A large-scale flu epidemic is a bad time to implement VPNs or work-at-home policies, according to a U.S. Treasury Department official.
The Treasury Department, working in conjunction with the Financial Banking Information Infrastructure Committee (FBIIC), the Financial Services Sector Coordinating Council (FSSCC) and the Securities Industry and Financial Markets Association, tested the business continuity readiness of more than 2,700 participating financial institutions.
The objectives of the exercise, which took place last year between Sept. 24 and Oct. 12, included getting a clearer understanding of the systemic risks to the financial services sector during a pandemic; improving preparedness by testing pandemic plans; and examining the ripple effects on telecommunications, energy, transportation, IT and other service providers.
On each Monday of the three-week exercise, participants received an email describing simulated infection levels, absentee rates for that period, public health alert levels, food supply levels, and economic data about market activity. The same email contained a link to a questionnaire, where participants assessed the pandemic's impact on business operations and specific departments; employees whose last names began with the letter A, E, F, J, K, N, O, Q, T, U, V, X, Y or Z were presumed absent or sick as part of the simulation. Respondents had two days to discuss their answers internally and then respond anonymously.
A press briefing at the end of October didn't shed much light on the impact of a pandemic or the particular challenges banks, credit unions, insurance companies and stock exchanges are up against.
For example, almost 97% of participants said they were able to identify "critical dependencies, gaps, and seams" warranting follow-up. To cope, 54.5% said they had established a number of different work-at-home capabilities; 40.8% divided and dispersed business units; 21.2% entered into agreements with other organizations like joint ventures, outsourcing, etc.; 5% switched some functions to non-U.S. locations; and 2.3% shifted to unlicensed locations. Multiple responses were permitted.
Valerie Abend, deputy assistant secretary for critical infrastructure protection and compliance policy at the U.S. Department of Treasury, said the sponsors are nearly done sifting through more than 400,000 data points from the questionnaires, from which they'll present an "after-action report" on Jan. 28, 2008.
Abend did note one area of concern that emerged from the exercise: telecommuting. "If you're not already doing it, it's pretty hard to implement during a crisis. It's an option for our institutions, but many [financial institutions] haven't really tested their policies," said Abend. "We're not convinced this last mile is going to stand up, even though telecommunications companies have worked hard with financial services sector."
"Financial services, like healthcare, need a robust last mile -- reliable and secure," she added. "And there's a lot of concern there as to whether that can stand up in a pandemic."
Useful or empty exercise?
Safeguarding wealth and protecting markets and financial services companies have been federal government priorities going back at least as far as the superpower nuclear arms race. But emergency response has become more politicized in the post-Katrina era. The SARS outbreak a few years ago, coupled with a potentially virulent avian flu epidemic, has prompted government agencies to work more closely to head off similar situations and criticisms, according to Ken Wilson, president of Minneapolis-based Wilson Marketing Group Inc., which specializes in pandemic planning and training.
Large companies are more likely to have some sort of pandemic plan in place than medium and small businesses, Wilson said. Small and medium-sized businesses typically "are not prepared, either internally with necessary infrastructure, or on the manpower side," he explained. "What they can do without spending money, they will do. But to get duplicate hardware to support working from home, for example, is another question."
Perhaps an even more troubling issue is the likelihood that many firms are unaware of how critical it is to prepare well in advance of a pandemic. "We have not given any thought to this. Not sure that is a good answer, but [there are] only so many 'disasters' we can manage at once," said the CTO of a major ecommerce site, who asked not to be identified. "We are greatly expanding our remote capacity for business reasons and a side benefit will be [being] better able to address an issue like this."
In industry sectors like financial services, there are government advisories to have some sort of pandemic plan. But industry itself has also become a bit of an enforcer, according to Wilson.
"A lot of large companies are going into their supply chain and saying 'If you want to remain a viable supplier to us, demonstrate that your pandemic plan will work.' So some companies are being forced to do pandemic planning, whether they like it or not."
About the author:
Terry Sweeney is a Los Angeles-based freelance writer and editor, and has covered IT, security and networking for more than 20 years. He can be reached at firstname.lastname@example.org.