Unlike other IT areas, where growth in spending by financial-services institutions tends to be stable, business-continuity spending spikes as a result of crises. In 2002, following the Sept. 11, 2001, attacks, it jumped 19%, to $3.4 billion, according to research firm TowerGroup. This year, in response to last summer's blackout, spending is expected to climb 12% to $4 billion. Following the latest threats, TowerGroup expects financial firms' business-continuity spending to climb nearly 10% in each of the next three years, hitting $5.2 billion in 2007.
The financial-services industry swiftly responded to the elevation of the terrorist-threat level last week, setting in motion a full-scale crisis-management plan that's been refined since the Sept. 11 attacks. Hours before the latest threats against specific financial-services buildings in New York, northern New Jersey, and Washington, D.C., were made public on Aug. 1, the Department of Homeland Security notified key financial-services industry representatives. That night, the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security--the main coordinating group between the industry and the government--held a conference call with Treasury Department officials to review what was known about the threat and decide what steps to take. Among those steps was the implementation of added security around the named targets.
Earlier that day, BITS, a banking-industry group that has taken a lead in formulating crisis-management plans, had arranged a conference call among its own members to ensure business continuity and safety of physical assets and personnel. Included on the call were senior executives from the top 100 banks at just below the CEO level--vice chairmen, CIOs, chief technology officers, and chief information security officers.
The terror alert prompted banks to rev up backup and recovery sites. "A half-dozen customers put us on pending alert," says Jim Simmons, CEO at SunGard Availability Services. "The large financial institutions are well prepared. We're concerned with smaller companies."
Since the 2001 attacks closed financial markets for a week, the financial-services sector has taken numerous steps to bolster its already strong business-continuity efforts in the event of a large-scale disaster. Redundant systems, failover switching capabilities, simulations, regular drills and exercises, geographic distance between main and backup sites, and establishment of satellite offices have been tested and retested over the years. "From a back-office perspective, the financial-services industry is extremely resilient," says TowerGroup analyst Virginia Garcia.
Still troubling, though, is the continued geographical concentration of financial-services firms in New York--and terrorists' apparent focus on disrupting financial markets. The headquarters for seven of the top 20 investment-management firms and 14 of the top 20 securities-trading firms are located there, according to TowerGroup. While all these firms have established contingency plans to ensure continued operations, the potential for another attack remains a concern, Garcia says. In particular, she says, it's imperative that senior execs continue to be part of business-continuity planning. Says Garcia, "Whereas in other [IT] segments we see incremental increases in spending year to year, in this market, if something big happens, it gets the attention of high-level executives."