Wall Street Terror Backup Critiqued
GAO concerned about adequacy and proximity of backup data centers
Feb. 12, 2003 -- At least four major Wall Street firms
maintain no backup data centers for disaster recovery, while six
other firms' facilities are located within 10 miles of their primary
site, according to a new report from the General Accounting Office
(GAO).
While
noting those potential problems, the GAO's evaluation of Wall
Street's resiliency against terrorist attacks found most firms
were taking active steps to prepare the financial markets to resume
trading in the wake of an attack.
The GAO, the government's internal watchdog, is discussing its
report today in a hearing of the House Financial Services Committee.
A key topic of discussion in the GAO's 119-page report (PDF) was
the location of data centers and the need for sufficient distance
between primary and secondary data centers to store backup data
for the financial markets.
The GAO's
review of business continuity programs at 15 major financial institutions
echoed concerns
raised last fall in a
white paper developed jointly by the Federal Reserve, Treasury
Department and Securities and Exchange Commission.
But the
GAO report went a step further in detailing the number of firms
with potential vulnerabilities in their business continuity preparations.
Ten of
the 15 firms examined were "at greater risk of being disrupted
by wide-scale events because four organizations had no backup
facilities and six had facilities located between 2 to 10 miles
from their primary sites," according to the GAO.
Of those
six, four were "critical organizations" with less than
5 miles separating their primary and secondary data centers, including
some as close as two miles.
Regulators
worry that such arrangements may not be workable in a terrorism
event that causes wide-scale damage.
Last
week's escalation of the nation's Terror Alert system to "High"
(orange) was prompted at least partly by government concerns that
Al Qaeda terrorists may strike using radiological "dirty
bombs" or chemical weapons.
In responding
to last fall's white paper, Wall Street industry groups said business
continuity programs should be guided by current best practices,
rather than specific criteria such as a minimum distance between
data centers. The Securities Industry Association, in its response
to the white paper, argued that this standard is too specific
and too costly.
Current
real-time mirroring technology also places limits on the distance
between the primary and secondary data centers, usually no more
than 60 miles.
The GAO report also critiqued plans for staffing backup sites,
noting that some Wall Street firms' plans called for employees
from one site to relocate to the secondary site.
"Nine
organizations had not developed procedures to ensure that staff
capable of conducting their critical operations would be available
if an attack incapacitated personnel at their primary sites,"
said the report.
In some cases, the GAO said, the physical security of the disaster
recovery sites themselves was problematic, noting that more than half
"were unable to control vehicular traffic around their facilities
and thus were more exposed to damage than those that did have
such controls."