SPEAKERS CONTENTS INSERTS
Page 1 TOP OF DOC
PROTECTING OUR
FINANCIAL INFRASTRUCTURE:
PREPARATION AND VIGILANCE
Wednesday, September 8, 2004
U.S. House of Representatives,
Committee on Financial Services,
Washington, D.C.
The committee met, pursuant to call, at 10:07 a.m., in Room 2128, Rayburn House Office Building, Hon. Michael Oxley [chairman of the committee] presiding.
Present: Representatives Leach, Bachus, Kelly, Biggert, Miller of California, Capito, Tiberi, Brown-Waite, Frank, Maloney, Gutierrez, Ackerman, Sherman, Lee, Inslee, Hinojosa, Lucas of Kentucky, Matheson, Miller of North Carolina, Emanuel, Scott, and Bell.
Mrs. KELLY. [Presiding.] This hearing of the committee will come to order.
This morning the committee convenes to continue its ongoing oversight of preparedness incident recovery and critical infrastructure protection issues. I thank Chairman Oxley for holding this hearing.
At the heart of critical infrastructure is the safety and soundness of the financial services sector which drives every aspect of our economy. Earlier this Congress, the Oversight and Investigations Subcommittee held a hearing to examine the state of readiness of the financial services sector and the critical infrastructure that allows it to serve our country. In that hearing, the subcommittee learned about many promising steps that have been taken by our financial caretakers, as well as the constant assessment and improvements that still must be performed.
Page 2 PREV PAGE TOP OF DOC
Over the last several years, our country has experienced many extraordinary events that have threatened the safety of the American people and of our financial system, from the horrific attacks of September 11, 2001 to the blackouts and hurricanes, but fortunately our markets have experienced remarkably quick recoveries, illustrating the tremendous resiliency of the financial system and the U.S. economy.
As a result of these events, it is apparent that the technology age we live in, which allows us to provide services and access information in a heartbeat, is both a boon and one of our greatest vulnerabilities. It is imperative that we continually revise our efforts to protect data systems and the infrastructure that allow them to operate, which are ever more entwined and dependent on one another.
Today, this review could not be any more timely. Last month, Department of Homeland Security Secretary Tom Ridge issued a warning of possible al Qaeda terrorist attacks to our financial institutions, including the Prudential Financial, the Citigroup Center Building, and the New York Stock Exchange, as well as the International Monetary Fund and World Bank buildings. The committee is very interested in the steps that have been taken to protect our financial infrastructure since the threat level was elevated to code orange for the financial services sector in New York City, Northern New Jersey and here in Washington, D.C.
As terrorists continue to target our economy and financial institutions, we must ensure our financial infrastructure is strong enough to withstand diverse types of attacks. We must ensure that all our systems, whether financial, energy, transportation or telecommunications, are able to operate under extraordinary circumstances.
The committee is pleased to have with us this morning Federal Reserve Board Chairman Mark Olson, who has been a leader in these efforts in his role at the Fed. We also welcome the Assistant Secretary for Financial Institutions at the Treasury Department, Wayne Abernathy, who also serves as the department's sector coordinator for critical infrastructure protection. And joining us is the Assistant Secretary of Homeland Security for Infrastructure Robert Liscouski, who is responsible for the department's efforts to identify our critical infrastructures and propose protective measures to keep them safe from terrorist attacks.
Page 3 PREV PAGE TOP OF DOC
Keeping our financial systems functioning and safe requires a high degree of coordination between many different and important parties, both public and private. The committee is also pleased to have with us witnesses on our second panel who are leaders in protecting critical financial services assets from major disasters, including several individuals from the great State of New York. These witnesses, along with others in the private sector and the government who could not be represented here today, are working in the field every day to protect our financial systems.
The committee thanks all of our witnesses today for your appearance, and we look forward to your testimony. Together, we hope that we can ensure that our financial systems are functioning smoothly under all circumstances and the American people should have full confidence in the financial services sector.
[The prepared statement of Hon. Sue W. Kelly can be found on page 57 in the appendix.]
Mrs. KELLY. I would like to now recognize my colleague, Ms. Maloney.
Mrs. MALONEY. Thank you very much. I join you in thanking Chairman Oxley and Ranking Member Frank and my colleague from the great State of New York for chairing this meeting. I welcome all of our witnesses, who include a number of organizations that I am privileged to represent. Some of them are my constituents.
