The Impact of Rule 446

In June of 2004, the SEC approved a pair of nearly identical measures that mandated business continuity planning measures for financial sector participants - this had acutally been in the works for some time. The NYSE adopted a version called Rule 446 and the NASD came out with Rules 3510 and 3520. The new rules require members of these organizations to adopt business continuity standards. This is significant because as more and more firms look to adopt some kind of business continuity plan, they often find themselves having little idea where to start or how long the process might take. These rules begin the needed process of developing some kind of standardized way to approach BCP. The implications of these rules will undoubtedly be felt in other sectors.

In fact one of the main beneficiaries of these rules will be small to medium-sized enterprises (SMEs), who until now are saddled with the need to adopt business continuity planning programs, but lack the resources to hire full time risk managers. The need for SMEs to adopt business continuity protocols will be driven by a number of factors, including legislation, but in the short to medium term, this will also be driven by the need to comply with stricter underwriting standards in the insurance industry. A few facts from this article are noteworthy:

"A significant number of randomly selected firms did not have business continuity plans. Of particular concern, many smaller and midsize firms did not store backup data and systems in a separate geographic location from primary systems and records"

"Many smaller firms that typically focus more exclusively on recovery of the IT environment than on recovering all critical business processes may face substantial work to expand their plans to meet new standards"

We'll be keeping a close eye on how SMEs keep up with a whole lot of change that will be coming down the pipe over the next several months.