Business Continuity Regulations: USA – All Industries

Laws & Regulations

Impact on Business Continuity  plan (BCP)

Comments

Sarbanes-Oxley Act

Corporate officers are liable for business continuity

Relevant for publicly held companies in the U.S

IRS Procedure 86-19

Requires off-site protection and documentation of computer records of tax information

Records must be available in the event that the primary facility is subjected to unplanned outage

Consumer Credit Protection Act (CCPA) Section 2001 Title 1X

Due diligence for availability of data in Electronic Funds Transfers including Point of Sale

Foreign Corrupt Practices Act 1977

Publicly held corporations must provide “reasonable protection” for IT systems

Holds management accountable

Business Continuity Regulations: USA – Healthcare

Health Insurance Portability and Accountability Act (HIPAA) of 1996

Requires data backup plan, DR plan and emergency mode operation plan

Requires increased budgets, new job descriptions, as well as additional staff and infrastructure

Food and Drug Administration (FDA) Code of Federal Regulations (CFR), Title XXI, 1999

Establishes the requirements for electronic records and electronic signatures

Acceptability of electronic records may require organizations to update BC measures to ensure availability of information

Business Continuity Regulations: USA – Government

Federal Information Security Act (FISMA) 2002

Requires electronic data to be available during a crisis

Emphasis of FISMA is on data security

Continuity of Operations (COOP) and Continuity of Government (COG). Federal Preparedness

Establishes minimum planning considerations for federal government operations

Business Continuity Plan (BCP) maintained at high level of readiness; operational no more than 12hrs after activation

NIST 800-53,Security Controls for Federal Systems, 2005

Mandatory security controls that have specific requirements for continuity planning and testing

Specific details on policy and procedures, plans, training, testing, and updating

FEMA FRPG 01-94

All department heads must plan for continuity of operations

Written documents for BC must be maintained and current

National Institute of Standards & Technology (NIST), SP800-34 2002

Requires electronic data to be available during a crisis. Requires BC/DR and Continuity of Operations (COOP) plans

Business Continuity Regulations: USA – Finance

Federal Financial Institutions Examination Council (FFIEC), 2003-2004

Specifies that Board of Directors is responsible for ensuring that a comprehensive BC plan has been implemented

Covers companies regulated by FDIC, FRB, Treasury Department

Basel II, Basel Committee on Banking Supervision, 2003

Requires that banks put in place BC and DR plans to ensure continuous operation and to limit losses

Best Practice Standard 2007

Expedited Funds Availability (EFA) Act, 1989

Federally chartered financial institutions must have demonstrable BC plans

To ensure prompt availability of funds

GAO/IMTEC-91-56 Financial Markets: Computer Security Controls

Outlines need for risk assessments, data back-up procedures, Business Continuity operations, and security of U.S. Stock Exchanges

Guidelines for stock markets

Business Continuity Regulations: USA – Utilities

North American Electric Reliability Council (NERC) P6T3

Interim provisions if it is expected to take >1hr to implement BC/DR Plan

Details on BC/DR plan for communications, monitoring utilities, training and testing

Governmental Accounting Standards Board (GASB),1999

Requires a BCP to ensure that agency mission continues in time of crisis

Applies to all government

entities that operate utilities

Fed Energy Regulatory Commission(FERC),2003

Mandates recovery plans

Does not apply to Rural Utilities Service (RUS) borrowers and limited distribution co-ops

NERC Urgent Action Standard 1216

DR Plans and procedures must be in place

BC plans only for facilities considered “critical”

Presidential decision directive 13010

BC/DR plans required for all national infrastructures

Business Continuity Regulations: USA – Manufacturing

ISO 9000 Qualifications

Requires incident preparedness, BC/DR plans, testing and assurances

Operational Continuity Management

Business Continuity Regulations: Australia

Protective Security Framework – June 2010

Applies to all Australian Government Agencies and mandates BCM for all agencies

Authority of Australian Government

Prudential Standard  APS232 Business Continuity Management

APRA regulation for BCM in Authorized Deposit-taking Institutions

Australian Prudential Regulation Authority (APRA)

AS/NZS 5050:2010 Business continuity - Managing disruption-related risk

Describes the application of the principles, framework and process for risk management to disruption-related risk

Standards Australia

HB 221:2004 Business Continuity Management Handbook

Process for business continuity management and workbook to assist organizations in implementation

Standards Australia

Business Continuity Regulations: Brazil

NBR15999-1 Gestão de continuidade de negócios - Parte 1: Código de prática

Brazilian Portuguese translation of the English standard BS 25999-1 Business continuity management. Code of practice

Authority of ABNT (Associação Brasileira de Normas Técnicas)

Standard: NC nº06/IN01/DSIC/GSIPR – Gestão De Continuidade de Negócios

Establishing guidelines for BCM, in the bodies and entities of Federal Public Administration

Institutional Security Cabinet – Information Security and Communication Department

Business Continuity Regulations: Canada

Regulation: IDA By-Law 17.19 – Business Continuity Plan Requirement

Establish and maintain a business continuity plan, such that the member can stay in business in the event of a significant business disruption

Authority of OSC (Ontario Securities Commission)

CSA Z1600-08

Canadian standard for integrating business continuity and emergency management programs

Authority of CSA (Canadian Standards Association)

Guideline: Government of Saskatchewan Business Continuity Guide

Business Continuity Guidelines

Authority of Government of Saskatchewan

Business Continuity Regulations: Hong Kong

Regulation: Business continuity planning supervisory policy manual – TM-G-2

Sets out HKMA‘s supervisory policies and practices in order to satisfy the requirements of the Banking ordinance

Authority of The Hong Kong Monetary Authority (HKMA)

HKMA Supervisory Policy Manual, BCP TM-G-2 V1 02.12.02

Requires need for BC plan documentation and testing at least annually

Hong Kong Monetary Authority

Business Continuity Regulations: India

Regulation: India BCP

Enforced by audit, requires need for BC plan documentation and testing for least annually

Authority of 1. Reserve Bank of India (RBI) 2. Securities & Exchange Board of India (SEBI) 3. National Stock Exchange (NSE) 4. Bombay Stock Exchange (BSE)

Good practice: BPO (Business Process Outsourcers)

In IT/BPO organizations, BCM is based on internal business requirements and often global customer specific requirements

Business Continuity Regulations: Japan

Regulation: Business Continuity at Bank of Japan

Assures a consistent approach to operational continuity

Authority of BOJ (Bank of Japan)

Manual for the Development of Contingency Plans in Financial Institutions. Japan FSA

Regular review of plan

Corporate-wide testing at least annually

Authority of FISC (The Centre for Financial Industry Information System)

Business Continuity Regulations: Singapore

Regulation: MAS Business Continuity Management Guidelines

Testing BC plan regularly, completely and meaningfully; developing recovery strategies

Authority of MAS (Monetary authority of Singapore)

Regulation: SGX Member Rules

Rules requiring SGX member firms to develop robust Business Continuity Management (BCM) arrangements

Authority of SGX (Singapore Exchange Limited)

Standards: SS507:2004

Standard for business continuity/disaster recovery service providers

Authority of SPRING Singapore (Singapore productivity and innovation)

Business Continuity Regulations: UK

Regulation: Business Continuity Practice Guide: 2006

Guidance on BC management requirements for regulated firms

Authority of UK Authorities

- Financial Services Authority (FSA)

- HM Treasury

- Bank of England

Standard: BS25999-2 : 2007

Specification for Business Continuity Management

Specifies requirements for setting up and managing an effective business continuity management system

Authority of British Standards Institution