In New York City, the heart of the nation's financial infrastructure, we can vividly remember what it was like to have that infrastructure damaged by terrorist attack just 3 years ago. We know very well the extraordinary lengths that many of New York's fine institutions, some of which are represented here today, went to ensure that the financial markets functioned as soon as possible to protect not only the U.S. economy, but that of the world from irreversible harm. I do not think any of us will forget the anticipation, the anxiety before the big boards opened up again and were there to serve the people. These terrible events demonstrated clearly that the protection of our financial infrastructure is essential to the nation's financial system. Unfortunately, they also demonstrated that we were ill-prepared for an attack on it.
Page 4 PREV PAGE TOP OF DOC
So my fundamental question today, to each of the private sector witnesses represented today, is what would happen differently today. My even more basic question to Treasury, the Fed and Homeland Security is who would be in charge of the government response. I would like to hear that there is an established, tested and proven system of coordination and a clear line of authority and accountability so that decisions can be made in a prompt and informed manner, but I am not sure that that is the case.
We have several new committees, the Financial and Banking Information Infrastructure Committee, the Financial Service Sector Coordinating Council, and the Financial Services Information-Sharing and Analysis Center. But how exactly do they work in practice? Who makes the final call? Who staffs these committees? And who is responsible for carrying out their decisions?
I would like to hear how our response system held up last month when the terror level was raised for financial institutions in New York City and elsewhere. I would also like to hear how that system is working now to ensure a speedy and sufficient response to the danger posed by Hurricane Frances to the financial institutions in its path. We, this committee, know the government is capable of a sustained and coherent response to threats to the financial infrastructure.
As those of us who have served on this committee know, we were prepared for the Y2K threat. There were many hearings, the government response, and many oversight hearings. But as the 9/11 Commission reports, that effort relaxed after the millennium passed and the government was not well coordinated nor was key information properly shared among various agencies or with the private sector in the months leading up to September 11.
One year after September 11, this committee asked the General Accounting Office to report on what additional steps had been taken to protect the financial infrastructure since that catastrophe. The GAO report, which was the last government report issued on this subject in February of 2003, gave regulators and firms a mixed assessment, criticizing them for having focused on clearing and settlement activity, to the exclusion of trading and retail firms.
Page 5 PREV PAGE TOP OF DOC
Our Oversight Committee reviewed the ground again in October of 2003 in the context of the August 2003 blackout, and we had the pleasure of hearing from many of our panelists today. As a New Yorker, I am proud of the way in which the public and private financial sectors of my city worked together to respond to these two tremendous disasters and are continuing to work with the federal government.
Such efforts demonstrate that our cities are prepared to protect their financial industry and that the calls some have made for financial institutions to create backup locations hundreds of miles away from an urban area are totally misguided. They can have them in a different area of the urban area. Congress and the federal government should support the hubs of our nation's finance by providing additional homeland security funding to them and by assisting them in identifying and protecting the critical elements of our financial infrastructure that they possess.
So as we sit here today, we have recent reminders of how crucial it is constantly to review and refine the safeguards of our financial infrastructure. I look forward to hearing from our witnesses what they have done to protect the physical body of the nation's financial system from harm, and what we can do to be of assistance in that effort.
I thank all the panelists for being here and yield back my balance.
Mrs. KELLY. Thank you very much.
Mr. Bachus?
Mr. BACHUS. I thank the Chairman.
I would say in response to what Ms. Maloney said, that of course the structure for responding to a terrorist attack actually was established back in 1998 by Presidential Decision Directive 63, signed by President Clinton. Then it was refined by Executive Order by President Bush right after 9/11. I think that the experience that we had on 9/11, that experience was that our financial markets are very resilient and that we were in fact prepared for something which is almost impossible to be prepared for, something we never faced before. But the financial markets functioned very well, and showed a great amount of resilience.
Page 6 PREV PAGE TOP OF DOC
Despite the infrastructure damage to the World Trade towers and actually the physical loss of the facilities, the market operations recovered very quickly. I think we are all amazed at how quickly they responded. I think that is very good news. The GAO did make certain recommendations, but again a lot of what you all focused on was because really you were directed to focus on those things. I think all in all, clearing and settlement, if you do not focus on those things, you have a real problem. As far as retail firms and trading organizations, I think since the last year and a half, and we are going to hear from our second panel, you have done a great deal to focus on that. I know the latest threat is what the two speakers before are focused on, was actually car bombs or a bomb which would take out some physical structure.
But you are actually, our first panel, you are the designated people under the presidential directives to be in charge, and the designated agency for our financial institutions is the Treasury Department, working with other organizations. So I think the underlying message ought to be that financial institutions, our financial markets performed very well under a tremendous attack. The market did not recover, but that was a result of just market factors and facing a new threat, and the facts of uncertainty in the world, not anything to do actually with the inability of the markets to operate.
