BCP and DRP Best Practices and Lessons Learned from Hurricane Sandy

In response to the damage and business interruptions caused by Hurricane Sandy, the SEC (Securities and Exchange Commission’s Office of Compliance Inspections and Examinations), FINRA (the Financial Industry Regulatory Authority), and CFTC (the Commodity Futures Trading Commission’s Division of Swap Dealers and Intermediary Oversight) performed a joint review of the BCPs (Business Continuity Plans) and DRPs (Disaster Recovery Plans) of affected organizations and firms.

Mobile and Redundant Facilities and Services

Among the observable best practices and lessons learned, business continuity relies heavily on independence from geographical restraints. Multiple redundant facilities and services are highly recommended. Remote access is also critical for business continuity.

Vendor Relationships

Reliance on vendor supplies and services should be categorized according to risk, and alternatives should be established. This ties in with the best practices of examining SLAs (Service Level Agreements) and the BCPs, DRPs, and accreditation reports of approved vendors.

Contact and Communication

Access to contact information (primary and alternative) is essential to business continuity. Since normal means of communication may be disrupted by a disaster, alternative means and methods of communication should be established prior to implementation of the BCP or DRP.

Review and Testing

Best practices also dictate that the BCP and DRP should be fully tested at least annually. Results should be documented and reviewed for continuous improvement, and training should be conducted at least annually or upon any significant change.


The conclusion of the post Hurricane Sandy review encourages organizations to consider implementing these best practices and lessons learned to improve their BCPs and DRPs.