NASD PROPOSED RULE ON BUSINESS CONTINUITY PLANS AND EMERGENCY CONTACT INFORMATION

[14667] April 24, 2002 TO: BROKER/DEALER ADVISORY COMMITTEE No. 11-02 RE: NASD PROPOSED RULE ON BUSINESS CONTINUITY PLANS AND EMERGENCY CONTACT INFORMATION The National Association of Securities Dealers (NASD) has published for comment a proposed rule (a copy of which is attached) that would require all NASD members, presumably including mutual fund principal underwriters, to create and maintain written business continuity plans.1 In addition, the proposed rule would allow the NASD to collect additional information about NASD member firms to assist the NASD in the event of future significant business disruptions. Comments on the proposed rule are due to the NASD by May 13, 2002. If there are comments you would like us to consider including in a letter to the NASD, please contact Peter Salmon at (202) 326-5869 (email: salmon@ici.org) or Frances Stadler at (202) 326-5822 (email: frances@ici.org) by Wednesday, May 1st. According to the Notice, in order to fully understand the ability of NASD members to respond to significant disruptions such as those resulting from the events of September 11th, the NASD administered a survey to a sample cross-section of its membership. While the survey revealed some positive results, it also revealed that a significant number of the NASD members surveyed did not have business continuity plans. The survey results also revealed some sub- optimal procedural practices in the storage of backed up data and recovery systems. Based on the survey findings, discussions with the General Accounting Office and the Securities and Exchange Commission, and the experiences of September 11th, the NASD is soliciting comments on the attached proposed rule. The proposed rule provides that “the requirements of a business continuity plan are flexible and may be tailored to the size and needs of a member.”2 At a minimum, however, each plan would be required to address: (1) data back-up and recovery; (2) all “mission critical 1 NASD Notice to Members 02-23 – Request for Comment (April 2002) (“Notice”) 2 The Notice specifically seeks comments on the scope of business continuity plans. 2 systems”3; (3) financial and operational assessments; (4) alternate communications between customers and the firm; (5) alternate communications between the firm and its employees; (6) business constituent, bank and counter-party impact; (7) regulatory reporting; and (8) communications with regulators. Each NASD member would be required to conduct a yearly review of its business continuity plan and make the plan available for inspection by NASD staff. The proposed rule also would require member firms to provide additional information on the NASD’s Member Firm Contact Questionnaire and keep that information updated. The Notice further indicates that the NASD is contemplating acting as a voluntary repository service for its members’ business continuity plans. Peter Salmon Director - Operations/Technology Frances M. Stadler Deputy Senior Counsel Attachment (in .pdf format) 3 The proposed rule would define “mission critical system” to mean “any system that is necessary, depending on the nature of a member’s business, to ensure prompt and accurate processing of securities transactions, including order taking, entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.”