New & Noteworthy

What You Donít Know About Post-9/11 Emergency Regs

Thereís a flood of new rules for business continuity planning and disaster recovery. Are you up to speed?

January 2008
from CPExpress

* Adapted from AICPA CPExpress

Prior to September 11, 2001, the majority of regulations regarding business continuity and disaster recovery were based on backing up and recovering data, and were focused on the needs of financial institutions. Most regulations were based on the Federal Financial Institution Examination Counsel’s Business Continuity Planning Handbook.

But since September 11, 2001, there has been a proliferation of new regulations and guidelines that cover various other industry sectors. Here’s just a partial list of standards and guidelines related to Business Continuity Planning (BCP) that are new or have changed since 2001:


  • FFIEC BCP Handbook
  • Sarbanes-Oxley Act of 2002
  • NASD Rule 3510 & 3520
  • NYSE Rule 446
  • NERC Security Guidelines
  • FERC Security Standards
  • NAIC Standard on BCP
  • 9/11 Commission Final Report
  • NIST Contingency Planning Guide
  • FRB-OCC-SEC Guidelines
  • Fair Credit Reporting Act
  • California SB 1386
  • GAO Potential Terrorist Attacks Guideline
  • Federal and Legislative BC Requirements for IRS
  • NFA Compliance Rule 2-38
  • Interagency White Paper on Sound Practices to Strengthen the US Financial System
  • NY State Insurance Circular Letter 7
  • ASIS
  • NIST
  • State of NY FIRM White Paper on CP
  • NISCC Good Practices (Telecomm)
  • Financial Info Security Management Act of 2002
  • Patriot Act
  • GAO Potential Terrorist Attacks Guideline

While government and industry regulations continue to emerge around the world, the major new trend emerging over the last few years is that BCP is being forced down through a company’s supply chain. Companies are increasingly pushing BCP compliance to vendors and suppliers in all industries. In one example, a paper document manufacturer is being required by banking clients to build a BCP to meet the banking industry’s strict Federal Financial Institutions Examination Council (FFIEC) requirements. This trend can be referred to as Vendor Continuity Planning where companies will no longer accept a simple “yes” or “no” answer to the question “Do you have a BCP?” Companies are now looking for an independent assessment of a vendor’s BCP.

Additional trends emerging over the last few years include:

  • Insurance carriers are increasingly considering BCP when evaluating a company’s Total Cost of Risk (TCoR). In some cases companies have been given discounts for having a BCP, and in other cases companies have been told the carrier will drop coverage unless a BCP is developed. It appears that the insurance carriers will increasingly consider having a BCP as the cost of doing business (i.e., they will not do business with you unless your company has a robust, tested and up-to-date plan).
  • Companies are increasingly looking at the cost of BCP in terms of “budgeted” and “non-budgeted” expenses. Budgeted expenses would include hiring a consultant, pre-build out of internal company space (i.e., wiring the cafeteria to be used as a recovery location in the event of a disaster), and “hot-site” vendor monthly contracts. Non-budgeted items would be those incurred at the time of a disaster, such as declaration fees, overtime, increased travel and lodging, etc.
  • Companies are now mapping their business interruption and extra expense insurance to their BCP recovery strategies. However, it should be noted that not all disasters will be considered “covered” events.
  • Board level concerns over corporate “State of Readiness,” pressure from auditors and perception of BCP as a competitive differentiator.

For more information, visit AICPA CPExpress.