I would also say, and I am sure that there will be a question addressing this, there are certain things that you have asked us to do, and one of them is the netting provisions, which in the Congress, we passed it out of the House, but the Senate has never taken it up. You have identified that as one of your top priorities in case of another financial attack. So this Congress really has failed to do some of the things that you have said are most important.
So with that, I end my comments, but I applaud the administration for everything they have done.
[The prepared statement of Hon. Spencer Bachus can be found on page 50 in the appendix.]
Page 7 PREV PAGE TOP OF DOC
Mrs. KELLY. Thank you very much.
Mr. Hinojosa?
Mr. HINOJOSA. Thank you, Chairwoman Kelly.
I want to thank you and Ranking Member Frank for holding this very important hearing today.
The United States needs to remain prepared for any and all terrorist attacks following the horror that we endured on 9/11. We need to remain vigilant to ensure that similar attacks never happen again on U.S. soil.
As I noted during the committee's hearing on the 9/11 Commission report during the August recess, we here in the United States need to focus on increasing the security of our own documentation such as driver's licenses, passports, and visas in order to prevent such terrorists from entering the United States again. The 9/11 Commission Vice Chairman Lee Hamilton agreed that we need to increase the security of our own documentation and such measures should include requiring biometric information and security features such as fingerprints, digitized photos, holograms and serial numbers on these types of documents, and increasing the technology with which financial institutions can verify IDs.
Prior to 9/11, the United States consulate that required biometric information from individuals seeking entry into the United States was the U.S. consulate in Mexico. Such biometric data and more is now included as part of the 12 security features Mexico added to the matricula consular ID card in 2002. As the Washington Times noted some time ago, the updated matricula consular ID card is more secure than many of our U.S. documents. Perhaps we should emulate the security features incorporated into the card as we create a new, more secure system of documentation in the United States.
The U.S. was very lucky that the 9/11 terrorist attacks did not completely halt the free flow of the U.S. capital markets for very long. Granted, the New York Stock Exchange and others closed down for a short time, and certain Federal Reserve Bank airplanes were unable to fly for a time due to the flight restrictions following the terrorist attacks. These Federal Reserve flights are an integral part of the payment clearinghouse system in the United States. Nonetheless, I was very impressed by the ability of the New York Stock Exchange to adapt quickly to the terrorist situation and to accommodate the trades of so many exchanges on its own system in the days following 9/11.
Page 8 PREV PAGE TOP OF DOC
I ask that the balance of my opening statement be included, Madam Chair.
[The prepared statement of Hon. Rubén Hinojosa can be found on page 55 in the appendix.]
Mrs. KELLY. Of course. We would be glad to include the opening statement of anyone of the members of this committee, and it is so moved.
Mr. Leach, have you an opening statement?
Mr. LEACH. Just briefly. Just very briefly let me mention a couple of things by perspective. As everybody in banking knows, a century ago a famous bank robber once commented that, why do you rob banks? You do it because that is where the money is. But the interesting aspect about the modern financial system is that financial institutions and trading institutions are not where the money is. It is simply where assets are traded and kept track of. Great violence applied to a bank; great violence applied to a trading institution in one sense does not destroy a lot of assets. It destroys to some degree or disrupts tracking mechanisms, but if there is good redundancy, the system itself can be not harmed gravely. So redundancy is really the issue.
Secondly, I think that we ought to beware that even though it is true that Congress has really been slacking in its discipline in not putting forth a netting bill, which is a very important bill and one which I have long advocated, and it is not done largely because we have problems that related to inter-institutional committees of jurisdiction, but hopefully it will happen this year. But the big issue is, what happens if there is a calamity? Here, the great aspect of perspective is that we have had for many decades authorized an institution of the United States Government, the Federal Reserve, to liquefy any calamity anywhere in the world, but particularly in the United States. So if something awful were to happen to a financial institution, the Fed is there to make sure the system can be sustaining.
I only say this because acts against the financial community are acts of barbarism, but they are not acts that bring down the American system. They are simply acts of barbarism. Everybody in the private and public sector has to be very concerned that we get any system that goes down, up and running again, but that can happen. The American system will not be affected as a country. It will simply be a disruption. That is the way we have to work at it because we cannot perfectly protect anybody and anything.
Page 9 PREV PAGE TOP OF DOC
Let me just in conclusion say, because I tried to discount the importance of the netting bill, let me raise its importance again. It is really irresponsible that Congress has not acted yet to put forth a bill that settles derivatives-type trading instruments on an orderly basis instantaneously. We are obligated to do that and I am hopeful that that will happen this fall.
Thank you, Madam Chairman.
Mrs. KELLY. We turn now to Mr. Gutierrez.
