the most part uninterrupted. After the storm, some firms did a thorough assessment of their BCPs, which led to further action to protect clients from future events. For instance, one firm had a secondary site near Philadelphia, which for some clients was less than 100 miles from the firm’s primary site. Following Sandy, the firm moved all of its client data from its onsite offices to more dispersed data centers. Within a year, the firm started planning out a migration project which moved the secondary site to a location 1,500 miles from the primary data center.
In rewriting a BCP, it is helpful to memorialize a set of best practices. Before you compose your BCP, be mindful of any regulatory requirements (SEC, CFTC, FINRA, GDPR or the California Privacy Act). Be prepared to share your BCP with investors, prime brokers or other financial entities – if you don’t have a BCP, they may demand one or take their business elsewhere.
Additionally:
No one can predict the future with certainty, but you can be certain that disasters will happen – not only natural disasters but human-inspired events like a cyber attack. A flexible, up-to-date and well-tested Business Continuity Plan can give you confidence that your firm will survive anything that Mother Nature or the Internet throws at you.
About the Author
Matthew Hilsenrad is the Director of Disaster Recovery at Abacus Group, a global firm that provides outsourced IT services and cloud hosting solutions to the alternative investment industry. Matt oversees Abacus’ disaster recovery services, including management of a Zerto replication platform, process planning, and coordination of all DR testing. He has over 20 years of experience in IT services and a bachelor’s degree from the University of Buffalo.