Sec. 200.17. Business continuity and disaster recovery  


Latest version.
  • (a) Each licensee shall establish and maintain a written business continuity and disaster recovery (“BCDR”) plan reasonably designed to ensure the availability and functionality of the licensee’s services in the event of an emergency or other disruption to the licensee’s normal business activities. The BCDR plan, at minimum, shall:
    (1) identify documents, data, facilities, infrastructure, personnel, and competencies essential to the continued operations of the licensee’s business;
    (2) identify the supervisory personnel responsible for implementing each aspect of the BCDR plan;
    (3) include a plan to communicate with essential persons in the event of an emergency or other disruption to the operations of the licensee, including employees, counterparties, regulatory authorities, data and communication providers, disaster recovery specialists, and any other persons essential to the recovery of documentation and data and the resumption of operations;
    (4) include procedures for the maintenance of back-up facilities, systems, and infrastructure as well as alternative staffing and other resources to enable the timely recovery of data and documentation and to resume operations as soon as reasonably possible following a disruption to normal business activities;
    (5) include procedures for the back-up or copying, with sufficient frequency, of documents and data essential to the operations of the licensee and storing of the information off site; and
    (6) identify third parties that are necessary to the continued operations of the licensee’s business.
    (b) Each licensee shall distribute a copy of the BCDR plan, and any revisions thereto, to all relevant employees and shall maintain copies of the BCDR plan at one or more accessible off-site locations.
    (c) Each licensee shall provide relevant training to all employees responsible for implementing the BCDR plan regarding their roles and responsibilities.
    (d) Each licensee shall promptly notify the superintendent of any emergency or other disruption to its operations that may affect its ability to fulfill regulatory obligations or that may have a significant adverse effect on the licensee, its counterparties, or the market.
    (e) The BCDR plan shall be tested at least annually by qualified, independent internal personnel or a qualified third party, and revised accordingly.