Influenza Pandemic
Key Securities Market Participants Are Making Progress, but Agencies Could Do More to Address Potential Internet Congestion and Encourage Readiness
GAO ID: GAO-10-8, October 26, 2009
Concerns exist that a more severe pandemic outbreak than 2009's could cause large numbers of people staying home to increase their Internet use and overwhelm Internet providers' network capacities. Such network congestion could prevent staff from broker-dealers and other securities market participants from teleworking during a pandemic. The Department of Homeland Security (DHS) is responsible for ensuring that critical telecommunications infrastructure is protected. GAO was asked to examine a pandemic's impact on Internet congestion and what actions can be and are being taken to address it, the adequacy of securities market organizations' pandemic plans, and the Securities and Exchange Commission's (SEC) oversight of these efforts. GAO reviewed relevant studies, regulatory guidance and examinations, interviewed telecommunications providers and financial market participants, and analyzed pandemic plans for seven critical market organizations.
Increased demand during a severe pandemic could exceed the capacities of Internet providers' access networks for residential users and interfere with teleworkers in the securities market and other sectors, according to a DHS study and providers. Private Internet providers have limited ability to prioritize traffic or take other actions that could assist critical teleworkers. Some actions, such as reducing customers' transmission speeds or blocking popular Web sites, could negatively impact e-commerce and require government authorization. However, DHS has not developed a strategy to address potential Internet congestion or worked with federal partners to ensure that sufficient authorities to act exist. It also has not assessed the feasibility of conducting a campaign to obtain public cooperation to reduce nonessential Internet use to relieve congestion. DHS also has not begun coordinating with other federal and private sector entities to assess other actions that could be taken or determine what authorities may be needed to act. Because the key securities exchanges and clearing organizations generally use proprietary networks that bypass the public Internet, their ability to execute and process trades should not be affected by any congestion. In analyzing seven critical market organizations, GAO found they had prepared pandemic plans that addressed key regulatory elements, including hygiene programs to minimize staff illness and continuing operations by spreading staff across geographic areas. However, not all had completed or documented analyses of whether they would have sufficient staff capable of carrying out critical activities if many of their employees were ill. Also, not all had developed alternatives to teleworking if congestion arises. SEC staff have been regularly examining market organizations' readiness, but could further reduce risk of disruptions by ensuring that these organizations prepare complete staffing analyses and teleworking alternatives.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
October 2009:
GAO-10-8:
GAO Highlights:
Highlights of [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-10-8],
a report to congressional requesters.
Figure: Likely Internet Congestion Points Affecting Teleworkers:
[Refer to PDF for image: flowchart comparing normal weekday usage with potential pandemic weekday usage]
Source: GAO.
[End of figure]
What GAO Recommends:
GAO recommends DHS begin planning to address Internet congestion and
SEC better review market participants' plans. SEC agreed. DHS agreed to
address potential congestion for national security and emergency
communications, but not more broadly. GAO believes DHS should do more
to address potential Internet congestion.
View [hyperlink, http://www.gao.gov/products/GAO-10-8] or key
components.
For more information, contact Mathew J. Scirè at (202) 512-8678 or
sciremj@gao.gov
[End of section]
Contents:
Letter:
Background:
Internet Congestion During a Severe Pandemic That Hampers Teleworkers
Is Anticipated, but Responsible Government Agencies Have Not Developed
Plans to Address Such Congestion and May Lack Clear Authority to Act:
Key Securities Market Participants Have Prepared Response Plans, but
Not All Have Documented Staffing Analyses or Plans for Alternatives to
Teleworking:
SEC Has Taken Significant Steps to Assess Securities Market
Organizations' Pandemic Preparedness, but Could Do More:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: FINRA Efforts to Oversee Pandemic Readiness of Broker-
Dealers:
Appendix III: Steps Taken by Bank Regulators to Assess Pandemic
Preparedness in Key Clearing Banks:
Appendix IV: Comments from the Securities and Exchange Commission:
Appendix V: Comments from the Department of Homeland Security:
Appendix VI: GAO Contacts and Staff Acknowledgments:
Figures:
Figure 1: Overview of the Internet:
Figure 2: Role of Various Securities Market Participants in a Typical
Securities Trade:
Figure 3: Potential Points of Congestion:
Abbreviations:
ARP: Automation Review Program:
CMTS: cable modem termination system:
CDC: U.S. Centers for Disease Control and Prevention:
DHS: Department of Homeland Security:
DSL: digital subscriber line:
DSLAM: digital subscriber line access multiplexer:
FBIIC: Financial and Banking Information Infrastructure Committee:
FCC: Federal Communications Commission:
Federal Reserve: Board of Governors of the Federal Reserve System:
FINRA: Financial Industry Regulatory Authority:
FS/ISAC: Financial Services Information Sharing and Analysis Center:
FSSCC: Financial Services Sector Coordinating Council for Critical
Infrastructure Protection and Homeland Security:
GETS: Government Emergency Telecommunications Service:
HHS: Department of Health and Human Services:
HSPD-7: Homeland Security Presidential Directive 7:
IT: information technology:
Mbps: megabits per second:
NCS: Office of the Manager of the National Communications System:
NS/EP: national security/emergency preparedness:
PSA: public service announcement:
TSP: Telecommunications Service Priority Program:
SEC: Securities and Exchange Commission:
Treasury: Department of the Treasury:
WHO: World Health Organization:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
October 26, 2009:
Congressional Requesters:
The outbreak of the H1N1 flu in April 2009, while not as severe as
initially expected, has underscored the concerns that a potentially
serious virus could emerge that would cause widespread illness and
deaths. U.S. health authorities have estimated that a pandemic similar
to the one that occurred in 1918 could sicken millions of people in the
United States and potentially cause many deaths. The impact of such an
event on various sectors of the U.S. economy could also be significant.
In a severe pandemic, governments may close schools, shut down public
transportation systems, and ban public gatherings such as concerts or
sporting events. In such scenarios, many more people than usual may be
at home during the day, and Internet use in residential neighborhoods
could increase significantly as a result of people seeking news,
entertainment, or social contact from home computers. Concerns have
been raised that this additional traffic could lead to congestion on
the Internet that would significantly affect businesses in local
neighborhoods, such as small doctors' offices or business employees
attempting to telework by connecting to their employers' enterprise
networks.
Among the organizations that could be affected by potential pandemic-
related Internet congestion are those participating in the U.S.
securities markets. For these markets to function, various
organizations must be able to operate, including the exchanges or
electronic trading venues that execute the orders received from broker-
dealers. After trades are executed, a clearing organization processes
the information to verify the accuracy of the transaction and to
transfer ownership of the securities from the seller to the buyer.
Payments are also transferred among the banks used by clearing
organizations and broker-dealers by various payment processors. We have
previously issued a series of reports on the progress that the various
organizations participating in the securities markets have made in
preparing their organizations to prevent various threats--such as
physical or cyber attacks--from disrupting their operations.[Footnote
1] Although many organizations participate in U.S. securities markets,
the amount of trading volume or importance of the role played by
certain of these exchanges, clearing organizations, or payment
processor organizations is such that if one was not able to continue
operating after a disaster, the ability of the overall markets to
function could be affected.
In asking us to review the potential impact of Internet congestion that
arises during a severe pandemic, you raised questions about whether
such congestion could significantly affect the ability of securities
market participants to continue operating effectively, including by
using teleworking, during a pandemic. In this report, we address (1)
the potential impact of a severe pandemic on the Internet and the
actions telecommunications providers and government agencies are taking
to address possible congestion, (2) the adequacy of the actions that
securities market organizations are taking to prepare pandemic plans,
and (3) steps that securities and other regulators are taking to assess
the readiness of securities market organizations to continue operating
during a pandemic.
To address these objectives, we reviewed relevant studies and discussed
network capacities and capabilities with four major Internet providers
that provide service to a large part of the United States, including
many major cities. We also interviewed officials from federal agencies
responsible for telecommunications and pandemic issues, including the
Federal Communications Commission (FCC), the Department of Homeland
Security (DHS), and the Department of Health and Human Services (HHS).
We reviewed the pandemic plans and other related documents from the
same seven critical securities market organizations covered in our
prior reports--including key exchanges, clearing organizations, and
payment processors--whose operations are more critical to the overall
functioning of the securities markets--and compared these plans against
criteria that regulators have issued that outline the key elements that
an organization should include in its pandemic plans and preparations.
We also reviewed a randomly selected sample of examinations of broker-
dealer firms that clear trades for others. For security reasons, we did
not include the names or locations of the seven organizations we
reviewed in this report. In addition, we interviewed the relevant
securities and banking regulators--including the Securities and
Exchange Commission (SEC), the Financial Industry Regulatory Authority
(FINRA), the Board of Governors of the Federal Reserve System (Federal
Reserve), and the Office of the Comptroller of the Currency. We also
reviewed regulatory pandemic guidance, reports, and supporting
documents for examinations conducted by these regulators. We conducted
this performance audit from June 2008 to October 2009 in accordance
with generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives. (More information on our scope and
methodology is contained in app. I.)
Background:
An influenza pandemic can occur when an existing virus mutates into a
novel strain that is highly transmissible among humans, leading to
outbreaks worldwide. Such strains can be highly pathogenic because
there is little or no pre-existing immunity in the population.[Footnote
2] Some of the issues associated with the preparation for and responses
to an influenza pandemic are similar to those for any other type of
disaster or hazard. However, a pandemic poses some unique challenges.
Unlike incidents that are discretely bounded in space or time (e.g.,
most natural or man-made disasters), an influenza pandemic is an event
likely to come in waves, each lasting weeks, months, or years, and pass
through communities of all sizes across the nation and the world. While
a pandemic will not directly damage physical infrastructure such as
power lines or computer systems, it could threaten critical systems by
potentially removing the essential personnel needed to operate them
from the workplace for weeks or months. The World Health Organization
(WHO) and the U.S. Centers for Disease Control and Prevention (CDC)
have said that in a severe pandemic, the absences of those who are ill,
taking care of ill family members, and fearing infection could reach a
projected 40 percent during the peak weeks of a community outbreak,
with lower rates of absence during the weeks before and after the peak.
In addition, an influenza pandemic could result in 200,000 to 2 million
deaths in the United States, depending on its severity. Although
representing a novel strain of flu, the H1N1 outbreak, first detected
in the United States around April 2009, has caused illness ranging from
mild to severe. While most people who have been sick have recovered
without needing medical treatment, hospitalizations and deaths from
infection with this virus have occurred, and recent CDC news bulletins
have indicated the second wave of the disease potentially could be more
severe, especially for children and other at-risk groups.
As with most disasters, the initial governmental response to a pandemic
will be at the state and local level and will aim to decrease people's
exposure to the virus. Initial responses may include encouraging and
facilitating good hand hygiene, requiring ill individuals to isolate
themselves, educating people about conditions that put them at high
risk for complications, encouraging early treatment, and encouraging
creative solutions to increase the distance between people at school
and work. Under conditions of increased severity of illness, government
response could escalate to include more aggressive actions such as
closing schools, shutting down public transportation, and prohibiting
large public gatherings at venues such as sporting events. These
measures are intended to create "social distance" between people to
prevent large numbers of people coming into direct contact in an
attempt to minimize transmission of the disease. Similarly, individual
organizations are also advised to increase the distance between people
in workplaces. At the federal level, the National Strategy for Pandemic
Influenza Implementation Plan calls for the Secretary of HHS to lead
the federal medical response to a pandemic, and the Secretary of DHS to
lead the overall domestic incident management and federal
coordination.[Footnote 3]
Various Agencies Have Responsibility for Ensuring That Critical
Telecommunications and Financial Sector Infrastructures Are Protected:
Protecting the nation's critical infrastructure against natural and
manmade catastrophic events, including pandemic, has been a concern of
the federal government for over a decade. Several federal policies
address the importance of coordination between the government and the
private sector in critical infrastructure protection. Homeland Security
Presidential Directive 7 (HSPD-7), issued in December 2003, identifies
various federal agencies, including DHS, as having responsibility for
ensuring that steps are taken to protect specific critical
infrastructure sectors of the United States.[Footnote 4] HSPD-7 makes
DHS responsible for, among other things, coordinating national critical
infrastructure protection efforts and establishing uniform policies,
approaches, guidelines, and methodologies for integrating federal
infrastructure protection and risk management activities within and
across these sectors.
In addition to other sectors, DHS is the lead federal agency for two
critical infrastructure sectors--information technology (IT) and
communications--that are important for the Internet.[Footnote 5]
Specifically, the entities within DHS responsible for coordinating
national efforts to promote critical infrastructure protection
activities for those sectors are the National Cyber Security Division
and the Office of the Manager of the National Communications System
(NCS), respectively.[Footnote 6] Although the vast majority of
Internet infrastructure is owned and operated by the private sector,
federal policy recognizes the need to be prepared for the possibility
of debilitating disruptions in cyberspace. With the exception of the
Department of Defense and intelligence community networks, DHS is the
central coordinator for cyberspace security efforts and has
responsibility for developing an integrated public-private plan for
Internet recovery.[Footnote 7] FCC--which was established under the
Communications Act of 1934 to regulate interstate and international
communications by radio, television, wire, satellite, and cable--also
oversees the telecommunications infrastructure on which the Internet
depends.[Footnote 8] Because the functioning of the financial markets
is important for our nation's economy, the financial sector is one of
the infrastructure sectors that has been designated as critical.
Finally, under HSPD-7, the Department of the Treasury (Treasury) is
responsible for infrastructure protection activities specifically
within the banking and finance sector.
Private Companies Provide the Networks That Comprise the Internet:
The public Internet infrastructure is owned and operated primarily by
private companies such as telecommunications companies, cable
companies, and other Internet service providers. It is a network of
many networks used around the world to communicate and share computing
resources, engage in commerce, do research, and provide entertainment.
As shown in figure 1, the various networks that make up the Internet
include the national backbone and regional networks, as well as the
residential Internet access networks and the networks run by individual
businesses, or "enterprise" networks. The national backbone providers
transmit data over long distances using high-speed fiber-optic lines.
Because these providers do not service all locations worldwide,
regional network providers provide regional service to supplement the
long-haul traffic. When a user wants to access a Web site or send an e-
mail to someone who is connected to the Internet through a different
service provider, the data must be transferred between networks. Data
travels from a user's home computer to the Internet through various
means, including coaxial cable, digital subscriber line (DSL),
satellite, fiber, or wirelessly to a provider's facility where it is
aggregated with other users' traffic. Data cross between networks at
Internet exchange points, which can be either hub points where multiple
networks exchange data or private interconnection points. At these
exchange points computer systems called routers determine the optimal
path for the data to reach their destination. The data then continue
through the national and regional networks and exchange points, as
necessary, to reach the recipient's Internet service provider and the
recipient.
Figure 1: Overview of the Internet:
[See PDF for image: illustration]
United States map with flowchart of overview of Internet.
Source: GAO.
[End of figure]
A functioning Internet will be important during a pandemic because it
could be one important way that governments and private entities share
necessary information with the public. Using the Internet to allow
people to communicate effectively without coming together physically
would assist in creating "social distance" to reduce the potential for
illness to further spread. In addition, many organizations, including
DHS, have been advocating that businesses and other enterprises
consider increased use of telework by their workforce as a way to
continue operations while maintaining physical separation from other
workers during a pandemic. Doing so would typically involve employees
working from home and accessing their business's networks over an
Internet connection. Some entities have also advocated the use of the
Internet as a means for reducing the social isolation that could arise
when people are asked to avoid contact with others.
Functioning Securities Markets Require Participation by Various Types
of Organizations:
For the U.S. securities markets to function, ensuring that companies
can raise capital to carry on commerce and investors can obtain returns
on their savings for spending on necessities or for retirement
security, various organizations must be able to operate. Individual
investors and institutions such as mutual funds send their orders to
buy and sell stocks and options to broker-dealers that, in turn, route
these orders to be executed at one of the many exchanges or electronic
trading venues in the United States and abroad. After a securities
trade is executed, it undergoes clearance and settlement to verify the
accuracy of the transaction. Ownership of the securities is then
transferred from the seller to the buyer, and the necessary payment
between the two parties is exchanged. Separate organizations complete
the clearance and settlement process for stocks and for options. In
general, a clearing organization collects and compares trade
information to ensure the accuracy of the trade and calculates the
amounts that are to be exchanged between parties. A depository
organization then transfers ownership and maintains the records of
securities held by broker-dealers and investors. To facilitate these
interactions, the large broker-dealers have accounts directly with the
clearing organizations, while smaller and independent broker-dealers
act as introducing firms by sending their customers' orders to an
intermediary broker-dealer, known as a clearing firm, that accepts and
processes the trades and clears and settles these trades with the
central clearing organization. The clearing firm's systems also
maintain the records of the cash and securities holdings of the
introducing broker-dealers, and their investor customers.
The monies transferred as part of securities transactions are handled
by the banks that maintain accounts for broker-dealers and accept and
make payments for these firms' securities activities. Payment
processing systems operated by the Federal Reserve or private firms
process the payments that are exchanged between the clearing banks used
by the clearing organizations, broker-dealers, and their customers.
Virtually all of the information processed is transferred
electronically between parties; clearance and settlement and payment
transactions take place over proprietary networks that do not traverse
the public Internet infrastructure. Figure 2 illustrates how these
various organizations participate in a trade.
Figure 2: Role of Various Securities Market Participants in a Typical
Securities Trade:
[Refer to PDF for image: flowchart]
Source: GAO.
[End of figure]
Although thousands of entities are active in the U.S. securities
markets, certain key organizations are more critical to the ability of
the markets to function, usually because they offer unique products or
perform vital services. For example, markets cannot function without
the activities performed by clearing organizations and in some cases,
only one clearing organization exists for particular products. In
addition, other market participants are critical to overall market
functioning because they consolidate and distribute price quotations or
information on executed trades. The inability of any one broker-dealer
firm to continue operations during an event would not likely affect the
markets as a whole, but a small number of large broker-dealers
generally account for sizeable portions of the daily trading volume on
many exchanges. If several of these large firms were unable or
unwilling to operate, the markets might not have sufficient trading
volume to function in an orderly or fair way. U.S. securities markets
have evolved in the last decade, with trading occurring at a larger
number of venues, including existing exchanges, electronic markets, and
alternative trading networks operated by broker-dealers or others. As a
result, the criticality of some participants to the overall functioning
of the markets likely has changed since we began reviewing these issues
in 2001, but all continue to play significant roles in U.S.
markets.[Footnote 9]
Several Organizations Oversee the Various Securities Market
Participants:
Various regulators oversee securities market participants:
* SEC regulates the stock and options exchanges and the clearing
organizations for those products. In addition, SEC issues rules and
oversees the broker-dealers that trade on those markets and other
participants, such as mutual funds, which are active investors.
* Self-regulatory organizations also oversee broker-dealers directly
and are responsible for ensuring that their members comply with the
securities laws and these organizations' own rules. FINRA is the
primary self-regulatory organization for securities firms conducting
business in the United States.[Footnote 10] As part of its
responsibilities, this regulator conducts examinations of its members
to ensure compliance with its rules and federal securities laws.
* The clearing banks that maintain accounts on behalf of securities
market participants are overseen primarily by two different regulators.
The Federal Reserve oversees bank holding companies and state-chartered
banks that are members of the Federal Reserve System. The Office of the
Comptroller of the Currency examines nationally chartered banks.
Securities Market Organizations and Regulators Have Been Addressing
Threats to Critical Market Operations since 2001:
As we reported in a series of reports issued since the September 11,
2001 terrorist attacks, securities market organizations have made
significant progress in addressing various threats with the potential
to disrupt their operations.[Footnote 11] As we reported in 2007, the
group of organizations that we considered critical to overall
operations of the securities markets--including exchanges, clearing
organizations, and payment processors--have acted to significantly
reduce the likelihood of physical disasters disrupting the functioning
of U.S. securities markets. For example, all these organizations had
developed the capability to perform their critical functions at
alternate sites geographically dispersed from their primary sites. They
all also had improved their physical and information security measures.
The broker-dealers and clearing services banks that account for
significant trading volumes had also taken steps to increase the
distances between their sites for primary and backup operations for
clearance and settlement activities and established dispersed backup
trading locations.
Market participants have also worked with financial regulators and
other organizations on other efforts to improve the overall resiliency
of the financial sector; these include periodically conducting
industry-wide connectivity testing from backup locations. Coordinated by
the Securities Industry and Financial Markets Association and other
groups, these tests verify the ability of market participants to operate
through an emergency using backup sites, recovery facilities, and
backup communications capabilities across the industry. They also give
participants an opportunity to exercise and check the ability of their
backup sites to successfully transmit and receive communications to and
from the backup sites of other market participants. In the 2008
test, more than 250 organizations, including broker-dealers, markets,
service bureaus, and industry utilities participated, with test
participants representing more than 85 percent of normal market volume.
Overall, almost 98 percent of test connections among participants were
successful. Financial market organizations have also taken steps to be
better prepared for physical or information security attacks. For
example, DHS's Office of Infrastructure Protection assisted some
financial market organizations by conducting assessments of the
physical security measures these organizations were taking to prevent
damage by physical attacks, including reviewing these organizations'
facilities and their physical security measures such as surveillance,
perimeter, and intrusion technologies. Officials from Treasury and
representatives of selected financial markets also participated in
exercises conducted by DHS that involved tabletop events that were
intended to create lifelike scenarios of disasters or cyber attacks.
These exercises were to help participants better understand the effect
of cross-sector dependency (or interdependencies) during such events.
To assist in infrastructure protection issues, representatives from a
broad range of financial regulatory agencies formed the Financial and
Banking Information Infrastructure Committee (FBIIC). This group meets
regularly to communicate information and coordinate efforts among the
financial regulators and enhance the resiliency of the financial
sector.[Footnote 12] In addition, representatives of the financial
trade associations and other entities share information relating to
infrastructure protection among financial market participants through
the Financial Services Sector Coordinating Council for Critical
Infrastructure Protection and Homeland Security (FSSCC).[Footnote 13]
Formed in 2002, FSSCC acts as the private sector council that assists
Treasury in addressing critical infrastructure protection issues within
the banking and finance sector. FSSCC works to help reinforce the
financial services sector's resilience against terrorist attacks and
other threats to the nation's financial infrastructure. FSSCC has
published reports summarizing best practices and lessons learned for
issues of common concern to the industry at large. Members of FSSCC
also meet periodically with the financial regulators to share
information about common concerns and challenges. Financial market
organizations also have received consolidated information through other
sources. For example, the Financial Services Information Sharing and
Analysis Center (FS/ISAC) consolidates threat information for the
sector.[Footnote 14]
The financial sector has also taken steps to ensure that key officials
from financial regulators and financial market organizations will be
able to communicate during disasters. Under the Government Emergency
Telecommunications Service (GETS) Program, participating staff receive
a card that provides them with a code that can be dialed to increase
the priority of telephone calls they place during crises. To better
ensure that critical communication among financial market participants
occurs, FBIIC issued an interim policy on the GETS Card Program in July
2002 that outlines how staff from financial institutions can obtain
such cards. To qualify for GETS sponsorship, the FBIIC policy states
that organizations must perform functions critical to the operation of
key financial markets. This priority currently is only available for
voice calls and not for data communications over the Internet. Another
FBIIC telecommunications effort involves the FCC's Telecommunications
Service Priority (TSP) Program, which is used to identify and
prioritize telecommunication services that support national security or
emergency preparedness missions. Under TSP, private-sector
organizations, through the sponsorship of a selected group of federal
agencies, including SEC and the Federal Reserve, can have some of their
key telecommunications circuits added to an inventory maintained by NCS
that will provide increased priority for restoration of these key
circuits in the event of a disruption.
Internet Congestion During a Severe Pandemic That Hampers Teleworkers
Is Anticipated, but Responsible Government Agencies Have Not Developed
Plans to Address Such Congestion and May Lack Clear Authority to Act:
Increased use of the Internet by students, teleworkers, and others
during a severe pandemic is expected to create congestion in Internet
access networks that serve metropolitan and other residential
neighborhoods. For example, localities may choose to close schools and
these students, confined at home, will likely look to the Internet for
entertainment, including downloading or "streaming" videos, playing
online games, and engaging in potential activities that may consume
large amounts of network capacity (bandwidth). Additionally, people who
are ill or are caring for sick family members will be at home and could
add to Internet traffic by accessing online sites for health, news, and
other information. This increased and sustained recreational or other
use by the general public during a pandemic outbreak will likely lead
to a significant increase in traffic on residential networks. If
theaters, sporting events, or other public gatherings are curtailed,
use of the Internet for entertainment and information is likely to
increase even more. Furthermore, the government has recommended
teleworking as an option for businesses to keep operations running
during a pandemic. Thus, many workers will be working from home,
competing with recreational and other users for bandwidth.
According to a DHS study and Internet providers, this additional
pandemic-related traffic is likely to exceed the capacity of Internet
providers' network infrastructure in metropolitan residential Internet
access networks.[Footnote 15] Residential Internet users typically
connect their computers to their Internet service providers' network
through a modem or similar Internet access device. These Internet
access devices route home users' traffic to a network device that
aggregates it with that of other users before forwarding it to the
other parts of the provider's network and its ultimate destination on
the Internet. As shown in figure 3, the traffic aggregating device
differs depending on the technology used for Internet access--DSL, a
cable network, or other means. But all these technologies use network
architectures that basically aggregate the traffic of multiple users on
a single device that then routes it to other parts of the providers'
networks. For example, within a DSL network architecture, the user's
traffic travels on a dedicated pair of copper wires from a home
computer to the provider's location--usually known as a central office--
which houses a device called the digital subscriber line access
multiplexer (DSLAM). The DSLAM aggregates this traffic and that of
other users of this provider from individual residential neighborhoods
before sending it on to regional networks and eventually to the
national Internet backbone.[Footnote 16] Traffic from home users who
connect to the Internet through a cable provider moves from the home
computer over coaxial cables and fiber optic cables then ultimately to
a network device known as a cable modem termination system (CMTS). The
CMTS also aggregates this traffic with that of other users from other
individual residential neighborhoods and sends it to the regional
networks and the national Internet backbone.[Footnote 17] During a
pandemic, congestion is most likely to occur in the traffic to or from
the aggregation devices that serve residential neighborhoods,
interfering with teleworkers' and others' ability to use the Internet.
Figure 3: Potential Points of Congestion:
[Refer to PDF for image: flowchart]
Source: GAO (based on DHS information).
[End of figure]
Congestion affecting home users is likely to occur because, for
efficiency and cost reasons, the parts of providers' DSL, cable,
satellite, and other types of networks that provide access to the
Internet from residential neighborhoods are not designed to carry all
the potential traffic that could be generated by the users in a
particular neighborhood or by all the users connected to a particular
aggregating device. Providers do not
build networks to handle 100 percent of the total traffic that could be
generated because users are neither active on the network all at the
same time, nor are they sending maximum traffic at all times. Instead,
providers use statistical models based upon past users' patterns and
projected growth to estimate the likely peak load of traffic that could
occur and then design and build networks based on the results of the
statistical model to accommodate at least this level. According to one
provider, this engineering method serves to optimize available capacity
for all users. For example, under a cable architecture, 200 to 500
individual cable modems may be connected to a provider's CMTS,
depending on average usage in an area. Although each of these
individual modems may be capable of receiving up to 7 or 8 megabits per
second (Mbps) of incoming information, the CMTS can transmit a maximum
of only about 38 Mbps.[Footnote 18] Providers' staff told us that
building the residential parts of networks to be capable of handling
100 percent of the traffic that all users could potentially generate
would be prohibitively expensive.
A 2007 DHS study that was conducted in cooperation with various
government, communication sector, and financial sector entities used
modeling of residential and other network configurations to confirm
that the increased traffic generated in neighborhoods during a severe
pandemic is likely to exceed the capacity of the providers' aggregation
devices in metropolitan residential neighborhoods.[Footnote 19] The
study examined the technical feasibility of the pandemic telecommuting
strategy advocated by the government. The study also focused on
identifying action plans to better prepare the nation for telecommuting
during an influenza pandemic. As part of the study, a model was
developed using data and assumptions from a large U.S. metropolitan
area to represent a typical Internet provider's network configuration,
including devices and network capacities. For cost reasons, the study
used DSL network architecture for the purposes of the congestion
modeling, but the preparers acknowledged that other means of accessing
the Internet had similar architectures and thus the impact of a
pandemic would be similar. The contractors that prepared the study
simulated Internet traffic in amounts that corresponded to the level of
Internet use in a residential neighborhood under three scenarios of
pandemic severity--20, 40, and 90 percent absenteeism from the
workplace. The study's model predicted that at the 40 percent
absenteeism level--the level that health organizations have indicated
is likely under a relatively serious pandemic--the highest point of
congestion across the entire Internet infrastructure could occur within
residential Internet access networks. Specifically, at the 40 percent
absenteeism level, the study predicted that most users within
residential neighborhoods would likely experience congestion when
attempting to use the Internet. Based on our assessment of the study,
we concluded that the methodology applied and the likely congestion
points identified were reasonable. Furthermore, communication sector
representatives we interviewed confirmed the likelihood of Internet
congestion between a user's home and the point at which that traffic
combines with other users at the providers' aggregation devices.
Although this study assessed the impact on a large city, the severity
of congestion could vary across neighborhoods or nationally depending
on the capacities of residential neighborhood Internet access networks,
with cities or areas with larger populations and higher incomes
generally having large broadband capacities and less-populated rural or
poorer areas possibly having less broadband capacity. However, the
study used typical telecommunications network configurations for a
large U.S. city and found that congestion was likely. As a result, we
believe that its findings mean that most other locations in the United
States could experience similar problems.
Although predicting that the most severe congestion would occur within
residential access networks, the study overseen by DHS also noted that
pandemic-related congestion was possible in other parts of the networks
that comprise the Internet. For example, users could experience
congestion at the point at which traffic is transferred between service
providers because of potential differences in transmission capacity.
Additionally, teleworkers connecting to their companies' networks (the
"enterprise" networks) could overload various components of these
networks, such as the devices that provide security--firewalls--or
servers that provide access to various applications because some
businesses' networks may not have scaled these devices to accommodate
the anticipated increase in telecommuting traffic during a pandemic.
The steps being taken by financial organizations to ensure their
enterprise networks are prepared for pandemic levels of use are
discussed later in this report.
Providers' Options for Reducing Internet Congestion Are Limited and
Could Require Government Action:
Providers' options for addressing expected pandemic-related Internet
congestion include providing extra capacity, using network management
controls, installing direct lines to organizations, temporarily
reducing the maximum transmission rate, and shutting down some Internet
sites. Each of these methods is limited either by technical
difficulties or questions of authority. In the normal course of
business, providers attempt to address congestion in particular
neighborhoods by building out additional infrastructure--for example,
by adding new or expanding lines and cables. Internet provider staff
told us that providers determine how much to invest in expanding
network infrastructure based on business expectations. If they
determine that a demand for increased capacity exists that can
profitably be met, they may choose to invest to increase network
capacity in large increments using a variety of methods such as
replacing old equipment and increasing the number of devices serving
particular neighborhoods. Providers will not attempt to increase
network capacity to meet the increased demand resulting from a
pandemic, as no one knows when a pandemic outbreak is likely to occur
or which neighborhoods would experience congestion. Staff at Internet
providers whom we interviewed said they monitor capacity usage
constantly and try to run their networks between 40 and 80 percent
capacity at peak hours. They added that in the normal course of
business, their companies begin the process to expand capacity when a
certain utilization threshold is reached, generally 70 to 80 percent of
full capacity over a sustained period of time at peak hours.
However, during a pandemic, providers are not likely to be able to
address congestion by physically expanding capacity in residential
neighborhoods for several reasons. First, building out infrastructure
can be very costly and takes time to complete. For example, one
provider we spoke with said that it had spent billions of dollars
building out infrastructure across the nation over time, and adding
capacity to large areas quickly is likely not possible. Second, another
provider told us that increasing network capacity requires the physical
presence of technicians and advance planning, including preordering the
necessary equipment from suppliers or manufacturers. The process can
take anywhere from 6 to 8 weeks from the time the order is placed to
actual installation. According to this provider, a major constraint to
increasing capacity is the number of technicians the firm has available
to install the equipment. In addition to the cost and time associated
with expanding capacity, during a pandemic outbreak providers may also
experience high absenteeism due to staff illnesses, and thus might not
have enough staff to upgrade network capacities. Providers said they
would, out of necessity, refrain from provisioning new residential
services if their staff were reduced significantly during a pandemic.
Instead, they would focus on ensuring services for the federal
government priority communication programs and performing network
management techniques to re-route traffic around congested areas in
regional networks or the national backbone.[Footnote 20] However, these
activities would likely not relieve congestion in the residential
Internet access networks.
Providing critical employees direct connections that bypass residential
congestion may be another option for facilitating telework during a
pandemic, but this option can be cost prohibitive to employers and is
not widely used. Specifically, some providers offer network solutions
such as private lines to businesses and governments. Private line
services allow businesses to run their corporate networks and
applications separately from public Internet traffic and could provide
a point-to-point dedicated path between teleworkers' homes and offices,
bypassing the residential neighborhood congestion points. However,
according to provider staff we spoke with, installing private lines in
a residence requires advance planning and is expensive. One provider
noted that a direct connection is not a solution that can be invoked
when the pandemic strikes.
Technically Feasible Options Would Likely Require a Government
Directive:
In the current network environment, providers' capability to address
pandemic-related Internet congestion by prioritizing certain users'
traffic, including that of financial sector teleworkers, is limited.
Specifically, provider systems are not designed to identify and provide
priority to individual users when traffic is routed over the Internet
and multiple networks are used for the connection.[Footnote 21]
Furthermore, Internet providers' networks also are not currently
designed to identify particular types of customers connected to the
Internet. For example, the networks cannot distinguish between critical
employees teleworking and recreational users.
Providers identified one technically feasible alternative that has the
potential to reduce Internet congestion during a pandemic, but raised
concerns that it could violate customer service agreements and thus
would require a directive from the government to implement. Although
providers cannot identify users at the computer level to manage traffic
from that point, two providers stated that if the residential Internet
access network in a particular neighborhood was experiencing
congestion, a provider could attempt to reduce congestion by reducing
the amount of traffic that each user could send to and receive from his
or her network. Such a reduction would require adjusting the
configuration file within each customer's modem to temporarily reduce
the maximum transmission speed of that modem--for example, by
reducing its incoming capability from 7 Mbps to 1 Mbps. However,
according to providers we spoke with, such
reductions could violate the agreed-upon levels of services for which
customers have paid. Therefore, under current agreements, two providers
indicated they would need a directive from the government to take such
actions.
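The oversubscription described earlier in this section (200 to 500 modems able to receive 7 or 8 Mbps each, behind a CMTS that transmits about 38 Mbps) and the throttling option described above (7 Mbps reduced to 1 Mbps) can be put into a small statistical model. This is an added illustration, not part of the GAO report or the DHS study; the independent-user assumption, the full-rate assumption, and the activity probabilities are constructed for the example.

```python
"""Oversubscription at a residential aggregation device (added illustration).

Figures taken from the report: 200 to 500 cable modems per CMTS, each able
to receive 7 to 8 Mbps, about 38 Mbps of CMTS downstream capacity, and a
temporary throttle of each modem from 7 Mbps to 1 Mbps.

ASSUMPTIONS (not from the report): each subscriber is independently active
with probability p_active at the busy hour, and an active subscriber pulls
traffic at the full rate the modem allows. The p_active values used below
are constructed sample inputs, not the DHS study's parameters.
"""
from math import exp, lgamma, log, log1p

CMTS_MBPS = 38.0  # downstream capacity quoted in the report


def oversubscription_ratio(modems, per_modem_mbps, capacity_mbps=CMTS_MBPS):
    """Total traffic the modems could request, divided by what the CMTS can send."""
    return modems * per_modem_mbps / capacity_mbps


def max_full_rate_users(per_modem_mbps, capacity_mbps=CMTS_MBPS):
    """Largest number of simultaneous full-rate users that still fits."""
    return int(capacity_mbps // per_modem_mbps)


def congestion_probability(modems, p_active, per_modem_mbps,
                           capacity_mbps=CMTS_MBPS):
    """P(offered load > capacity) when active users ~ Binomial(modems, p_active).

    Sums the upper binomial tail in log space so that large modem counts
    do not overflow or lose the small probabilities in the tail.
    """
    limit = max_full_rate_users(per_modem_mbps, capacity_mbps)
    if limit >= modems or p_active <= 0.0:
        return 0.0
    if p_active >= 1.0:
        return 1.0
    log_p, log_q = log(p_active), log1p(-p_active)
    tail = 0.0
    for k in range(limit + 1, modems + 1):
        log_pmf = (lgamma(modems + 1) - lgamma(k + 1) - lgamma(modems - k + 1)
                   + k * log_p + (modems - k) * log_q)
        tail += exp(log_pmf)
    return min(1.0, tail)


def compare_throttle(modems, activity_levels,
                     normal_mbps=7.0, throttled_mbps=1.0):
    """For each activity level, congestion probability before and after throttling."""
    return [(p,
             congestion_probability(modems, p, normal_mbps),
             congestion_probability(modems, p, throttled_mbps))
            for p in activity_levels]


if __name__ == "__main__":
    print("oversubscription, 200 modems at 7 Mbps: %.1f to 1"
          % oversubscription_ratio(200, 7.0))
    print("oversubscription, 500 modems at 8 Mbps: %.1f to 1"
          % oversubscription_ratio(500, 8.0))
    print("full-rate users that fit at 7 Mbps:", max_full_rate_users(7.0))
    print("full-rate users that fit at 1 Mbps:", max_full_rate_users(1.0))
    print("p_active  P(congested) at 7 Mbps  P(congested) at 1 Mbps")
    # Constructed activity levels, from a quiet busy hour to heavy home use.
    for p, normal, throttled in compare_throttle(200, [0.02, 0.10, 0.40]):
        print("%8.2f  %22.6f  %22.6f" % (p, normal, throttled))
```

Under these assumptions, throttling raises the number of simultaneous users the device can carry from 5 to 38, which removes congestion at moderate activity levels but not once a large share of a 200-modem neighborhood is active at the same time.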
Shutting down specific Internet sites would also reduce congestion,
although many we spoke with expressed concerns about the feasibility of
such an approach. Overall Internet congestion could be reduced if Web
sites that accounted for significant amounts of traffic--such as those
with video streaming--were shut down during a pandemic. According to
one recently issued study, the number of adults who watch videos on
video-sharing sites has nearly doubled since 2006, far outpacing the
growth of many other Internet activities.[Footnote 22] However, most
providers' staff told us that blocking users from accessing such sites,
while technically possible, would be very difficult and, in their view,
would not address the congestion problem and would require a directive
from the government.[Footnote 23] One provider indicated that such
blocking would be difficult because determining which sites should be
blocked would be a very subjective process. Additionally, this provider
noted that technologically savvy site operators could change their
Internet protocol addresses, allowing users to access the site
regardless. Another provider told us that some of these large bandwidth
sites stream critical news information. Furthermore, some state, local,
and federal government offices and agencies, including DHS, currently
use or have plans to increase their use of social media Web sites and
to use video streaming as a means to communicate with the public.
Shutting down such sites without affecting pertinent information would
be a challenge for providers and could create more Internet congestion
as users would repeatedly try to access these sites. According to one
provider, two added complications are the potential liability resulting
from lawsuits filed by businesses that lose revenue when their sites
are shut down or restricted and potential claims of anticompetitive
practices, denial of free speech, or both. Some providers said that the
operators of specific Internet sites could shut down their respective
sites with less disruption and more effectively than Internet
providers, and suggested that a better course of action would be for
the government to work directly with the site operators.
Additional Capabilities to Prioritize Traffic or Expand Capacities May
Be Available in the Future:
Providers could help reduce the potential for a pandemic to cause
Internet congestion by ongoing expansions of their networks'
capacities. Some providers are upgrading their networks by moving to
higher capacity modems or fiber-to-the-home systems. For example, some
cable providers are introducing a network specification that will
increase the download capacity of residential networks from 38 Mbps
to about 152 to 155 Mbps.[Footnote 24] In addition to cable network
upgrades, at least one telecommunications provider is offering
fiber-to-the-home, which is a broadband service operating over a fiber-optic
communications network. Specifically, fiber-to-the-home Internet
service is designed to provide Internet access with connection speeds
ranging from 10 Mbps to 50 Mbps.
Although not generally feasible in the current environment, the ability
to prioritize individual users' traffic is envisioned to be technically
possible in future upgrades of the infrastructure of the Internet and
telecommunications networks, but such capabilities are estimated to be
years away. As we recently reported, DHS is working with international
standards bodies to help develop standards that could allow greater
flexibility to prioritize data communications in the future;[Footnote 25]
this effort is a part of what is referred to as the Next Generation
Networks.[Footnote 26] However, these capabilities are not expected to
be ready for several years due to the complexity of the systems and the
need to develop standards that work across varying providers'
infrastructures, including internationally. In addition, we reported
DHS had difficulty getting its full budgets approved, which may have
contributed to the delay in developing standards. As a result, the
expanded features of this newer network architecture are not expected
to be a viable solution for addressing pandemic-related Internet
congestion in the near future.
DHS Has Done Some Pandemic Planning but Has Not Taken Actions Needed to
Effectively Address Potential Pandemic-related Internet Congestion:
Although responsible for coordinating protection of the communications-
critical infrastructure sector, which includes the networks that
comprise the Internet, DHS has not yet developed a strategy to address
pandemic-related Internet congestion, coordinated with federal
partners, determined if sufficient authority exists to take necessary
actions, or assessed the need for a public communications campaign to
minimize congestion that is expected to occur during a pandemic. Under
HSPD-7 and the National Strategy to Secure Cyberspace, DHS is the lead
agency for coordinating the protection of critical assets in the
communications sector from attacks.[Footnote 27] Also under these
authorities, DHS is responsible for facilitating a public-private
response to the recovery from major Internet disruption.[Footnote 28]
In addition to being a focal point to the cyber-critical infrastructure
protection effort, DHS has been designated as one of two federal
agencies responsible for coordinating the United States' pandemic
response. As specified in the Implementation Plan for the National
Strategy for Pandemic Influenza, DHS is to coordinate the nation's
response in conjunction with HHS.
DHS has undertaken several pandemic planning activities. As discussed
earlier in this report, DHS and representatives from the government,
communications sector, and financial sector conducted a study to assess
specifically the technical feasibility of the pandemic telecommuting
strategy and identify ways for the nation to better prepare to support
the strategy. In coordination with interagency partners and the
critical infrastructure sector coordinating councils, DHS has completed
individual sector-specific pandemic guidelines and provided Webinars to
sector partners on their respective plans. These guidelines are
intended to help the sectors, and businesses within the sectors, plan
for a severe influenza pandemic, and include some consideration of
potential Internet congestion. For example, the guidelines for the
information technology and communications sectors recommend that
entities in these sectors consider advising employees to limit
household use of streaming video or other bandwidth-intensive Internet
activities. The guidelines also recommend consideration of obtaining
multiple means of accessing the Internet. The guidelines have been
provided to the sector coordinating councils via a secure DHS
information portal, as well as to the members of the National
Governors Association. DHS officials told us that some of the sectors
have made the guidelines available to the public. More recently, DHS
completed the DHS 2009-H1N1 Implementation Plan, which provides
planning guidance for DHS and identifies specific roles and
responsibilities for the DHS components such as the Office of Policy or
the Transportation Security Administration. According to DHS officials,
the plan also directs all DHS components to develop plans that address
key preparation and response actions, performance of mission essential
functions, workforce protection, continuity of operations, and
communications with key stakeholders during the H1N1 influenza
pandemic.
However, while these planning activities are designed to help
government and private sector partners prepare for a pandemic, they are
limited in addressing the anticipated Internet congestion. Although
serving as the coordinating agency for Internet recovery and pandemic
response, DHS staff told us that their agency does not have a strategy
to address Internet congestion. According to DHS staff, their agency
has not begun developing such a strategy because since the September 11
terrorist attacks, they have had other crises such as Hurricane Katrina
to address. A senior official at a financial markets regulator told us
that leadership by the government had been lacking in addressing this
potential risk to the financial sector. Without action by DHS to
address this potential congestion, employees in critical sectors of the
nation's economy, including those in financial services, might not be
able to effectively telework or otherwise communicate or transmit data
over the Internet.
In addition, although various federal and private sector organizations
would likely be required to coordinate an effective Internet congestion
response strategy, DHS has neither reached out nor coordinated with
other partners, such as other federal or state agencies with
telecommunications oversight authorities, to prepare such a strategy.
As we previously reported, the experience of Hurricane Katrina showed
the need to improve leadership at all levels of government in order to
better respond to a catastrophic disaster.[Footnote 29] As part of
this, the legal authorities, roles and responsibilities, and lines of
authority at all levels of government must be clearly defined,
effectively communicated, and well understood in order to facilitate
rapid and effective decision making. In order to respond effectively to
pandemic-related Internet congestion, DHS will need to effectively plan
and work with other parts of the federal government and possibly state
and local governments and the private sector in its efforts. Other
organizations that could be relevant include FCC, which, as previously
noted, is charged with regulating interstate and international
communications by radio, television, wire, satellite, and cable. DHS
staff representing the Office of Policy acknowledged that such
coordination would be necessary to address Internet congestion
effectively and ensure that the various parts of the federal government
are not conducting conflicting activities. For example, the staff told
us the Department of Education was hoping to have schools use the
Internet during a pandemic to allow students to access remote learning
courses if schools were closed. The staff acknowledged that, as a
result, DHS would have to coordinate with the other relevant agencies
to ensure that their various actions are appropriately taken into
account in developing a congestion plan. According to DHS staff, DHS
has engaged in dialogues with other agencies about pandemic-related
issues on a regular basis. Agency staff once again cited time
constraints and the need to focus on other crises as reasons for not
having discussed the development of a coordinated strategy for
addressing Internet congestion. However, unless DHS starts coordinating
with other federal, state, and even private sector parties on possible
Internet congestion solutions, there may not be sufficient time to
develop a coordinated strategy to address a rapidly emerging severe
pandemic.
Further, although an effective congestion response strategy could
require directing the private sector entities that operate the
Internet's infrastructure today to take actions that could negatively
affect users, DHS has not determined whether it or other agencies have
the necessary authorities to require providers to take such actions. We
previously reported that the authorities of federal government agencies
regarding the Internet were unclear.[Footnote 30] Given the importance
of the Internet infrastructure to our nation's communications and
commerce, we suggested that Congress consider clarifying the legal
framework guiding Internet recovery. Although DHS staff identified a
list of potential authorities that may or may not apply, they told us
they were not able to specify whether their agency had clear or
specific authority to require telecommunications providers to take
actions to address congestion, such as reducing customer transmission
speeds or blocking entertainment Web sites. Instead, DHS's approach
would be to assess the authorities as part of the development of any
such strategy. While this approach could help DHS determine at some
point if it or some other relevant federal agency had adequate
authority to address potential Internet congestion, it would increase
the risk that the federal government will not be able to respond
rapidly or effectively if a pandemic quickly emerges.
Other federal government agencies might have authority to direct
providers to take certain actions during a pandemic, but whether these
are adequate is uncertain. Under the Communications Act of 1934, as
amended (the Act), FCC has authority to regulate the telecommunications
providers specifically and has authority generally with respect to
interstate and foreign communication by wire and radio. According to
FCC staff, there may be actions the FCC could take regarding the
Internet to address threats to national security or public safety.
However, in commenting on a draft of this report, FCC officials noted
that there is an ongoing court challenge to FCC's authority regarding
the Internet. In addition, FCC staff were not sure whether FCC would
have sufficient authority to require private sector organizations to
take all actions that may be deemed necessary in an emergency situation
to relieve congestion and facilitate commerce, including teleworking by
financial sector employees. As part of preparing a national broadband
access plan, FCC has recently sought public comments on options for
prioritizing Internet traffic in a pandemic.[Footnote 31] According to
FCC staff, very few comment letters addressed the prioritization issue.
Based on our review, some service providers expressed interest in the
government considering including a prioritization scheme in the plan.
Additionally, one provider suggested the plan should give providers
flexibility to actively manage networks during a pandemic.[Footnote 32]
Finally, one financial sector organization noted that the plan should
include a prioritization scheme to prioritize Internet traffic based on
how critical it is to national and economic security.
Some observers have suggested that an authority granted to the
President in the Communications Act of 1934 could conceivably be used
to take actions to address Internet congestion during a
pandemic.[Footnote 33] In their view, the President may have, under
certain limited circumstances involving a state or threat of war, the
power to authorize government control of the telecommunications systems
and, if properly invoked and delegated, this might broadly provide
authority for the government to require private sector entities to take
actions intended to address congestion. However, according to FCC staff
we spoke with, while the authority under the Act may grant the
President powers over telecommunication systems during wartime, they
did not know whether such powers could be exercised in a pandemic.
However, until DHS, as the lead agency responsible for coordinating
protection of telecommunications, including the Internet, takes action
to work with other agencies to assess whether sufficient authorities
exist to direct necessary actions by the private sector, the potential
for a timely and effective federal response to congestion is reduced.
Voluntary Reductions in Internet Use May Be an Effective Response to
Congestion, but DHS Has Not Taken Steps to Encourage It:
Although its own study identified voluntary public reduction of
Internet use as an effective means of reducing pandemic congestion, DHS
has not begun steps to assess the feasibility and effectiveness of
obtaining such public cooperation. According to the DHS study and to
providers and others we spoke with, voluntary actions taken by the
general public could have significant potential to reduce the surges in
traffic loads that residential users may experience during a pandemic.
For example, the general public could be asked to limit video
streaming, gaming, and peer-to-peer and other bandwidth-intensive
applications during daytime work hours. They could also be encouraged
to use broadcast news sources in place of online news. A similar
campaign developed by another agency--HHS--to publicize pandemic
awareness strategies showed that such public education efforts can
require months to prepare and cost millions of dollars to test and
implement. For example, as part of creating various radio and
television messages to provide information to the public about how to
prepare for a pandemic, HHS conducted market research using various
techniques, including focus groups, to gauge the public's opinion about
a pandemic. In 2005-2006, when they began this effort, HHS staff stated
that it took the agency about 6 months to develop the public service
announcements (PSA). In 2006-2007 HHS staff spent about 4 months
planning and producing PSAs. The cost of running radio PSAs in 137
cities over an 11-month period in 2007 was about $1.5 million.
DHS staff acknowledged that such a campaign would also require
cooperation and coordination among multiple federal and other agencies
to be effective and avoid conflicting goals and activities. For
example, agencies would need to work together to ensure that some were
not planning to recommend increased use of the Internet to provide
information, education, or for other purposes during a pandemic. For
example, HHS may advocate using the Internet to maintain social ties
during a pandemic, which would make the goal of easing congestion by
staying off-line more challenging. However, DHS staff told us they had
not begun efforts to evaluate the feasibility or effectiveness of such
a campaign or taken steps to begin developing such an effort because
other activities supporting its operational mission have taken
priority. Until DHS takes such action, its ability to implement what
its own study predicted would be an effective tool for reducing
potential Internet congestion in a timely fashion is reduced.
Key Securities Market Participants Have Prepared Response Plans, but
Not All Have Documented Staffing Analyses or Plans for Alternatives to
Teleworking:
We reviewed seven organizations whose operations are critical to the
overall functioning of U.S. securities markets and found that all have
developed formal plans that address key elements of pandemic
preparedness. But some have limitations that could increase the risk
that aspects of their operations would be disrupted by a pandemic. In
response to our last report, SEC and the banking regulators issued
guidance to key financial market participants stipulating that an
institution's pandemic plan, at a minimum, must include the following
five key elements:[Footnote 34]
1. a process for monitoring the pandemic's progress and a series of
escalating response steps as various pandemic phases are reached;
2. a preventive program to minimize, to the extent possible, illness
among employees, including social distancing of employees by curtailing
meetings;
3. a documented strategy of facilities or procedures designed to allow
the organization to continue its critical operations in the event that
large numbers of its staff are unavailable for prolonged periods;
4. a testing program to better ensure that the practices and
capabilities that an organization implements to address a pandemic will
be effective and allow it to continue its critical operations; and
5. an oversight program to ensure ongoing review and updates to the
pandemic plan.
All Seven Critical Organizations Have Escalating Plans and Preventive
Programs:
All seven of the critical financial market organizations we reviewed
have developed formal pandemic plans that call for them to monitor a
pandemic's progress and take escalating steps as the phases of a
pandemic outbreak progress. Health authorities, including WHO and CDC,
have issued phased timelines that track the progress of a pandemic from
earliest detection to widespread global illness.[Footnote 35] Because
being able to operate effectively at the height of a pandemic could
require an organization to have taken steps in advance, an effective
pandemic plan should contain more and stronger measures that would be
taken as the phases of the pandemic progress. Such a strategy provides
sufficient time to take steps that require more planning or lead time,
such as purchasing needed supplies or conducting training in advance of
the actual pandemic. Gradually implementing responses as the pandemic
progresses also could prevent organizations from generating undue
expenses if what appears to be a pandemic early on does not turn out to
be one that significantly disrupts operations.
Our analysis of the seven critical organizations' pandemic plans showed
that each included activities that escalated as the pandemic
progressed. All the organizations are currently monitoring information
on the potential spread of viruses that could lead to a pandemic
through the CDC or WHO Web sites and are communicating closely
with local authorities, such as the New York City Office of Emergency
Management. In the early stages of a pandemic these organizations would
take preventive actions, such as monitoring the world pandemic
situation and creating awareness of wellness practices before
widespread outbreaks begin (i.e., WHO Phases 1 through 3). But as the
pandemic levels advance, the organizations' plans generally call for
them to implement more extensive responses, such as relocating staff to
increase social distancing or sending some staff home to telework. For
example, one organization's pandemic plan describes efforts to impose
business travel restrictions; prepare additional communications to
employees, customers, and regulatory bodies; and stock up on additional
critical supplies during WHO Phase 4 in case a pandemic disrupts supply
chains. As the alert level rises to Phase 5, the plan escalates the
actions to initiate daily absenteeism tracking, expand the deployment
of hand-sanitizing gel, and do additional facility cleaning. When WHO
declares a pandemic (i.e., WHO Phase 6), the organizations will take
steps to implement social distancing, such as sending a number of
employees to the backup facility and designating people to work from
home. All of the plans follow this general design, and during the H1N1
outbreak, all the organizations began implementing some of these steps.
In particular, as the alert level escalated from WHO Phase 4 to Phase 5
in April of 2009, several organizations communicated to staff on
additional measures they were taking, which included placing more hand
sanitizers in the workplace and cleaning facilities more often. As WHO
raised its pandemic phase further to the highest level (i.e., WHO Phase
6), indicating that a broad outbreak of an influenza epidemic was
believed to be imminent, organizations, according to SEC staff, were
prepared to take further steps that correspond with an outbreak--such
as performing medical screenings of staff reporting to work--although
such measures ultimately were not necessary due to the milder nature of
the H1N1 outbreak here in the United States.
As a result of their experiences with the recent H1N1 flu outbreak,
some market organizations and financial regulators told us they were
considering developing modified trigger points in the plans that might
not follow the WHO designations exactly. Officials from these
organizations said they had made this decision because of their
experience with the relatively benign nature of the H1N1 virus in the
United States. The health authorities' pandemic phases were designed
for a disease that causes high levels of severe illness, and even
deaths, like some of the previous flu pandemics have caused. However,
even though the United States continues to report the largest number of
novel H1N1 cases of any country worldwide, most people who have become
ill in 2009 have recovered without requiring medical treatment. As a
result, staff from several of the critical market organizations did not
need to fully implement their plans at that time because their
employees were not seriously ill, if at all, and the plans could be
modified to adapt to such a scenario.
Our analysis indicated that all seven critical organizations also had
fully addressed another key element of pandemic planning by instituting
preventive programs intended to reduce the impact of a pandemic on
their organizations. Because an organization has a much greater chance
of continuing operations during a pandemic if fewer of its employees
are ill, an effective pandemic plan should include a preventive program
to reduce the likelihood of employees becoming sick. The steps the
organizations took included providing information and educational
campaigns to keep employees informed of pandemic news and developments.
For example, during the recent H1N1 outbreak, staff at these seven
organizations developed memos to employees on the status of the
outbreak and steps the organizations were taking based on news and
briefings from the federal, state, and local authorities. Further, all
the organizations have developed internal Web sites to educate
employees on general information on preventing the spread of disease,
including hand-washing techniques and coughing etiquette, and have
provided personal hygiene items such as hand sanitizers and masks. In addition,
three of the organizations prepared extensive education outreach
campaigns (e.g., hand-washing awareness week) shortly after the
financial regulators' pandemic planning requirements were issued, in
mid-2007. Most of the organizations have also developed policies
regarding restricting travel as a way to reduce illness among their
employees. For example, the organizations' plans typically called for
curtailing international travel at WHO Phase 4, and some required staff
returning from abroad to quarantine themselves for a period, such as 7
days, to lower the chance of spreading illness.
Critical Organizations Reviewed Have Plans to Continue Operations with
High Absenteeism, but Some Have Limitations in Their Staffing Plans and
Teleworking Alternatives:
All seven critical securities market organizations we reviewed have
developed plans with procedures intended to allow them to continue the
functions critical to their operations despite high levels of
absenteeism, but not all have fully analyzed or thoroughly documented
their staffing levels or developed formal alternatives if teleworking
proves unfeasible due to Internet congestion. Although congestion
during a pandemic could interfere with the ability of individuals,
including teleworkers and others, to access the Internet, the primary
communications of the critical markets organizations would not be
affected because these organizations and their participants communicate
via high-capacity, proprietary networks that do not traverse the public
Internet infrastructure.[Footnote 36] According to the health
authorities, one of the most significant challenges of a pandemic will
be staffing shortages due to absenteeism caused by employees either too
ill to work, taking care of ill family members, or afraid to come to
work because of the chance of infection. Unfortunately, organizations
could also permanently lose critical staff if the pandemic causes
significant levels of deaths. Therefore, a responsive pandemic plan
should include procedures for ensuring that an organization can
continue performing its critical functions even with as much as a 40
percent reduction in its workforce for a prolonged period--the level
that the federal government has advised should be used for planning for
a severe pandemic.
In general, the seven critical organizations that we reviewed all
intend to use existing geographically dispersed facilities to increase
the distance among staff who perform critical functions. Staff from all
seven critical organizations are spread among facilities located across
the United States, including data centers, which are monitored by
computer operators, and office or business centers with key staff that
assist customers. Each of these organizations has created duplicate
sites with redundant staffed data centers and locations or space for
other critical staff. For example, officials from one organization told
us that their three facilities are considerably distant from each other
(i.e., hundreds of miles) in order to mitigate the effect of natural
disasters, power and telecom outages, and other wide-scale regional
disruptions, including a pandemic. The organizations plan to use these
geographically dispersed sites to maximize social distancing and
increase their ability to continue operating during a pandemic. Having
sites with staff that perform critical functions in more than one
location also provides these organizations with pools of cross-trained
employees that they can draw on during a pandemic. For example, one
organization's pandemic plan relies on staff performing critical
activities that are evenly divided across two geographically distant
facilities in different regions of the country. This organization also
has an alternate facility in the same metropolitan area as its primary
location. Under its plan, during the final stage of a pandemic, when
the United States is experiencing sustained transmission of the
disease, some staff from its primary site are to report to the nearby
alternate facility to do their critical activities, thus allowing the
organization to increase the physical distance between the individual
members of its critical staff.
Staffing Analyses or Documentation Can Be Improved:
Although each organization has developed plans for continuing
operations during a pandemic, our analysis indicated that three of the
seven have not fully analyzed or documented the number of staff able to
perform critical functions who would be available during a pandemic.
With the federal government indicating that organizations should plan
for absenteeism of 40 percent at the peak of a severe pandemic, under
such circumstances approximately one in every three of an
organization's employees could be ill or caring for ill family members.
Although regulators' guidance does not specify the extent of
cross-training required, we believe that, at a minimum, an organization would
need two staff capable of performing each critical activity to allow
for one to be absent while the other continues working. Organizations
should probably have three staff capable of performing or cross-trained
to take over these tasks to provide additional assurance that enough
staff would be available. For example, the federal guidance on
continuity of operations planning recommends that organizations should
probably have three staff capable for key positions.[Footnote 37]
Because these organizations have multiple operating sites with staff
located in each that are capable of performing many of their critical
activities, they have some assurance that they likely have enough
employees to continue operating during a pandemic. But not all
organizations have fully analyzed or documented the number of staff
that could be available across all critical positions and tasks. All
the organizations have identified their critical functions and all have
lists of at least some of the essential staff for each of the
departments performing those functions. Four critical organizations
have developed lists that show the current staff for each critical
function, backup staff, and sufficient numbers of staff who are
cross-trained or already know these functions who could serve as additional
backup support. One of these organizations rotates the performance of
its critical functions through three geographically distant operation
sites on an ongoing basis, ensuring a large group of cross-trained
staff. For example, this organization has a list of 36 staff for one of
the critical departments, all of whom are trained to perform functions
normally requiring 8 staff. Thus the organization has 8 backup staff as
well as 20 additional trained staff that it can draw upon. Another of
the four organizations identified seven essential services that its
organization needs to perform and prepared listings for each of these
departments that identify the primary staff performing the functions,
the backups for these staff, and additional staff that are
knowledgeable or cross-trained to perform these duties. For example,
one of the essential departments has a list of 19 staff that are
trained to perform one set of critical functions that normally require
only 5 employees--a surplus of 14. In addition, this organization
cross-trained an additional 7 staff to serve as further backup support.
Thus, these organizations identified additional staff beyond the
primary and backup employees for each critical function--producing more
than two staff capable of performing each critical activity--to have
greater assurance of being able to perform their critical functions.
The importance of sufficiently analyzing and documenting the adequacy
of critical staffing was demonstrated by one of the critical
organizations that has comprehensively identified its staff and
backups. This organization participated in an industry-wide pandemic
exercise that revealed it needed to identify even larger numbers of
trained staff for some departments. The exercise simulated the impact
of a pandemic by declaring that all staff with last names beginning
with certain letters would be unavailable for work. Although at one
point in the exercise the scenario called for 40 to 50 percent
absenteeism, this organization found that in one of its critical
departments, as many as 78 percent of its staff were projected to be
unavailable.[Footnote 38] As a result, this organization has
re-examined its staffing arrangement to identify staff that currently
perform other activities that could be used to perform critical
functions if needed. The results from the exercise demonstrated the
need to determine, in advance of an outbreak, sufficient numbers of
staff capable of performing critical functions.
In contrast, three of the seven critical organizations have not fully
developed lists of staff capable of performing critical functions. For
example, at one organization each critical department listed essential
staff only at a managerial level (e.g., vice president of a
department, and one backup) and did not identify staff that perform the
department's functions on a day-to-day basis. The other two
organizations created lists of essential staff by department, but the
lists were completed only during the recent H1N1 outbreak rather than
in advance. None of these three organizations listed primary, backup,
or other staff for the critical functions. Officials at one of these
organizations told us they have staff at several geographic locations
and that business continuity tests for one of their critical
departments demonstrated they can operate their organization's critical
information systems. As a result, they said that the geographic
distance among locations and testing efforts provided them with a group
of cross-trained staff that would be sufficient to continue operations
even if 40 percent were absent. While this provides some assurance that
this organization may be able to withstand a pandemic, as one
organization learned, undergoing more extensive analysis and
documentation allows organizations to identify gaps in staffing levels
that would be unique to a pandemic, when large numbers of staff could
be unavailable for prolonged periods. In addition, such analyses
identify all critical tasks and those staff capable of performing
them--primary, backup, and additional cross-trained staff--providing these
organizations with greater assurance that adequate numbers of staff
exist for each task within its critical departments. Until these
organizations fully document their staffing analyses to ensure they
have sufficient depth of staff capable of performing critical
functions, some aspects of these organizations' operations may be
affected during a pandemic.
Alternative Strategies to Teleworking Should Be Considered:
In addition to better analyzing and documenting their staffing plans,
some of the organizations that intend to use teleworking as part of
their strategy for continuing operations during a pandemic need to
address limitations in their teleworking plans. As noted previously,
the critical market organizations included in our review generally rely
on proprietary communications networks that will not likely be affected
by any pandemic-related congestion. However, five of the seven critical
organizations plan to have some of their critical staff telework during
a pandemic, and the readiness of these organizations to successfully
have employees telework varies. Based on our reviews, only one of the
five organizations fully developed suitable alternatives to teleworking
in case of Internet congestion. This organization identified hotels
with increased broadband Internet access capability in the employees'
residential neighborhoods that staff could report to in order to
improve their ability to telework. Another of the five organizations
developed a plan for some of the critical staff that would be
teleworking to come into one of its facilities that is currently
prepared as a backup site. This facility is currently ready for
operations and has ample space to provide adequate social distance for
employees that find they cannot successfully telework due to
congestion. However, the organization has not made adequate
preparations for some critical staff in another geographic area to
telework during a pandemic. If these employees are not able to
telework, the organization plans to have them report to its office
there and work in an unused part of the facility. But it has not
outfitted this area with additional workstations that would allow its
staff to work there effectively.
Furthermore, three of the critical organizations whose plans include
possibly having some of their critical employees telework have not
fully developed plans for alternatives to teleworking should congestion
arise. Our review of their plans shows that the three organizations have
not designated the necessary positions or employees who would telework.
Determining the total number of teleworkers in advance of an outbreak
would allow the organizations to confirm that their network systems can
fully support that number, which would likely be higher than it might
be in the course of a normal work day, and that these employees have
full access to all the applications or systems they need in order to
perform their critical duties effectively from home. These
organizations have also not developed and assessed the feasibility of
alternatives to teleworking in their plans. For example, one of these
organizations told us that, if congestion occurs, they would bring
staff back into their facilities and have them conduct their work
wirelessly. However, they have not documented this in their planning or
tested the feasibility of this approach for all potential critical
activities. The other two organizations have not determined in their
plans what steps they would take to respond to congestion problems
experienced by their teleworking employees. Until all the critical
organizations develop additional measures to ensure they have viable
alternative strategies if teleworking proves difficult, they might be
at greater risk of having some aspects of their operations disrupted
during a pandemic.
Critical Organizations Reviewed Have Tested Plans and Ensured Ongoing
Review to Varying Extents:
Our analysis shows that while all seven of the critical organizations
we reviewed participated in an industry-wide pandemic scenario test,
some have not conducted similar tests internally. All of the
organizations reported that they participated in a 3-week industry-wide
pandemic exercise, sponsored jointly by FBIIC, FSSCC, Treasury, and the
Securities Industry and Financial Markets Association, which began in
September 2007.[Footnote 39] The exercise simulated a pandemic
occurring in three waves and reaching an absenteeism rate as high as 49
percent.[Footnote 40] As previously mentioned, each scenario update
included an absenteeism distribution specified by first letters of
employees' last names, as a way to approximate the scenario's target
absenteeism rate. The scenario updates were provided to participants 1
week in advance so that each organization had adequate time to review
its human resources records, identify the absent individuals, and
determine the distribution of the absent employees among their various
departments and units as appropriate. This method provided a probable
picture of the range of absent employees, which could be from the
lowest levels to the top of an organization. Organizations that did not
want to carry out such a review of their records were allowed to simply
use the provided absenteeism rate (25 percent, 49 percent, and 35
percent) for each scenario update.
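The letter-based drill described above, together with the earlier
staffing-depth discussion, as an added example that is not part of the
report or any participant's tooling. The roster, department names,
function labels, required head counts, and the reading of "two capable
staff" as two per required seat are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Staff:
    last_name: str
    department: str
    functions: frozenset  # critical functions this person is trained to perform


def _s(name, dept, *functions):
    return Staff(name, dept, frozenset(functions))


# Constructed roster: every name, department and function label is illustrative.
ROSTER = [
    _s("Adams", "Clearing", "settlement", "margin_calls"),
    _s("Baker", "Clearing", "settlement"),
    _s("Brown", "Clearing", "settlement", "margin_calls"),
    _s("Young", "Clearing", "settlement"),
    _s("Chen", "Technology", "network_ops"),
    _s("Diaz", "Technology", "network_ops"),
    _s("Evans", "Technology", "network_ops"),
    _s("Ford", "Technology", "network_ops"),
    _s("Garcia", "Operations", "customer_support"),
    _s("Martin", "Operations", "customer_support"),
    _s("Nguyen", "Operations", "customer_support"),
    _s("Patel", "Operations", "margin_calls"),
]

# Staff who must be on duty for each critical function (constructed values).
REQUIRED = {"settlement": 2, "margin_calls": 1,
            "network_ops": 2, "customer_support": 2}


def is_absent(person, letters):
    """A person is out when the scenario lists the first letter of their last name."""
    return person.last_name[:1].upper() in {l.upper() for l in letters}


def absentee_rates(roster, letters):
    """Return (overall_rate, {department: rate}) for one scenario update."""
    total = Counter(p.department for p in roster)
    out = Counter(p.department for p in roster if is_absent(p, letters))
    by_dept = {d: out[d] / total[d] for d in total}
    return sum(out.values()) / len(roster), by_dept


def coverage(roster, letters, required):
    """Return {function: (available, needed)}, counting trained staff still present."""
    present = [p for p in roster if not is_absent(p, letters)]
    return {f: (sum(f in p.functions for p in present), need)
            for f, need in required.items()}


def coverage_gaps(roster, letters, required):
    """Critical functions that cannot be fully staffed under this scenario."""
    return sorted(f for f, (have, need) in coverage(roster, letters, required).items()
                  if have < need)


def thin_bench(roster, required, depth=2):
    """Functions with fewer than `depth` trained staff per required seat.

    depth=2 encodes "one can be absent while the other continues working";
    applying it per seat is an assumption of this example.
    """
    trained = Counter(f for p in roster for f in p.functions)
    return sorted(f for f, need in required.items() if trained[f] < depth * need)


if __name__ == "__main__":
    scenario = {"A", "B", "C", "M"}  # constructed scenario update
    overall, by_dept = absentee_rates(ROSTER, scenario)
    print(f"overall absenteeism: {overall:.0%}")
    for dept, rate in sorted(by_dept.items()):
        print(f"  {dept:<12}{rate:.0%}")
    print("unstaffable under scenario:", coverage_gaps(ROSTER, scenario, REQUIRED))
    print("thin bench (depth 2):", thin_bench(ROSTER, REQUIRED))
```

On this roster the static depth check passes the settlement function, yet
the drill leaves it one person short because absences cluster in a single
department, the same kind of gap the exercise exposed.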
Officials from the critical organizations indicated that the exercise
was useful in planning for a possible pandemic. As noted previously,
one organization participating in this exercise experienced as much as
78 percent absenteeism in some of its departments--higher than the
expected 49 percent projection--and has taken steps to identify
additional staff capable of performing its critical functions.
Officials from another organization said the exercise highlighted
variation in human resource policies--for example, in the distribution
of antiviral medication and the use of hazard pay across regional
offices. As a result, the organization convened relevant staff to
discuss consistent policy issues and infrastructure resiliency across
regions. In addition to the industry-wide effort, three of the
organizations have conducted or plan to conduct additional internal
pandemic tests to ensure readiness. One of the organizations has
conducted pandemic exercises for managers and staff at each facility,
using a set of questionnaires corresponding to various scenarios.
Another organization told us that it planned to conduct a full-day
pandemic response test at all of its facilities in 2009. However, four
of the organizations have not run internal pandemic scenario tests. As
discussed earlier, the results from the industry-wide test demonstrated
the need for the critical organizations to assess their staffing,
backup, and cross-training levels to ensure they are sufficient to meet
the organization's needs during a pandemic. Internal pandemic scenario
tests would give organizations just such an opportunity.
In addition to pandemic scenario testing, all seven organizations have
tested their abilities to run critical applications and functions at
their alternate backup facilities as part of their business continuity
testing. These efforts will provide further assurance that these sites
will be viable for use during a pandemic. Some of the organizations
rotate operations between the primary and the backup facility on a
regular basis, while others operate certain processes simultaneously at
the primary and the secondary facilities. For example, one of the
organizations conducts six remote-site recovery tests per year,
simulating failure of applications. Meanwhile, another organization has
begun recovery testing by alternating its full production cycle between
the two key facilities. Further, all but one of the five firms that
intend to employ teleworking as part of their pandemic plan have
assessed their work-from-home capabilities--an essential part of
planning for extensive teleworking to ensure that the organizations'
telecommunications systems can support the large amounts of traffic
that would be generated. One organization in particular tested
work-from-home infrastructure to ensure continuity of daily production as
early as mid-2007 and continues to test connectivity as its
telecommunications infrastructure is upgraded. Another organization
told us it conducted several work-from-home tests in 2008, including
a server stress test and tests featuring full-volume transaction levels.
This kind of testing is critical to pandemic planning, especially for
those organizations that intend to have some of their critical staff
work from home.
Our analysis also indicates that six of the seven organizations
have procedures in place to ensure their pandemic plans are being
reviewed and updated. Because pandemic plans should be sufficiently
flexible to effectively address a wide range of possible effects that
could result from a pandemic, ongoing review and updates will ensure a
plan has up-to-date policies, standards, and procedures. Officials from
the six organizations told us that the pandemic plans are reviewed on a
regular basis, either at the business-department level or in some cases
by the audit committee or the Board of Directors. For example, at one
organization the audit committee reviews the pandemic plan and reports
its assessment and findings to the Board of Directors on an annual
basis. At another organization, the departmental plan is prepared by
the department manager and is approved by the director. However, at one
organization executives have seen the pandemic plan, but it has not
been formally approved. This organization told us it recently
instituted a pandemic flu committee that will formally review and
approve the pandemic plan. Regular review and approval by senior
management helps to ensure that adequate resources are dedicated to
implementing the plan. Furthermore, with the changes occurring across
financial organizations due to the recent market turmoil, regular
review helps an organization confirm that its plan is still aligned
effectively to its organizational structure.
SEC Has Taken Significant Steps to Assess Securities Market
Organizations' Pandemic Preparedness, but Could Do More:
As the regulator that oversees stock and options exchanges, clearing
organizations, and broker-dealers, SEC has taken various actions to
ensure that market organizations are preparing for a pandemic,
including issuing guidance and conducting examinations of market
participants' preparations, but could take additional steps to better
oversee firms' readiness.[Footnote 41] To ensure the readiness of the
participants in the securities markets, SEC has issued various
communications that provided guidance outlining its expectations for
these entities' pandemic preparation efforts. For example, in April
2006, SEC sent a letter to securities exchanges and clearing
organizations advising them to plan for a pandemic and make
preparations intended to keep the markets operating. SEC's letter noted
that the organizations' existing business continuity programs were
usually designed to address a discrete event and therefore could prove
inadequate to address the potentially long-lasting impact of a
pandemic. SEC staff also spoke at conferences, meetings with market
participants, and other forums, such as those sponsored by industry
trade associations, to share information about pandemic issues.
Although securities regulators had taken various actions to help the
financial markets prepare, our 2007 report indicated that additional
actions could further improve the financial market's readiness to
withstand an influenza pandemic.[Footnote 42] In response to our
recommendation, SEC provided more specific guidance between July and
October 2007 to the securities exchanges, clearing organizations, and
broker-dealers indicating that these organizations' pandemic plans
should include various key elements, such as procedures for continuing
operations during even severe pandemics, and that the plans should be
in place by the end of 2007.
To ensure that securities market organizations are taking adequate
steps to be ready for a pandemic, SEC has been conducting examinations
of various market participants' preparations that cover, among other
things, pandemic preparedness plans. To assess the extent to which
securities exchanges, electronic markets, and clearing organizations
are adequately managing risks to their operations, staff from SEC's
Division of Trading and Markets regularly conduct examinations through
its Automation Review Program (ARP).[Footnote 43] Since beginning this
program in the late 1980s, SEC has issued guidance and conducted
examinations that address operations risk issues at these
organizations, including reviewing physical and information security
and business continuity planning. As of September 2009, 22 securities
exchanges, electronic markets, and clearing organizations were subject
to ARP's guidance and examinations, including five of the organizations
whose operations we consider critical to the securities
markets.[Footnote 44]
As part of the ARP examinations, SEC staff have been addressing these
organizations' pandemic preparedness during their reviews of business
continuity issues. During these examinations, SEC staff were using an
examination module, adapted from the Federal Reserve, to assess whether
these organizations have developed plans that adequately address the
five key elements of a pandemic plan, including whether the
organizations identified their critical staff, had procedures for
reducing the likelihood of their staff becoming ill, and tested their
plans. From January 2007 to June 2009, SEC's Division of Trading and
Markets staff had conducted nine examinations addressing business
continuity planning and pandemic preparedness at the critical
organizations included in our review. Although examiners generally
found in the 2007 examinations that organizations were in various
stages of pandemic preparations, and in some cases had not addressed
all the required elements of a pandemic plan, our review of the
examination reports that SEC conducted in 2008 and 2009 indicates that
these organizations improved their plans to better address the key
elements of pandemic preparedness. However, after examining one of the
organizations in October 2008, SEC staff made various recommendations
to direct this organization to improve its pandemic planning. For
example, SEC recommended that the organization's plan better address
the impact of staff reductions on its operations and that it test its
pandemic procedures.
SEC Examinations of Organizations' Staffing Analyses Could Go Farther:
Although SEC has conducted inspections to ensure that critical
organizations are preparing plans that address all the key pandemic
areas, SEC's examination reports did not always cite as deficiencies
the limited analysis or documentation of these organizations' staffing
levels. The pandemic assessment questions used by SEC staff addressed
issues related to staff dependencies, including whether the
organizations identified their key functions and staff for these
functions and conducted cross-training of staff to ensure that
sufficient staff would be available during a pandemic. However, as
noted earlier, our reviews of the critical market organizations
indicate that three of the five critical securities market
organizations have not adequately documented the number of staff who
could perform critical functions if many of the staff that currently
perform those functions are unavailable during a pandemic. Our reviews
of SEC's examination reports show that SEC staff identified weaknesses
in the staffing analysis at one of these critical organizations but not
at the other two. SEC staff acknowledged that ensuring adequate numbers
of critical staff is important. But they said they had not expected the
organizations to document the adequacy of their staffing for all their
positions because staff in critical departments were likely to be
interchangeable and thus could fill in for each other. Moreover, in
their opinion, specific staffing lists could quickly become out of date
given the higher rate of staff turnover at these organizations during
this current financial crisis.
Although we agree that the critical organizations may have staff
throughout their organizations that could step in for ill employees
during a pandemic, until such staffing depth is better assessed and
documented, these organizations cannot be fully assured of their
ability to operate during such an event. As we noted previously, even
organizations that created listings of the staff capable of performing
critical functions found during testing that what they thought was
sufficient depth in staffing was actually inadequate in some
departments. In addition, this current period of increased staff
turnover among financial organizations likely further increases the
risk that an organization could have thinner staffing for some key
positions that might not be identified until a pandemic is occurring.
As a result, until SEC staff take steps to ensure that these
organizations better document the adequacy of the depth of their
critical function staffing, some aspects of these organizations'
operations could be disrupted during a severe pandemic.
SEC Examinations of Teleworking Could Address Alternatives:
Although SEC's ARP staff's reviews address the extent to which the
critical organizations plan to have employees telework during a
pandemic, their examinations thus far have not included checking for
viable alternate strategies if Internet congestion occurs. SEC staff
told us that as part of their pandemic examinations at securities
market organizations, they were reviewing various teleworking issues by
addressing the relevant questions in their examination module regarding
whether the organizations had remote access arrangements and whether
the organizations had assessed the capacities of their communications
links. The SEC module also asks whether an organization analyzed the
locations of its staff's homes to see if there were large numbers of
staff that may be trying to connect from a single area and thus be more
vulnerable if congestion or disruption occurs in that area. However,
neither the SEC staff's examination module nor the examination reports
we reviewed address whether these organizations developed formal plans
for what to do with their teleworking staff if congestion prevents that
strategy from being viable. As noted earlier, our reviews of the
critical organizations indicate that not all have developed adequate
alternative strategies in the event that staff are unable to telework
effectively. Until SEC staff take steps to ensure that all
organizations develop such strategies, the risk exists that a pandemic
could disrupt some areas of these organizations' operations.
SEC Has Also Taken Steps to Assess the Pandemic Preparedness of Some
Broker-Dealers:
In addition to taking steps to assess the readiness of securities
exchanges, electronic markets, and clearing organizations to continue
operating during a pandemic, SEC staff have been reviewing the
preparations of large broker-dealers whose activities are important to
overall market functioning. In the aftermath of the September 11, 2001
terrorist attacks, SEC and the banking regulators made coordinated
efforts to ensure the resiliency of the U.S. securities markets with
respect to clearance and settlement activities. As the attacks showed,
the inability of individual securities market participants to promptly
clear and settle transactions can pose significant financial risks to
other participants. In response, SEC, the Federal Reserve, and the
Office of the Comptroller of the Currency jointly issued the
Interagency Paper on Sound Practices to Strengthen the Resilience of
the U.S. Financial System (Sound Practices) in April 2003.[Footnote 45]
The Sound Practices paper establishes business continuity expectations
for the clearance and settlement activities of organizations that
support critical financial markets. These organizations include the
core clearing and settlement entities that process securities
transactions (core organizations) and firms that play a significant
role in critical financial markets (significant firms)--generally
defined as those firms whose participation in the markets results in
their consistently clearing or settling at least 5 percent of the value
of the transactions in any of the product markets specified in the
paper.[Footnote 46] Since issuing the paper, these regulators have been
conducting examinations of the clearing organizations, significant
broker-dealers, and clearing banks that are subject to these practices
to ensure they have in place business continuity arrangements
sufficient to meet various recovery goals for their clearance and
settlement activities.[Footnote 47]
All of the recent examinations that SEC staff conducted under the Sound
Practices effort also addressed the pandemic preparations for the
significant number of broker-dealers whose roles in critical
financial market activities were deemed significant for selected
securities and other product markets. In early 2008, staff in SEC's
Office of Compliance Inspections and Examinations, which is responsible
for conducting examinations of broker-dealers, mutual funds, and
investment advisers, conducted reviews of the then-largest existing
broker-dealers. Because of these entities' high trading volumes in
various securities or other products, the markets could be
significantly affected if they were unable to clear and settle their
transactions. As part of these reviews, SEC staff obtained
documentation on how these broker-dealers were addressing the key
elements of pandemic planning. Based on these assessments, SEC staff
found that the largest broker-dealers appeared to be implementing
pandemic plans that generally addressed the key elements.[Footnote 48]
However, as part of conducting some operations risk examinations of a
broader group of broker-dealers during 2008, SEC staff also examined
the extent to which four midsized firms that cleared trades for other
broker-dealers had begun preparations for a pandemic. During these
reviews, SEC staff found that, unlike the larger firms, three of these
four clearing broker-dealers had no formal pandemic plans in place.
FINRA Has Also Taken Steps to Assess Broker-Dealer Readiness for a
Pandemic:
In addition to the broker-dealers overseen by SEC, we also reviewed
FINRA, the self-regulatory organization that oversees most
broker-dealers in the United States. FINRA oversees broker-dealers, including
"introducing" firms that accept customer orders and "clearing firms"
that process introducing firms' orders. Prior to H1N1 and our
inquiries, FINRA had not fully assessed the pandemic readiness of
broker-dealers, including clearing firms. However, since then, FINRA
administered a voluntary survey of significant firms, in which a
majority of the firms reported they are engaged in some level of
pandemic planning. The results of the survey will be used to identify
areas for improvement moving forward, including a new examination
module that addresses pandemic readiness. For further information on
FINRA's activities, see appendix II.
Conclusions:
The increased demand on the Internet resulting from the number of
students, workers, and other family members at home during the day
during a severe pandemic is expected to create congestion by exceeding
the current capacity of Internet providers' network infrastructure in
residential neighborhoods. Telecommunications providers will have
limited options to expand network infrastructure during an outbreak,
and possible network management techniques would likely require
government action in order for providers to avoid violating existing
customer service agreements. DHS is the federal agency responsible for
working with the private sector to ensure that the critical
communications sector, which includes the networks that comprise the
Internet, is protected from attacks and other disasters. Although DHS
has taken some actions relating to a pandemic and possible Internet
congestion, it has not taken the necessary steps to develop a strategy
for addressing such congestion.
In addition, developing an effective Internet congestion response plan
will likely require coordination with various other federal agencies,
including the Department of Education, HHS, and FCC. As the experience
of Hurricane Katrina showed, working in advance of a crisis to
understand the proper roles and responsibilities of various federal and
other entities is important for ensuring an effective response, but DHS
has not taken extensive actions to coordinate with other relevant
federal and private sector entities about actions that could
potentially reduce Internet congestion and how best to respond. In
addition, an important step for ensuring the federal government is
prepared to address pandemic-related Internet congestion will be
identifying whether any federal entity currently has the needed
authority to take any actions determined to be necessary. However,
whether DHS, FCC, or others have sufficient existing authorities to
direct private sector Internet providers to take the actions necessary
to relieve congestion is not clear. Similarly, although its own study
showed that obtaining public cooperation in reducing nonessential use
of the Internet could greatly resolve the potential pandemic-related
congestion, DHS has not taken steps to assess the effectiveness and
feasibility of mounting such a campaign to begin developing one. Until
DHS develops an effective response strategy, coordinates with federal
and other partners on actions to take, determines whether sufficient
authorities to act exist or are sought, and evaluates the need for a
public campaign, employees in critical sectors of the nation's economy,
including those in financial services, might not be able to effectively
telework or otherwise communicate or transmit data over the Internet
during a pandemic.
Seven critical securities market organizations that we reviewed have
taken significant steps to better ensure they would be able to continue
operating during a pandemic, including by developing plans that address
the key elements of pandemic planning. However, some of these
organizations could better document the adequacy of their staffing
levels and ensure they have prepared viable alternatives in the event
that their teleworkers experience Internet congestion. SEC has taken
various steps, including issuing guidance and conducting examinations,
to ensure that financial market organizations, including those critical
to the overall functioning of the markets, are prepared to continue
operating during a pandemic. However, taking additional steps during
their examinations to ensure that these organizations have fully
documented the adequacy of their staffing analyses, developed formal
alternatives to teleworking, and tested these would provide greater
assurance that the financial markets' full range of operations will not
be disrupted by a pandemic.
Recommendations for Executive Action:
To better ensure that securities market participants as well as
organizations in other critical sectors of the economy will continue to
have access to the Internet during a pandemic, we recommend that the
Secretary of Homeland Security take the following four actions:
* develop a strategy outlining actions that could be taken to address
potential Internet congestion,
* coordinate with other relevant federal and private sector entities
about actions that could potentially reduce Internet congestion,
* work with other federal partners to determine if sufficient authority
exists for one or more relevant agencies to take any contemplated
actions to address Internet congestion, and
* assess the effectiveness and feasibility, and undertake if warranted,
a public education campaign to reduce such congestion.
To better ensure that important securities market participants are
making adequate preparations for a pandemic, we recommend that the
Chairman, SEC, ensure that SEC staff take steps to ensure that critical
financial market organizations are fully documenting the adequacy of
their staffing levels to withstand high absenteeism and have formally
developed alternative strategies in the event that congestion limits
teleworking effectiveness.
Agency Comments and Our Evaluation:
We provided a draft of this report to the Secretary of Homeland
Security, the Secretary of Health and Human Services, the Secretary of
the Treasury, the Chairman of the Board of Governors of the Federal
Reserve System, the Chairman of the Financial Industry Regulatory
Authority, the Comptroller of the Currency, the Chairman of the
Securities and Exchange Commission, and the Chairman of the Federal
Communications Commission for their review and comment. In her letter,
SEC's Chairman noted that she shares our concern that Internet
congestion could impair certain aspects of the securities markets
during a pandemic (see app. IV). She noted that she also agrees that
critical market organizations can take steps to improve their existing
pandemic plans. Accordingly, the Chairman indicated that SEC will issue
letters to these organizations recommending that they further document
their staff cross-training arrangements and their plans to maintain
operations if Internet congestion impairs their ability to rely on
telework for support functions. Further, SEC staff will review
compliance with this recommendation in future examinations of these
organizations. The Chairman also noted that SEC is prepared to assist
other agencies to help address the problem of potential Internet
congestion.
In a written response to a draft of this report, the Director of DHS's
Departmental GAO/OIG Liaison Office concurs in part with our
recommendations that DHS should, among other things, develop a strategy
outlining actions that could be taken to address potential Internet
congestion. The Director's letter states that the agency agrees to take
these steps to mitigate the impact of any pandemic-related congestion
on the systems that the federal government uses to communicate critical
national security/emergency preparedness (NS/EP) information, but that
addressing Internet congestion for other communications, as a general
matter, does not fall within DHS's responsibilities, and that DHS does
not have the responsibility for developing an Internet congestion
strategy separate and apart from assuring NS/EP communications. While
we agree that DHS should ensure that NS/EP communications are
maintained, DHS has been broadly tasked with leading efforts to prevent
disruptions to the nation's overall telecommunications infrastructure
and is the agency best positioned to do so. As discussed in this
report, federal policies and plans assign DHS lead responsibility for
facilitating a public/private response to and recovery from major
Internet disruptions. DHS was designated under HSPD-7 as the lead
agency for coordinating the protection of the communications sector--a
role it plays for several of the other sectors that have been
identified as the nation's critical infrastructures and key resources.
As lead agency for this sector, DHS is to conduct vulnerability
assessments and encourage risk management strategies to protect and
mitigate against attacks. HSPD-7 also notes that agencies are
responsible for working with their sectors to reduce the consequences
of catastrophic failures not caused by terrorism. Similarly, the 2009
National Infrastructure Protection Plan notes that risk in the 21st
century results from a complex mix of man-made and naturally occurring
threats and hazards, including terrorist attacks, accidents, natural
disasters, and other emergencies. Under this plan's risk analysis and
management framework, sector-specific agencies are to combine
consequence, vulnerability, and threat information to produce
assessments of risks to a sector and enhance protection by setting
goals and objectives, establishing priorities for mitigating risks, and
implementing protective programs and resiliency strategies. Based on
the study that DHS itself led, congestion resulting from a pandemic
appears to be one of the threats for which DHS is tasked with ensuring
an adequate governmental response. Furthermore, The National
Strategy to Secure Cyberspace notes that the Internet is at
the core of the information infrastructure upon which we depend,
connecting millions of other computer networks and making most of the
nation's essential services and infrastructures work. According to this
strategy, DHS has important responsibilities to develop plans to secure
these key resources and infrastructures and provide assistance to the
private sector and other government entities with respect to recovery
plans for failures in critical information systems. DHS has already
been working to address threats to the Internet, for example, by
establishing an Internet Disruption Working Group to work with the
private sector to establish priorities and develop action plans to
prevent major disruptions of the Internet and to identify recovery
measures in the event of a major disruption. DHS also has an ongoing
relationship with the communications sector coordinating council, which
consists of various private sector telecommunications providers, that
could assist in assessing and developing solutions to this issue. As a
result of these responsibilities and its existing capabilities, we
believe that DHS is the appropriate agency to take the lead in
developing a strategy to address potential pandemic-related Internet
congestion and to coordinate with other relevant federal and private
sector entities about actions that could reduce such congestion.
DHS also commented that congestion that affects the Internet outside of
NS/EP communications falls within the operational and administrative
interests of other federal agencies. While we agree that other
agencies, such as FCC, should play a role in addressing the potential
negative impact on our nation's commerce and economy from
pandemic-related Internet congestion, under the existing governmental policies,
DHS is the agency that is specifically tasked with addressing threats
that have the potential to disrupt the critical communications sector.
Furthermore, this report notes the uncertainty that exists over whether
FCC has the authority to act to address Internet-related congestion
problems. The uncertainty of roles and authorities regarding this issue
is the reason we recommended that DHS work with other federal partners
to determine if sufficient authority exists for one or more relevant
agencies to take any actions necessary to address Internet congestion
that may occur during and because of a severe pandemic crisis. While
other agencies could play critical roles in addressing this issue, we
believe that DHS, as the communications sector lead agency, should
provide this leadership and coordinate a response. The Director's
letter also includes some additional technical comments that we address
as appropriate in appendix V.
We also received technical comments from FCC and HHS, which are
incorporated as appropriate in the report.
We are sending copies of this report to the Secretary of Homeland
Security, the Chairman of the Securities and Exchange Commission, and
other interested parties. The report will be available at no charge on
the GAO Web site at http://www.gao.gov.
If you or your staff have any questions regarding this report, please
contact Mathew Scire at (202) 512-8678 or sciremj@gao.gov; David Powner
at (202) 512-9286 or pownerd@gao.gov; or Nabajyoti Barkakati at (202)
512-4499 or barkakatin@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. Key contributors to this report are listed in
appendix IV.
Signed by:
Mathew J. Scire Director, Financial Markets and Community Investment:
Signed by:
David A. Powner Director, Information Technology Management Issues:
Signed by:
Nabajyoti Barkakati, Chief Technologist Director, Center for Technology
and Engineering:
List of Requesters:
The Honorable Henry Waxman:
Chairman:
The Honorable John D. Dingell:
Chair Emeritus:
The Honorable Joe Barton:
Ranking Member:
Committee on Energy and Commerce:
House of Representatives:
The Honorable Barney Frank:
Chairman:
Committee on Financial Services:
House of Representatives:
The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:
The Honorable Rick Boucher:
Chairman:
The Honorable Cliff Stearns:
Ranking Member:
Subcommittee on Communications, Technology, and the Internet:
Committee on Energy and Commerce:
House of Representatives:
The Honorable Edward J. Markey:
House of Representatives:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to determine (1) the potential impact of a severe
pandemic on the Internet and the actions telecommunications providers
and government agencies are taking to address possible congestion, (2)
the adequacy of the actions that securities market organizations are
taking to prepare pandemic plans, and (3) steps that securities and
other regulators are taking to assess the readiness of securities
market organizations to continue operating during a pandemic.
To describe the potential impact of a pandemic on the Internet and the
actions that communications providers and relevant government agencies
are taking to address possible congestion, we interviewed staff from
two communications providers and two cable providers that are among the
largest providers of Internet access service in the United States, as
well as two industry associations representing such providers. In
addition, we interviewed relevant officials at the Department of
Homeland Security (DHS), Federal Communications Commission (FCC), and
the Department of the Treasury to discuss their efforts and authorities
to address potential Internet congestion. We also interviewed
representatives from telecommunications and Internet providers that are
members of the U.S. Communications Sector Coordinating Council that
provides input to DHS regarding critical infrastructure protection
issues. We also interviewed staff at the Department of Health and Human
Services (HHS)--including staff from the Centers for Disease Control
and Prevention--to learn about their efforts to educate the public
about pandemic strategies. To assess the potential Internet congestion
that could occur during a pandemic, we conducted a literature search
and reviewed relevant studies and reports. Specifically, we reviewed a
study conducted by DHS in cooperation with various government,
communication sector, and financial sector representatives.[Footnote 49]
The study evaluated the technical feasibility of the pandemic
strategy advocated by the government and identified action plans to
better prepare the nation for telecommuting during a pandemic
influenza. Our review of the study included an evaluation of the
study's methodology, and interviews with the DHS staff who oversaw the
research on this study, including the Director and Chief of Staff of
the Office of Cyber Security and Communications. To confirm the
accuracy of the study's findings, we interviewed communication sector
representatives who participated in the study. We also reviewed after
action reports from two pandemic exercises--one sponsored by the
Financial Services Sector Coordinating Council, Financial and Banking
Information Infrastructure Committee, and the Securities Industry and
Financial Markets Association, and another conducted by the United
Kingdom financial sector to test the financial sectors' resilience to
pandemic influenza.
To assess the actions that critical securities market organizations and
key market participants are taking to prepare pandemic plans, we
reviewed the actions of seven organizations--including exchanges,
clearing organizations, and payment processors--whose ability to
operate is critical to the overall functioning of the financial
markets. To maintain the security and the confidentiality of their
proprietary information, we agreed with these organizations that our
report would not discuss their efforts to address pandemic readiness
and ensure business continuity in a way that could identify them. To
assess how these organizations ensure they can continue operations in
the face of a pandemic outbreak, we discussed their business continuity
and pandemic preparedness plans with their staff and visited their
facilities. We reviewed and analyzed their pandemic plans and
supporting business continuity documents and compared the plans to the
key elements that banking and securities regulators have issued as
guidance to financial organizations regarding pandemic planning. In
evaluating these organizations' pandemic readiness, we attempted to
determine whether these organizations' pandemic plans adequately
address the five elements required by the regulators, including: (1) a
process for monitoring the pandemic's progress and a plan that
escalates response steps as various pandemic phases are reached; (2) a
preventive program to minimize, to the extent possible, illness among
employees, including social distancing of employees by curtailing
meetings; (3) a documented strategy of facilities or procedures
designed to allow the organization to continue its critical operations
in the event that large numbers of its staff are unavailable for
prolonged periods, including an analysis of staffing levels needed for
critical functions and, as applicable, an alternative to teleworking;
(4) a testing program to ensure that the practices and capabilities
will be effective and allow it to continue its critical operations; and
(5) an oversight program to ensure ongoing review and updates to the
pandemic plan.
To assess financial regulators' efforts to assess the readiness of
securities market organizations to continue operating during a
pandemic, we reviewed relevant regulations and guidance and interviewed
officials at the Securities and Exchange Commission (SEC), the Board of
Governors of the Federal Reserve System (Federal Reserve), and the New
York Federal Reserve Bank, the Office of Comptroller of the Currency,
and the Financial Industry Regulatory Authority (FINRA). We also
collected and reviewed data and reports from SEC, FINRA, and the
Federal Reserve on the examinations they conducted of exchanges,
clearing organizations, and broker-dealers. Furthermore, we reviewed a
random sample of exams conducted by FINRA of business continuity
practices at clearing firms that provide order routing and post-trade
clearance and settlement processing for other broker-dealers
(introducing firms) from 2006 through 2008. We randomly selected 9
firms of varying sizes from a total population of 56. To assess whether
the level of preparations varied by firm size, we reviewed examinations
for 3 large firms (that provided clearing for 100 or more other broker-
dealer firms), 3 medium-sized firms (those that cleared for between 20
and 99 firms), and 3 small firms (those clearing for 19 or fewer
firms). We also interviewed officials at one of the larger clearing
firms.
We conducted this performance audit from June 2008 to October 2009 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
[End of section]
Appendix II: FINRA Efforts to Oversee Pandemic Readiness of Broker-
Dealers:
Although the Financial Industry Regulatory Authority (FINRA)--the self-
regulatory organization that oversees most broker-dealers in the United
States--undertook some actions to improve broker-dealers' awareness of
the potential impact of a pandemic, it has only recently begun to take
steps to more fully ensure such firms are making adequate preparations.
In addition to oversight by the Securities and Exchange Commission
(SEC), FINRA oversees broker-dealers conducting business domestically
in the United States. The broker-dealers that FINRA oversees include,
but are not limited to, two different types:
* Introducing broker-dealer firms whose staff open customer accounts and
accept orders to buy and sell securities, but whose firms are not
usually members of the exchanges or clearing organizations.
* Clearing firms that maintain accounts at the central securities
clearing organization and process trades on behalf of their own
customers as well as those for the customers of the introducing brokers
that use them for trade execution or clearing processing. Clearing
firms also maintain the cash and securities holdings for their
introducing firms' customers.
According to data from FINRA, as of June 2009, 56 firms that clear for
other broker-dealers (clearing firms) were operating in the U.S.
markets, with some clearing for hundreds of firms but many clearing for
fewer than 20 firms.[Footnote 50]
Although most broker-dealers are not required to recommence operations
after disasters, FINRA expects its member firms to have business
continuity plans that, among other things, assess how pandemic risks
could affect the firm. Unlike the core exchanges and clearing
organizations and critical broker-dealers covered by the Interagency
Paper on Sound Practices to Strengthen the Resilience of the U.S.
Financial System, which SEC requires to be able to resume operations on
the same business day on which a wide-scale disruption occurs, broker-
dealers have the option of recommencing their operations or shutting
down if they are unable to continue.[Footnote 51] Since 2004, FINRA has
had rules that require broker-dealers to have a business continuity
plan in place that describes how the firm will: maintain appropriate
backup and recovery functions for critical data; provide alternate
communications between the member and the employees; and maintain all
mission critical systems, such as those that process taking orders, and
clearing and settling securities trades.[Footnote 52] As a result, at a
minimum the FINRA business continuity rule requires all of its member
broker-dealers to have adequate plans for ensuring customers have
prompt access to their funds and securities in the event that the
broker-dealer discontinues business operations.[Footnote 53] Although
FINRA's business continuity rules were issued before a pandemic was
widely recognized as a potential threat to the financial markets, the
organization issued guidance in 2006 that encourages broker-dealers to
ensure that they assess whether or not their business continuity plans
would be suitable for prolonged, widespread public health emergencies,
such as a pandemic outbreak.[Footnote 54] Also in 2006, FINRA requested
comment on potential regulatory relief granted in response to a
pandemic.[Footnote 55] FINRA officials told us they have also
emphasized the importance of addressing pandemic as part of business
continuity planning to the broker-dealer staff that attend industry
conferences and workshops.
However, prior to June 2009, FINRA had not begun to actively assess the
readiness of broker-dealers, including clearing firms. FINRA examines
firms on a rotational basis--depending on the risk level and complexity
of firms' operations--every 1, 2, or 4 years for compliance with a
broad range of regulatory issues, including business continuity
planning. According to data submitted to us by FINRA, across the 56
firms that clear for other broker-dealers, their staff conducted 40
examinations for compliance with the business continuity rules in 2006,
39 in 2007, 46 in 2008, with 33 completed or scheduled for 2009. When
FINRA conducts the business continuity examinations, the inspectors use
1 or more of 13 business continuity planning examination modules to
guide the inspection. However, the initial set of business continuity
examination modules that FINRA staff have been using in their
examinations to assess firms' compliance with the business continuity
rule did not include questions related to pandemic preparedness.
In addition, our own review of FINRA-conducted inspections found that
FINRA officials have not been addressing pandemic issues to a great
extent in business continuity examinations conducted through June 2009.
We reviewed FINRA business continuity exams from 2006 to 2008 for a
randomly selected sample of 9 of the 56 clearing firms that clear for
other firms to assess the extent to which pandemic issues were being
addressed. To assess whether the level of preparations varied by firm
size, we reviewed examinations for 3 large firms (that provided
clearing for 100 or more introducing brokers), 3 medium-sized firms
(those that cleared for between 20 and 99 firms), and 3 small firms
(those clearing for 19 or fewer firms). Our review found that the
inspections for 8 of the 9 firms showed evidence the FINRA examiner
reviewed the firm's plan for compliance with the 10 business continuity
elements required to be addressed by FINRA's business continuity rule.
However, we found limited evidence that the examiners reviewed pandemic
readiness at the firms. For three of the firms, the examination
documentation included some general discussions about these firms'
pandemic planning, and in three cases we saw evidence that pandemic
plans were included in the documents reviewed by the FINRA examiners.
Although the full extent to which clearing firms are ready to continue
operating during a pandemic has not been assessed, some evidence raised
concerns that not all are making adequate preparations. We did not
attempt to systematically determine clearing firms' pandemic readiness,
but we did interview staff at one of the largest clearing firms. This
firm's staff described a pandemic plan and procedures that appeared
reasonably likely to be able to continue operations even in the face of
significant absenteeism. However, as noted earlier, a limited review by
SEC staff conducted in 2008 found that three of four midsized clearing
firms had not developed plans for continuing operations during a
pandemic. If clearing firms such as these are not able to continue
operating, customers of the introducing broker-dealers that use the
clearing firms experiencing such problems potentially could find access
to their funds and securities curtailed for significant periods of
time. For example, FINRA staff told us transferring the customer
accounts of broker-dealers that cease operations can take several days
or weeks, depending on the circumstances.
In response to the recent H1N1 outbreak and our inquiries in relation
to this review, FINRA staff told us they have begun various efforts to
more broadly assess the readiness of broker-dealers, including clearing
firms, for a pandemic. Beginning in June 2009, FINRA conducted a
voluntary survey of broker-dealer firms to determine preparedness for a
pandemic. The survey included questions asking, among other things,
whether the firm has conducted a review of the potential impact of a
pandemic, and whether the firm has a business continuity plan
specifically addressing a pandemic, and if so, how that plan is being
tested. The survey results show that almost all respondents report
having conducted a review of the potential impact of a pandemic, and
have business continuity plans that specifically address pandemic
preparedness. FINRA is using the results of the survey to develop
additional guidance on pandemic preparedness practices for the
industry. In addition, FINRA staff told us they have developed a new
examination module that addresses pandemic preparedness. This module
requires their examiners to determine whether the firm's business
continuity arrangements for resuming business operations appear
reasonable given the conditions likely to prevail during a pandemic.
For example, the module directs the examiner to review the firm's
business continuity planning to determine if the procedures address
risks associated with pandemic, such as taking steps to limit the
spread of influenza among its staff, and assessing the firm's
operational capabilities using teleworking and the impact of requiring
employees to work remotely. The new module was piloted by FINRA
examiners during the summer of 2009, and then, once revised as needed,
will be used in upcoming exams. FINRA officials told us they will
conduct a pandemic preparedness review at all the firms that clear for
other broker-dealers by the end of 2011.
[End of section]
Appendix III: Steps Taken by Bank Regulators to Assess Pandemic
Preparedness in Key Clearing Banks:
Banking regulators for the key clearing banks have taken actions to
assess pandemic readiness among banks, including those that clear
transactions for the securities markets. The Federal Reserve and the
Office of Comptroller of the Currency issued guidance in 2006 that calls
for all banks under their supervision to include the unique impacts of
a pandemic in their business continuity planning.[Footnote 56] Similar
to securities regulators, the bank regulators had taken actions to help
banks and thrifts address pandemic efforts in our last review. For
example, in a joint notice from the regulators that oversee banks and
thrifts, the agencies indicated that their institutions should review
the U.S. government's national pandemic strategy to consider what
actions may be appropriate for their particular situations, and whether
such actions should be included in their event response and contingency
strategies.[Footnote 57] Furthermore, banking regulators had also begun
to review pandemic planning in the context of their ongoing supervisory
activities. However, in response to the recommendation we made in our
2007 report, the Federal Reserve and the Office of the Comptroller of
the Currency subsequently notified institutions that play systemically
important roles in securities and other markets that these entities
should have plans that address even severe pandemics. In addition, the
Federal Financial Institutions Examination Council issued an updated
examination manual regarding information technology and business
continuity issues that includes steps that banks should be taking
related to pandemic planning.[Footnote 58]
Banking regulators have also been conducting reviews to ensure that
banks are preparing for possible pandemics, and through these efforts
confirmed that the critical market institutions under their supervision
met the 2007 deadline to have a pandemic plan in place, and that those
plans include the required elements. For example, the Federal Reserve
began a series of reviews--using a set of questionnaires to collect
information on the planning elements established in the guidance--in
January 2008 to assess the progress made by the top 15 banking
organizations in the country and concluded that considerable progress
has been made among its member banks in pandemic planning. The review
objectives were to provide a broad perspective of the state of pandemic
preparedness at systemic institutions, identifying trends within the
pandemic preparedness planning process, and to provide peer
benchmarking attributes to the participating institutions. Office of
the Comptroller of the Currency officials told us they continue to
monitor progress on pandemic planning in national banks through ongoing
supervision rather than targeted exams, and they have been evaluating
the banks' efforts using the newly issued business continuity planning
guidance that includes the requirements for pandemic plans.
[End of section]
Appendix IV: Comments from the Securities and Exchange Commission:
United States:
Securities And Exchange Commission:
Washington, D.C. 20549:
THE CHAIRMAN:
September 23, 2009:
Mr. Mathew J. Scire:
Director, Financial Markets and Community Investment:
United States Government Accountability Office:
441 G St., NW:
Washington, DC 20548:
Dear Mr. Scire:
This letter responds to your request, dated September 10, 2009, to
review and comment on the draft Report entitled Pandemic Preparedness:
Key Securities Market Participants Are Making Progress, but Agencies
Could Do More to Address Potential Internet Congestion and Encourage
Readiness (GAO-10-08).
Thank you for the opportunity to comment on the draft GAO Report. We
appreciate the Report's acknowledgement that significant progress has
been made by critical securities market organizations to continue
operations during a pandemic or other wide-scale disruption. In
particular, the Report recognizes that critical market organizations
have devoted considerable resources since September 11, 2001, to (1)
develop and maintain proprietary communications networks independent of
the public telecommunications networks and the Internet; (2) establish
geographically diverse backup sites to maintain critical functions
during a wide-scale disruption, including a pandemic; (3) expand their
existing business continuity plans to address the pandemic threat; and
(4) test their plans during an extensive industry-wide pandemic
exercise in late 2007.
While the key securities exchanges and clearing organizations use
proprietary networks that bypass the Internet, nevertheless we share
the GAO's concern that Internet congestion could significantly impair
some aspects of the securities markets during a pandemic. Internet
congestion could severely impair the ability of investors and market
professionals to access current market data and place orders. We
therefore agree with GAO that more needs to be done to address
potential Internet congestion, and we are prepared to continue to
assist the appropriate agencies to address this problem.
In addition, we agree with GAO that critical market organizations can
do more to make their existing pandemic plans even better. Accordingly,
the Commission staff plans to issue letters to critical market
organizations recommending that they further document their staff cross-
training arrangements and their plans to maintain operations if
Internet congestion impairs their ability to rely on telework for
support functions. Further, we will incorporate a review of their
compliance with this recommendation in our future examinations of these
organizations.
Thank you again for the consideration that you and your staff have
shown to our staff and the opportunity to comment on this draft Report.
If it would be useful to elaborate on the discussion in this letter,
please contact Jamie Brigagliano, Co-Acting Director, Division of
Trading and Markets, at (202) 551-5700, or John Walsh, Acting Director,
Office of Compliance Inspections and Examinations, at (202) 551-6471.
Sincerely,
Signed by:
Mary L. Schapiro:
Chairman:
Appendix V: Comments from the Department of Homeland Security:
Note: GAO comments supplementing those in the report text appear at the
end of this appendix.
U.S. Department of Homeland Security:
Washington, DC 20528:
Homeland Security:
October 14, 2009:
Mathew J. Scire:
Director:
Financial Markets and Community Investment:
Center for Technology and Engineering:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Scire:
Re: GAO 10-08, Key Securities Market Participants Are Making Progress,
but Agencies Could Do More to Address Potential Internet Congestion and
Encourage Readiness
The Department of Homeland Security (DHS) appreciates the opportunity
to review and comment on the U.S. Government Accountability Office's
(GAO) draft report referenced above. The GAO came to several
conclusions with regard to the current state of Internet congestion and
readiness. The Department recognizes the nature of Internet congestion
and will continue working with Federal and industry stakeholders to
solicit and share best practices.
DHS is responsible for specific national security/emergency
preparedness (NS/EP) communication functions and mission, which include
planning for, developing, and implementing enhancements to the national
telecommunications infrastructure to achieve measurable improvements in
survivability, interoperability, and operational effectiveness under
all conditions and seeking greater effectiveness in managing and using
national telecommunication resources to support the Federal Government
during any emergency. The Department agrees that strong cooperation
between the private and public sectors is essential to support those
functions, which among others, is the responsibility of the National
Coordinating Center (NCC).
The NCC leverages its unique joint government/industry structure and
all-hazard emergency response capabilities to coordinate the
initiation, restoration, and reconstitution of Federal Government
national security and emergency preparedness telecommunications
services both nationally and internationally. Internet congestion, as a
general matter and with regard to non-NS/EP communications, does not
fall within the Department's responsibilities. The Department believes
GAO's recommended actions fall within the operational and
administrative interest of other Federal Agencies. Therefore, the
Department concurs with GAO's recommendations that the Secretary should
do the following, insofar as they relate to the maintenance of
nationally critical communications, that is, NS/EP communications:
(1) Develop a strategy outlining actions that could be taken to address
potential Internet congestion;
(2) Coordinate with other relevant federal and private sector entities
about actions that could potentially reduce Internet congestion;
(3) Work with other federal partners to determine if sufficient
authority exists for one or more relevant agencies to take any
contemplated actions to address Internet congestion; and
(4) Assess the effectiveness and feasibility, and undertake if
warranted, a public education campaign to reduce such congestion.
With regard to implementing these recommendations for NS/EP
communications, the Department is currently working to enhance its
programs to assure NS/EP communications under all conditions, including
a pandemic. Additionally, under the National Response Framework, the
Department will continue to work with departments and agencies in
support of Emergency Support Function #2 (ESF#2) - Communications,
specifically, to support the restoration of the communications
infrastructure, facilitate recovery from cyber attacks, and coordinate
Federal efforts during incidents requiring a coordinated federal
response.
General Comments:
* DHS is not responsible for addressing Internet congestion caused by
an increase in high-bandwidth Internet applications and services, or
increased use over time that eventually exceeds the Internet service
providers' capacity. These latter examples are real-world concerns,
but, absent an adverse effect on NS/EP communications, they are not
within DHS' general purview to address.
* DHS responsibility for NS/EP does not include managing the Internet
during a pandemic; moreover, DHS does not have the responsibility for
developing an Internet Congestion strategy separate and apart from
assuring NS/EP communications. DHS agrees that its strategy for
assuring NS/EP communications should include addressing the possible
consequences of a pandemic.
* The report gives the impression that there is potentially a single
solution to Internet congestion that DHS could achieve if it were to
develop an appropriate strategy. All users which rely on the Internet,
including the financial services sector, should not expect that
Internet congestion problems will be easily solved, and should develop
pandemic continuity of operations plans that do not rely on unimpeded
Internet access. An expectation of unlimited Internet access during a
pandemic is not realistic, any more so than an expectation that traffic
congestion on hurricane evacuation routes can be completely avoided.
This is not to say that DHS has not taken steps to share best practices
and explore other options for reducing congestion during a pandemic or
a hurricane. But users should base their own plans and activities on
realistic expectations, rather than assuming that anticipated
congestion problems can be readily addressed.
* Page: 14:
Issue: Furthermore, the government has recommended teleworking as an
option for businesses to keep their operations running during a
pandemic. Thus, many workers will be performing their work from home
and will be competing with recreational and other users for bandwidth.
See comment 1.
DHS Response: Recommending that individuals telework (in extremis
situations) is appropriate. Government, industries, and citizens have
the responsibility for planning and implementing necessary actions
prior to or during an event, and telework is an appropriate option to
be considered. In this regard, Internet congestion is analogous to the
telephone congestion that individuals experience during high volume
days (e.g., day after Thanksgiving). In these situations,
communications providers have mechanisms to reduce congestion to
maintain agreed-upon service levels as well as other contractual
obligations. Similarly, although pandemic-related congestion could last
longer, and the Internet falls under a different set of policy
restrictions than the telephone network, it is important that
communications providers develop plans, considering best practices
developed by industry and/or suggested by government, for maintaining
service. And government must continue to develop plans and implement
programs to assure the availability of NS/EP communications under all
conditions, including pandemic, which is an ongoing program of work for
the NCS.
* Page: 17:
Issue: A 2007 DHS Study that was conducted in cooperation with various
government, communications sector, and financial sector entities used
modeling of residential and other network configurations to confirm
that the increased traffic generated in neighborhoods during a pandemic
is likely to exceed the capacity of the providers' aggregation devices
in metropolitan residential neighborhoods.
See comment 2.
DHS Response: The study did not include the effect of network
management (FCC Memorandum Opinion and Order FCC 08-183 network
management options) on reducing Internet congestion. Internet network
management techniques are available to Internet providers. The study
only states, "Remote network management tools may be important for
network service providers to continue to operate with a reduced
workforce."
* Page: 24:
Issue: For example the guidelines for information technology and
communications sectors recommend that entities in these sectors
consider advising employees to limit household use of streaming video
or other bandwidth-intensive Internet activities.
See comment 3.
DHS Response: While this statement is correct, the guidelines and
recommendations may or may not correct Internet congestion, depending
on citizens' compliance. DHS suggests the following be added to clarify
for accuracy:
FCC Opinion and Order FCC 08-183 indicates that there are several
methods available that an Internet provider can use for network
management. Paragraph 49 indicates that "Comcast could throttle back
the connection speeds of high capacity users (rather than any user who
relies on peer-to-peer technology, no matter how infrequently). Or
Comcast can work with the application vendors themselves..."
* Page: 24:
Issue: Because the practices suggested in these documents sometimes
discussed proprietary information, they were only made available to
sector council members.
See comment 4.
DHS Response: The Alliance for Telecommunications Industry Solutions'
(ATIS) Network Reliability Steering Committee (NRSC) recently released
a set of Pandemic Planning recommendations. This document includes a
compilation of existing--as well as newly-developed--industry
consensus best practices to ensure service provisioning and business
continuity in the event of a pandemic outbreak. The guidance includes
56 voluntary best practices that continue the U.S. communications
industry's nearly 20-year history of collaboration among experts to
promote the health of the nation's public networks. The Best Practices
are available at: [hyperlink,
http://www.atis.org/nrsc/Docs/NRSCPandemicChecklistFinal.pdf].
* Page: 27:
See comment 5.
Issue: Finally, one financial sector organization noted that the plan
should include a prioritization scheme to prioritize Internet traffic
based on how critical it is to national and economic security.
DHS Response: The report should note that FCC principles might impede
such prioritization, depending upon their scope and application. See
FCC Policy Statement FCC 05-151, which states, "As a result, the
Commission has jurisdiction necessary to ensure that providers of
telecommunications for Internet access or Internet Protocol-enabled
(IP-enabled) services are operated in a neutral manner."
* Page: 28:
Issue: Although its own study identified voluntary public reduction of
Internet use as an effective means of reducing pandemic congestion, DHS
has not begun steps to assess the feasibility and effectiveness of
obtaining such public cooperation.
See comment 6.
DHS Response: The Office of the Manager, National Communications System
(OMNCS) actively promotes the issuance of consumer practices through
industry providers. Specifically, ATIS (see general comment #10)
released best practices. In such cases, industry provides
recommendations to its customers and can follow up with public service
announcements advising consumers of recommended activities. Such
activities help to mitigate the risks from events such as a pandemic.
* Page: 29:
Issue: However, DHS staff told us they had not begun efforts to
evaluate the feasibility or effectiveness of such a campaign or taken
steps to begin developing such an effort because of the demands of
other crises.
See comment 7.
DHS Response: This mischaracterizes the Department's previously stated
position. The Department's position is that there are activities
supporting our operational mission that must take priority over a
public service campaign on this topic. Please also refer to the second
and third general comments above.
* Pages: 33-34:
Issue: Although congestion during a pandemic could interfere with
individuals' ability, including teleworkers and others, to access the
Internet, the primary communications of the critical market
organizations would not be affected because these organizations and
their participants communicate via high-capacity, proprietary
networks that do not traverse the public Internet infrastructure.
See comment 8.
DHS Response: The report does not explain to what extent congestion of
the public Internet infrastructure would affect the financial services
sector. Moreover, the report does not discuss the contractual
obligations that are in place between the service provider and its
customers. The report should address this issue. Pages 39-41 partially
address this issue, saying that firms are assessing their work-from-
home capabilities, but the report does not describe the results of this
assessment. We appreciate the opportunity to review and comment on this
draft report and we look forward to working with you on future homeland
security issues.
Sincerely,
Signed by:
Jerald E. Levine:
Director:
Departmental GAO/OIG Liaison Office:
The following are GAO's comments on the Department of Homeland
Security's letter dated October 14, 2009.
GAO Comments:
1. The likely usefulness of teleworking as a way for government
agencies and businesses to continue operations during a pandemic is one
of the reasons we believe that DHS should take the lead in addressing
potential Internet congestion that could arise during a severe
pandemic, including working with private sector providers to encourage
them to take proper steps to be prepared not only to ensure that NS/EP
communications are not affected, but that any adverse impact on all
other communications is also mitigated.
2. Although not citing the FCC opinion and order by number, our report
does discuss some of the network management techniques noted by those
documents that providers might be able to use to relieve pandemic-
related congestion. However, as our report notes, these techniques may
have limitations in resolving the type of congestion envisioned to
occur in residential neighborhoods. In addition, providers told us that
they would require government direction to implement such techniques to
reduce congestion, which is why we recommend that DHS begin taking
steps to determine what strategies, actions, and authorities are needed
to address this issue so that if it appears that private sector
providers must be asked to take steps, such direction can come from the
appropriate government source.
Furthermore, as the report notes, providers told us their remote
network management tools may be a way for them to continue their
operations with reduced workforces resulting from pandemic-related
absenteeism and that these tools could be used to re-route traffic
around congested areas in regional networks or the national backbone,
but not to relieve congestion in the residential neighborhoods.
3. As our report states, the DHS study of the impact of pandemic on
Internet access notes that obtaining the cooperation of the general
public in limiting bandwidth-intensive Internet activities was shown by
the study's modeling to be an effective way to relieve congestion.
Uncertainty over whether such cooperation could be obtained is the
reason that we recommend that DHS assess the effectiveness and
feasibility of implementing a public information campaign, and if
warranted, begin developing one. Regarding DHS's suggested addition of
the techniques noted in the FCC order, as we noted above, we discussed
these techniques with providers and learned they may have limitations
in addressing the type of congestion envisioned to arise in a pandemic
and providers would likely require government direction to take such
actions.
4. This comment was sent to us earlier as a part of DHS's technical
comments and we have revised the text to note that some of this
information has been made available publicly. The best practices that
DHS cites in response would likely improve telecommunication providers'
readiness for a pandemic, but likely would not be sufficient to relieve
the congestion in residential neighborhoods.
5. This statement was intended to serve as an example of the types of
comments FCC received regarding the prioritization issue. We did not
assess whether this suggestion was feasible or comports with other FCC
practices.
6. As noted above, the best practices DHS cites could assist providers
in being better prepared for a pandemic. However, they are not likely
sufficient to address residential neighborhood congestion, which is why
DHS's own study also proposed best practices for enterprises,
teleworkers, and the public. Providers did not provide us information
on any steps they were taking to advise the public about practices that
could relieve congestion during a pandemic. In fact, one provider told
us a good approach to manage Internet congestion effectively would be
for the government to work with providers to publicize appropriate best
practices and issue related guidance. As a result, we recommend that
DHS assess the effectiveness and feasibility of such practices and
implement such a campaign if warranted.
7. We changed the language in this report to note that DHS has not
taken action related to evaluating a public education campaign because
other activities supporting its operational mission have taken
priority. Nevertheless, we believe that such activities should be
undertaken to address potential pandemic-related congestion.
8. As this report discusses, much of the securities market's critical
communication would not be affected by congestion of the public
Internet infrastructure because it travels over dedicated proprietary
networks. However, financial sector organizations are planning to use
teleworking to varying degrees as part of their plans to continue
operations during a pandemic. As a result, these staff, as well as
the staff of other U.S. federal, state, or local governments and
private businesses that plan to use teleworking from home during a
pandemic would be affected by the congestion that is envisioned to
affect residential neighborhoods. As a result, we recommend that DHS
take actions to address this issue.
Furthermore, our report discusses securities market organizations'
activities to prepare themselves to effectively telework during a
pandemic and describes the limitations we found in these efforts. As a
result, we made recommendations to SEC to further improve its
oversight, which it has agreed to implement.
[End of section]
Appendix VI: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Mathew J. Scire, (202) 512-8678 or sciremj@gao.gov
David A. Powner, (202) 512-9286 or pownerd@gao.gov
Nabajyoti Barkakati, (202) 512-4499 or barkakatin@gao.gov
Acknowledgments:
In addition to the contacts named above, Cody Goebel and Michael
Gilmore, Assistant Directors; Chir-Jen Huang; Yola Lewis; Kristeen
McLain; Marc Molino; Carl Ramirez; Linda Rego; and Hai Tran made major
contributions to this report.
[End of section]
Footnotes:
[1] In the aftermath of the September 11, 2001 attacks, we conducted a
series of reviews that examined the steps being taken by securities
market participants to improve their physical security, information
security, and business continuity capabilities. See GAO, Potential
Terrorist Attacks: Additional Actions Needed to Better Prepare Critical
Financial Market Participants, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-03-251] (Washington, D.C.: Feb.
12, 2003); Potential Terrorist Attacks: Additional Actions Needed to
Better Prepare Critical Financial Market Participants, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-03-414] (Washington, D.C.: Feb.
12, 2003). These reports
were addressed to different parties but provide identical information.
Also see Financial Market Preparedness: Improvements Made, but More
Action Needed to Prepare for Wide-Scale Disasters, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-04-984] (Washington, D.C.: Sept.
27, 2004); Financial Market Organizations Have Taken Steps to Protect
against Electronic Attacks, but Could Take Additional Actions,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-679R] (Washington,
D.C.: June 29, 2005); Financial Market Preparedness: Significant
Progress Has Been Made, but Pandemic Planning and Other Challenges
Remain, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-399]
(Washington, D.C.: Mar. 29, 2007).
[2] Although the current pandemic is caused by a strain of the H1N1
influenza virus, experts remain concerned that other influenza viruses--
such as the H2N2, H5N1, and H7N7--also have the potential to cause a
pandemic.
[3] Homeland Security Council, National Strategy for Pandemic Influenza
Implementation Plan (May 2006).
[4] The White House, Homeland Security Presidential Directive/HSPD 7:
Critical Infrastructure Identification, Prioritization, and Protection
(December 2003). While HSPD-7 identifies 17 critical infrastructure
sectors, the directive allows for DHS to identify gaps in existing
infrastructure sectors as well as establish new sectors to fill these
gaps. Under this authority, DHS established an 18th sector--critical
manufacturing--in March 2008.
[5] DHS also is the lead federal agency for nine other critical
infrastructure sectors.
[6] Both of these offices are within the Office of Cybersecurity and
Communications, which is a part of the National Protection and Programs
Directorate.
[7] The White House, National Strategy to Secure Cyberspace
(Washington, D.C., February 2003).
[8] 47 U.S.C. § 151 et seq.
[9] Although some of the seven organizations that we have considered
critical to the markets' overall ability to function may have lessened,
each continues to play an important role. As a result, we continue to
use this group of organizations during our assessment to provide
continuity to this report and to those that we issued previously.
[10] Since the passage of the Securities Exchange Act in 1934, 15
U.S.C. § 78a et seq., the stock and options exchanges have acted as
self-regulatory organizations by ensuring that the broker-dealers that
traded on their markets complied with the rules of their market and
with the securities laws in general. SEC also is responsible for
ensuring that the requirements of these laws are followed.
[11] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-251],
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-414], [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-04-984], [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-05-679R], and [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-07-399].
[12] FBIIC members include Commodity Futures Trading Commission,
Conference of State Bank Supervisors, Farm Credit Administration,
Federal Deposit Insurance Corporation, Federal Housing Finance Board,
Federal Reserve Bank of New York, Federal Reserve, National Association
of Insurance Commissioners, National Association of State Credit Union
Supervisors, National Credit Union Administration, North American
Securities Administrators Association, Office of the Comptroller of the
Currency, Office of Federal Housing Enterprise Oversight, Office of
Thrift Supervision, SEC, Securities Investor Protection Corporation,
and Treasury.
[13] Under the framework established by DHS's National Infrastructure
Implementation Plan, each of the critical infrastructure sectors has
both a government council and a private sector council to address
sector-specific planning and coordination. FBIIC and FSSCC serve the
banking and financial sector in that capacity.
[14] FS/ISAC was established in response to Presidential Directive 63
(1998). That directive--which has since been superseded by 2003
Homeland Security Presidential Directive 7--mandated that the public
and private sectors share information about physical and cyber security
threats and vulnerabilities to help protect the U.S. critical
infrastructure. The White House, Presidential Decision Directive/NSC-63:
Critical Infrastructure Protection (May 1998).
[15] According to one provider, this additional traffic in residential
neighborhoods may not result in an increase in Internet traffic overall
because it may be traffic that would have otherwise come from
businesses in other parts of the Internet access networks, but during a
pandemic would originate in the residential access portions of the
networks instead.
[16] A DSLAM is a network device, usually at a telephone company
central office, that receives signals from multiple customer DSL
connections and puts the signals on a high-speed backbone line by
channeling many inputs onto one output.
[17] According to one provider, in a cable environment both the
incoming and outgoing traffic share a fixed amount of bandwidth as it
moves over coaxial cables between the modems and a node onto fiber.
Eventually, traffic aggregates at a port on a CMTS. A CMTS is a device
located in a cable operator's local network that acts as the gateway to
the Internet for cable modems in a particular geographic area.
[18] Network performance is measured in bits per second or bps. One
megabit per second equals 1 million bps. Due to the historically
incoming-focused nature of Internet usage, according to one provider,
cable networks typically provide one 6-megahertz (MHz) channel with a
capacity of 38.2 Mbps in the incoming direction.
[19] Department of Homeland Security, Pandemic Influenza Impact on
Communications Networks Study (Washington, D.C., December 2007).
[20] These programs include GETS, TSP, and the Wireless Priority
Service, which are intended to ensure that (1) emergency response
personnel are able to communicate with the federal, state, and local
leadership for decisions involving emergency response and (2)
telecommunications services are restored or added on a priority basis
during disasters.
[21] According to one provider we spoke with, they have a specialized
congestion management system that is capable of temporarily
deprioritizing some users' traffic during times of congestion. This
practice is based on identifying users that are contributing
significantly to congestion. However, it is not technically feasible to
use this capability to identify and prioritize traffic based on a list
of specific users.
[22] Pew Research Center, The Audience for Online Video-Sharing Sites
Shoots Up (July 2009).
[23] A fuller discussion related to the legal authorities surrounding
the Internet follows in the next section of this report.
[24] This specification is known as the data over cable service
interface specification or DOCSIS. Currently, cable providers are
generally using DOCSIS 1.0, 1.1, and 2.0. Cable providers are deploying
the upgraded specification, which is known as DOCSIS 3.0. This
standard, which includes incoming and outgoing channel bonding, permits
a dramatic capacity increase--four channels, each capable of 38 Mbps
downloading capacity.
[25] GAO, Emergency Communications: National Communications System
Provides Programs for Priority Calling, but Planning for New
Initiatives and Performance Measurement Could Be Strengthened,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-822] (Washington,
D.C.: Aug. 28, 2009).
[26] According to the President's National Security Telecommunications
Advisory Committee Next Generation Networks Task Force Report (March
2006), the Next Generation Networks represent the set of converged
networks expected to arise that will transparently carry many types of
data and communications and allow delivery of services and applications
that are not coupled to the underlying network.
[27] The White House, National Strategy to Secure Cyberspace
(Washington, D.C., February 2003).
[28] We previously reported that DHS had initiated efforts to refine
high-level disaster recovery plans but the components of these plans
that pertain to the Internet were not complete. Additionally, while DHS
had undertaken several initiatives to improve Internet recovery
planning, much remained to be done. Specifically, some initiatives
lacked clear timelines, lessons learned were not consistently being
incorporated in recovery plans, and the relationships between the
various initiatives were not clear. We recommended that DHS take
various actions to improve these plans and obtain input from Internet
providers. DHS concurred with the recommendation. GAO, Internet
Infrastructure: DHS Faces Challenges in Developing a Joint
Public/Private Recovery Plan, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-06-672] (Washington, D.C.: June 16, 2006).
[29] GAO, Catastrophic Disasters: Enhanced Leadership, Capabilities,
and Controls Will Improve the Effectiveness of the Nation's
Preparedness, Response, and Recovery System, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-06-618] (Washington, D.C.: Sept.
6, 2006).
[30] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-672].
[31] Federal Communications Commission, In the Matter of A National
Broadband Plan for Our Future Notice of Inquiry, GN Docket No. 09-51
(April 2009).
[32] At the time of our review, FCC had received over 10,000 comments.
We searched FCC's Electronic Comment Filing System for comments that
were filed on behalf of certain telecommunication and cable providers
and communication and financial sector organizations using terms such
as priority, pandemic, and public safety as our search criteria. If our
search resulted in a record for a specific provider or organization, we
reviewed these excerpts.
[33] See 47 U.S.C. § 606.
[34] Of the seven critical organizations, five are overseen by SEC and
two are under the purview of the banking regulators. The guidance
issued by SEC was a letter to the organizations, not a formal rule, but
the organizations were expected to comply with its requirements by year-
end 2007.
[35] WHO defines the phases of increasing public health risk associated
with the emergence of a new influenza virus and tracks the status of
virus transmission using a six-phase scale. The interpandemic period
includes WHO Phases 1 and 2; the pandemic alert period includes Phases
3, 4, and 5; and the pandemic period is WHO Phase 6. Specifically, WHO
Phase 1 exists when no new influenza virus subtypes have been detected
in humans. WHO Phase 2 occurs when a circulating animal influenza virus
subtype is identified that poses a substantial risk of causing human
illness. WHO Phase 3 is reached when a human infection with a new
subtype is identified but no human-to-human spread is occurring. WHO
Phase 4 is reached when small clusters of limited human-to-human
transmission are occurring. WHO Phase 5 is reached when large but
localized clusters of human-to-human spread are occurring. Lastly, WHO
Phase 6 is a pandemic occurring with increased and sustained
transmission in the general population. The U.S. Government Stages,
first published in the National Strategy for Pandemic Influenza
Implementation Plan (2006), also changed in accordance with the spread
of the disease. HHS officials indicated that the U.S. Government Stages
were therefore not appropriate to use in measuring the H1N1 outbreak of
2009, due to its low lethality, and removed the Stages from the
government's Web site, [hyperlink, http://www.flu.gov]. HHS officials
told us they do not have plans for revising the U.S. Government Stages
at the time of this report.
[36] For example, stock and options exchanges receive trade orders from
broker-dealers over the Secure Financial Transaction Infrastructure,
which is a network created to provide a more reliable and "survivable"
private communications network that links exchanges, clearing
organizations, and other financial market participants. This network
employs redundant equipment throughout, and carries data traffic over
redundant fiber-optic rings that have geographically and physically
diverse routes. The clearing organization for stocks has set up a
similar proprietary network.
[37] Federal Guidance To Assist States In Improving State-Level
Pandemic Influenza Operating Plans (March 2008).
[38] This absenteeism model uses the first letters of employees' last
names, relying on U.S. Census figures for the distribution. This method
provided a realistic picture of the range of absent employees, which
could be from the lowest levels to the top of an organization.
[39] The Financial and Banking Information Infrastructure is chartered
under the President's Working Group on Financial Markets and is charged
with improving coordination and communication among financial
regulators. The Financial Services Sector Coordinating Council is a
group of over 30 private sector firms and financial trade associations
that works to help reinforce the financial service sector's resilience
against threats to the nation's financial infrastructure. The
Securities Industry and Financial Market Association is a nonprofit
organization that brings together the shared interest of more than 650
securities firms, banks, and asset managers. Its mission is to promote
policies and practices that work to expand and perfect markets, foster
the development of new products and services, and create efficiencies
for member firms.
[40] Spread of the pandemic scenario for the exercise is described as
follows: At the start of the prephase scenario, clusters of a highly
human-to-human transmissible strain of the H5N1 virus were confirmed in
Africa, the Middle East, Europe, and South Asia. By 6 weeks (scenario
update 2), the virus had reached pandemic levels across the United
States, and corresponding absenteeism rates reached a peak of 49
percent. Eight weeks later (scenario update 3), the United States and
other areas affected early in the pandemic were entering a recovery
period, and the number of reported cases began to peak in South
America, northeast Asia, the Pacific, and the Australian continent.
[41] The banking regulators, who oversee the clearing banks that
maintain accounts on behalf of securities market participants, have
taken similar actions. Given that our review of the pandemic plans of
the two critical market organizations overseen by the banking
regulators indicates that these organizations have plans that meet the
required criteria without limitations, we did not assess the banking
regulators' activities related to pandemic preparedness. Furthermore,
we did not conduct on-site independent reviews to verify the bank
regulators' assessments of banks' readiness. However, we did interview
banking regulators about their supervisory efforts in the area of
pandemic preparedness, and present that information in appendix III.
[42] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-399].
[43] SEC published its Automation Review Policy in 1989, to oversee the
operational risks at the securities exchanges and clearing
organizations. The Policy advised self-regulatory organizations
prospectively of SEC's expectations on how these organizations should
address information dissemination and physical security and business
continuity challenges. Automated Systems of Self-Regulatory
Organizations, Securities Exchange Act Release No. 34-27445, 54 Fed.
Reg. 48703 (Nov. 24, 1989).
[44] The other two of the seven organizations that we consider critical
to the market are under the purview of the banking regulators.
[45] 68 Fed. Reg. 17809 (Apr. 11, 2003).
[46] "Core clearing and settlement organizations" include government or
private sector entities that provide clearing and settlement services
that are integral to a critical market. Among the specific product
markets included in the paper are those for government and corporate
securities, commercial paper, foreign exchange, and others. Id. at
17811.
[47] Core clearing and settlement organizations are to strive to
recover these activities within 2 hours of a disastrous event, and
significant firms are to strive to recover these activities within 4
hours. Id. at 17812-17813.
[48] Unlike the critical market organizations, we did not conduct on-
site independent reviews to verify the SEC's assessments of the broker-
dealers' readiness; for more on this, see appendix I.
[49] Department of Homeland Security, Pandemic Influenza Impact on
Communications Networks Study (Washington, D.C., December 2007).
[50] In addition to the 56 firms that clear for other broker-dealers,
according to FINRA there are 149 firms that are "self-clearing,"
meaning they clear transactions, but exclusively for themselves or
their customers.
[51] Under existing securities laws, most broker-dealers cannot be
mandated to continue operations. Instead such decisions would be a
business decision by such firms. However, a small number of firms have
been designated as significant based on their trading volumes in
various product markets. These firms are required to be able to
reconstitute those parts of their operations needed to complete
clearing and settlement of their transactions in these markets within 4
hours to avoid causing potential systemic problems for the markets as a
whole.
[52] These rules were issued by FINRA's predecessor organizations: NASD
Rules 3510 (Business Continuity Plans) and 3520 (Emergency Contact
Information), and NYSE Rule 446 (Business Continuity and Contingency
Plans). FINRA has since established a consolidated rule book,
integrating rules from both entities, including those covering business
continuity and emergency preparedness. FINRA determined that the NASD
Rules 3510 and 3520 and NYSE Rule 446 were duplicative, and as a
result, effective November 11, 2008, FINRA deleted NYSE Rule 446 and on
August 28, 2009, SEC approved FINRA's recommendation to combine and
adopt NASD Rules 3510 and 3520, as amended, as FINRA Rule 4370 in the
Consolidated FINRA Rulebook. See Securities Exchange Act Release No. 34-
60534, 74 Fed. Reg. 44410 (Aug. 28, 2009).
[53] See NASD Notice to Members No. 04-37, "SEC Approves Rules
Requiring Members to Create Business Continuity Plans and Provide
Emergency Contact Information" (May 2004).
[54] This guidance was issued by FINRA's predecessor organization,
NYSE, as NYSE Regulation Information Memo No. 06-30 "Guidance
Pertaining to Business Continuity and Contingency Plans Relating to a
Potential Pandemic" FINRA (May 2006).
[55] This notice was issued by FINRA's predecessor organization, NASD.
NASD Notice to Members No. 06-31 "NASD Requests Comment on Regulatory
Relief that Should Be Granted in Response to a Possible Pandemic or
Other Major Business Disruption" (June 2006).
[56] This report is concerned with clearing banks--those institutions
that clear trading transactions for the markets. Therefore we do not
discuss other banking regulators, such as the Federal Deposit
Insurance Corporation, or state banking regulators.
[57] Interagency Statement on Pandemic Planning (Dec. 18, 2007).
[58] Federal Financial Institutions Examination Council is a formal
interagency body empowered to prescribe uniform principles, standards,
and report forms for the federal examination of financial institutions
by the Board of Governors of the Federal Reserve System, the Federal
Deposit Insurance Corporation, the National Credit Union
Administration, the Office of the Comptroller of the Currency, and the
Office of Thrift Supervision, and to make recommendations to promote
uniformity in the supervision of financial institutions. FFIEC IT
Examination Handbook, Business Continuity Planning, BCP (March 2008).
[End of section]