Business Continuity Planning

Financial services is a critical infrastructure sector. Through SIFMA, the industry has a robust infrastructure for dealing with incidents that can interrupt business and market functions.

Third-Party Resilience: Increasing Transparency

This paper, published in partnership with Protiviti, identifies and examines the operational recovery capabilities that are increasingly becoming standard expectations for third parties providing services to financial institutions.

Data Protection Principles

Financial companies need to collect and share sensitive information to run their everyday business. Members of SIFMA’s Data Protection Working Group have developed a set of principles for the protection of sensitive data that align with the NIST Cybersecurity Framework.

Cloud Outsourcing Issues and Considerations

The Financial Sector Cloud Outsourcing Issues and Considerations document seeks to address challenges related to transparency, resource gaps, exposure to operational incidents originating at cloud service providers (CSPs), and contract negotiation dynamics.

SIFMA, in partnership with Bortstein Legal Group, first developed this paper in 2020 and updated it in early 2024. Since 2020, the use of cloud infrastructure has grown significantly, and the attention of regulators to cloud — and the broader topics of operational risk and technology risk — remains high. In this paper, we examine the regulatory guidance in the United States, the European Union, the United Kingdom, and Canada relevant to financial institutions’ relationships with providers of cloud services such as ‘Software as a Service’ (“SaaS”), ‘Infrastructure as a Service’ (“IaaS”), and ‘Platform as a Service’ (“PaaS”).

Public Cloud Portability - GFMA White Paper

Financial Institutions’ (FIs’) growing reliance on cloud services raises regulatory concerns about concentration risk and financial stability. To address this, regulators are mandating portability of data and services between cloud providers. However, this paper details why portability – or any other resiliency solution – should not be prescribed, and why regulators should take a risk-based approach.

Industry-Wide Business Continuity Test

SIFMA’s industry-wide business continuity test is a critical exercise that highlights our industry’s ability to operate through a significant emergency using backup sites, recovery facilities and backup communications capabilities across the industry. SIFMA urges all firms to participate in this important annual event.

Cybersecurity Resources

Cybersecurity is a top priority in the financial industry to ensure the security of customer assets and information and the efficient, reliable execution of transactions within markets.

Emergency Crisis Command Center

In the event of a significant incident that affects or has the potential to affect the operations of the financial system, SIFMA helps to coordinate the financial industry’s business continuity planning efforts.

These efforts are managed through SIFMA’s Emergency Crisis Management Command Center, which identifies the status of industry participants, disseminates vital information and facilitates actions to assist market response and recovery. Coordination is arranged amongst financial firms, exchanges, industry utilities, regulators, government agencies and public sector emergency managers. SIFMA also has an Emergency Site for industry alerts.

Contacts