In Case of Emergency: SIFMA’s Industry-Wide BCP Test is a Robust Exercise of Crisis Readiness

As a critical sector as defined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the industry’s investment in cybersecurity and resiliency broadly has been ongoing for more than two decades and is embedded in how firms and their infrastructure providers operate. The industry routinely engages in a broad array of testing to maintain and enhance defense, resiliency, and recovery both at the enterprise and industry-wide levels. These efforts range from technical defense to exercises and testing to industry and official sector communication and collaboration.

SIFMA’s annual robust industry-wide business continuity test, most recently conducted on October 15, is a critical exercise that highlights our industry’s ability to operate through a significant emergency using backup sites, recovery facilities and backup communications capabilities across the industry.

SIFMA facilitates the annual Industry Test and as well as coordinating the industry testing requirements under the Securities and Exchange Commission (SEC) Regulation Systems Compliance and Integrity (Reg SCI). Reg SCI identifies certain exchanges and clearing utilities as “SCI entities,” and requires that each SCI entity designate members and participants that meet certain criteria like market share to take part in an annual business continuity and disaster recovery test. Reg SCI entities complete their testing requirements in parallel with the SIFMA industry backup test, which we’ve been organizing for well over a dozen years. It is an efficient way to meet testing requirements across firms throughout the industry on a single day of the year.

The objective of the 2022 SIFMA Industry Test was for securities firms and market infrastructure providers and key third parties to test their business continuity and disaster recovery (BC/DR) plans and to exercise and verify their ability to operate through a business continuity and/or disaster recovery event using backup sites, recovery facilities and backup communication capabilities.

Over 90 entities were available for testing, including equities and options exchanges, fixed income markets, market data providers, clearing agencies, payments platforms, and services bureaus, as well as a simulated Treasury auction.  The SIFMA industry test aims to have participation from the third parties securities firms work with across a broad range of products and services, so they participants can complete a robust test covering all business lines and operations.

SIFMA Industry Test participants carry out a range of robust simulated activity, ranging from simulated order entry and market data transmission to simulated post-trade processing and mock auctions for U.S. Treasuries. The scope of testing reflects the services offered by participating test entities and how market participants interact with them in their normal course of business.

The 2022 Regulation SCI BC/DR test was designed to verify that Regulation SCI entities are able to demonstrate that they can support the maintenance of fair and orderly markets in the event the Regulation SCI entities’ business continuity and disaster recovery plans are activated.

In line with these goals, Reg SCI testing included simulated trading days for all Reg SCI exchanges and ATSs, along with simulated post-trade activity for clearing utilities, as well as simulated regulatory trade reporting. Reg SCI testing was carried out with the firms who are identified as designated testers by the Reg SCI entities, as well as others that voluntarily chose to take part.

Across both Reg SCI and the SIFMA Industry Test, the successful test underscores the ability of the securities industry to operate through disruptions and adverse conditions.  On the same day, the Futures Industry Association (FIA) leads the futures test component; on alternate years the Investment Industry Association of Canada (IIROC) coordinates a test of Canadian infrastructure providers.

The scope of participation for test entities in the SIFMA Industry Test is detailed in the Summary of Components document. The document is a spreadsheet which lists all participating test entities, the scope of their testing and what environment they are operating out of, points of contact for advance planning, and pretesting opportunities. This document is regularly updated over the summer and fall leading up to the test.

SIFMA and its members remain diligent and focused on cybersecurity efforts to protect clients, data, networks and operations from diverse cyber threats including theft, disruption and destruction.”

For more information, please visit the SIFMA Industry Test resource page and the Reg SCI Playbook.

Tom Price is a managing director and head of technology, operations and business continuity for SIFMA.