Financial Information Forum 2
continue to allow firms significant leeway to develop BCP response plans based upon a firm’s business
profile. Notably, upon review of FINRA Rule 4370, FIF member firms have noted that the flexibility of the
current rule has allowed both the industry and FINRA to develop and adjust BCP plans based upon
changes in the threat landscape, the advent of new technology, and change in the size and scope of a
particular business. Additionally, FIF believes that an overly prescriptive rule governing BCP
responsibilities will result in the inability of both FINRA and the industry to learn from and leverage the
experience of similarly situated businesses in augmenting and improving BCP response plans.
Therefore, FIF believes that the flexibility embedded in FINRA Rule 4370 should remain.
Additional Guidance
FIF encourages FINRA to provide industry members with additional guidance in the form of FAQs,
webinars, and best practice guides that can be leveraged to improve existing BCP response plans. As
noted above, the threat landscape has evolved significantly in recent years. Malicious 3rd parties
continue to develop and improve upon strategies designed to disrupt business operations, natural
disasters have grown more ubiquitous (e.g. Hurricane Sandy), and technical/systems outages remain a
threat to business activity. To better inform industry members as to how best to protect against the
disruption of business activity due to a BCP event, FIF recommends the following:
• FAQs – FIF recommends that FINRA issue additional FAQs designed to leverage and
communicate to the industry the best practices FINRA has gathered as a result of BCP plan
assessments. FIF continues to believe that firms should have access to and benefit from the
collective experience and knowledge of their industry peers in formulating their own BCP
response plans. FIF recommends complete and robust FAQs that provide industry members with
additional guidance on best practices, including but not limited to 1) data protection and failover
testing; 2) internal and external communication between employees, counterparties, vendors, and
government officials/regulators during a BCP event; 3) interfirm employee education; and 4)
assessment of mission critical systems. Should additional FAQs be published, FIF encourages
FINRA to engage in industry outreach sessions to better educate firms as to how to best
implement industry best practices at their firms. FIF believes that the availability of FAQs that
incorporate best practice recommendations gathered by FINRA during years of exams will allow
firms to implement a more mature, efficient, and effective BCP response plan. Specifically, FIF
recommends that FINRA should consider updating the following guidance:
o Regulatory Notice 13-25: Should FINRA elect to provide industry members with
additional FAQs, FIF recommends that FINRA consider updating FINRA Regulatory Notice
13-25, issued in response to Hurricane Sandy. FIF believes that since the threat
landscape has shifted significantly during the intervening six years following the publication
of Regulatory Notice 13-25, Regulatory Notice 13-25 should be updated to include
greater detail, especially with respect to cybersecurity. Additionally, FIF recommends
that any updates supplementing the guidance provided within Regulatory Notice 13-25
should be harmonized with any subsequent guidance issued by the Securities and
Exchange Commission (“SEC”) and the Commodity Futures Trading Commission
(“CFTC”);
o Small Firm Business Continuity Plan Template: FIF recommends that FINRA consider
reviewing and updating the Small Firm Business Continuity Plan Template,
last updated in May of 2010. Given the significant changes in the threat landscape and
potential mechanisms available to firms to better protect against BCP events, FIF
believes that more modernized recommendations should be considered for