Speakers and attendees at the two-day conference 'Contingency Planning and Disaster Recovery for the Financial Services Sector', held in central London, suggested that although the finance companies coped quite well post-11 September, serious doubts remain about the sector's robustness in the face of further attacks. The central message is that contingency planning must extend well beyond the mere replacement of buildings and hardware.
John McIntosh, head of security at Charteris and chairman of the second day's proceedings, said that this would mean "looking at the human aspects of disasters, and considering their impact not just within a given company but also in those with which it does business on a regular basis."
Clearly, breaches of security can arise for the customers and suppliers of any company whose systems are compromised by a terrorist attack – but even contingency planning itself can bring with it several security risks.
Since 11 September, the provision of third party recovery contracts – through which companies may lease back-up offices, communication systems and computer facilities in the event of a disaster – has risen sharply. "Such contracts can be useful and cost-effective," said Ian Glover of Insight Consulting, "but there might be pitfalls. For example, how could recovery site providers manage if several clients are making a call on their services at the same time?"
If recovery facilities have to be shared, it's quite possible that employees dealing in highly confidential matters might find themselves sitting cheek-by-jowl with their competitors. "Facilities are nearly always arranged to avoid the leakage of important data," added Glover, "but once a security manager loses full-time and total control over business procedures the suspicions will always be there."
In addition, there will usually be a number of activities which simply cannot be farmed out. Ian Ross, business continuity manager at Merrill Lynch, suggested that while some 80% of disaster recovery involved activities that were common to all firms, his own company had to make special arrangements for the remainder – in this case private dealers' wires – when it was hit in last September's terrorist attack.
Insofar as breaches of security affect a company's profits and market share, they can of course be insured against. This is now a rapidly growing practice, though in many cases the insurer will require proof that a company has taken out a crisis management plan.
Nothing, it seems, is going to come cheap or easy in the post-11 September era.
Source: SMT