Mr. GUTIERREZ. Good morning and thank you, Madam Chairman, for calling this hearing on protecting our nation's financial infrastructure. I am particularly pleased that we will be hearing from Brian Tishuk of ChicagoFIRST, an organization composed of Chicago's primary financial institutions that was formed to address these various issues.
ChicagoFIRST is an excellent example of a public-private partnership that should serve as a model for other regions. We will be hearing in detail about the formation of the organization, which was not an easy task. We will also hear about their recent tabletop exercise which tested the partnership's ability to function under the threat of a terrorist attack. At the appropriate time, I will be asking the Department of Homeland Security about certain matters in the written testimony, specifically the fact that ChicagoFIRST has discussed with DHS its interest in hardening Chicago in general and the financial district specifically.
As part of that, ChicagoFIRST has recommended funding for certain equipment being sought by both the City of Chicago and ChicagoFIRST; the placement of a DHS center in Chicago; and has asked for DHS's help in procuring security clearances for certain financial representatives so that they can participate more actively in the protection of the city's financial infrastructure. These recommendations and requests have apparently gone unheeded and no answers have been forthcoming from Homeland Security to ChicagoFIRST. I will be asking DHS, though it has been helpful to ChicagoFIRST, if it could take more of an initiative to reaching out to financial centers other than Chicago to promote regional partnerships.
Page 10 PREV PAGE TOP OF DOC
I wish to thank my colleague, Congressman Emanuel, for his request that ChicagoFIRST testify before us, and I look forward to the testimony, as well as the testimony of the other witnesses.
Thank you, Madam Chairman.
Mrs. KELLY. Thank you very much, Mr. Gutierrez.
Mr. Scott.
Mr. SCOTT. Thank you very much, Chairlady.
This is a very timely hearing, and I, like many people across this nation, am quite worried about another possible attack. I certainly want to thank Chairman Oxley and Ranking Member Frank, Ms. Kelly, for holding these hearings today.
The recent warnings of attacks on financial services targets caused no disruption to financial activity. However, concrete Jersey barriers have multiplied around New York and Washington. While these temporary barriers provide some cosmetic protections against potential terrorist attacks such as car bombs, what about suicide bombers who could very well just be walking Wall Street or any of the streets in the area or any of the streets in Washington, D.C., and get very close to us, as we have seen from other places around the world?
To be prepared, to be vigilant, we need to know concretely, what is the role of our Federal Reserve? What is the role of our Treasury Department? How are their roles coordinated with our basic intelligence agencies of the CIA, the FBI and the Defense and State Departments's intelligence agencies, of what is happening around the world in other financial capitals? I would be very interested to hear your response in terms of our reshuffling the deck on our intelligence operations to see if our financial services industry's intelligence apparatus will work better under a new general authority of an intelligence czar.
I think further also we have to work to prevent attacks by monitoring and by detecting terrorists. Let us take a look at certain organized crime groups that work concretely with terrorist organizations. I think also that we are going to have to look at other areas, our computer systems, our telecommunications networks, our electrical power grids, our transportation systems, how all of those work. Also, terrorist organizations may be targeting cities other than New York and Washington, D.C. And maybe they may be even more likely targets, regional financial centers like Atlanta, Chicago, San Francisco, and Houston.
Page 11 PREV PAGE TOP OF DOC
It is important that the financial infrastructure include regional plans to address these threats. For example, federal agents recently arrested a man from Pakistan who was videotaping buildings in several southern cities, including my own city of Atlanta. And other regional threats, that would be power failures, natural disasters.
Certainly, as Congress reviews the financial services industry's readiness to respond to attacks, we must also work to ensure that any attacks do not cause long-term damage on creditworthiness of innocent consumers. And then finally looking at the world, and the impact of how, for example, a terrorist attack on a financial center such as Tokyo or Paris would have on our financial system, this particularly in view of the fact that we are the world's leading financial center.
These and many other questions I look forward to examining. I think this is a very important hearing this morning, and I look forward to each of your testimonies.
Thank you, Madam Chair.
Mrs. KELLY. Thank you, Mr. Scott.
Without objection, all members' opening statements will be made part of the record.
We turn now to our first panel. We have three witnesses on our first panel: The Honorable Mark W. Olson, member of the Board of Governors, Federal Reserve. We have the Honorable Wayne Abernathy, Assistant Secretary of the Treasury for Financial Institutions, Department of Treasury. And we have the Honorable Robert Liscouski, Assistant Secretary of Homeland Security for Infrastructure Protection.
Without objection, your written statements will be made part of the record. You will each be recognized for a 5-minute summary of your testimony. I am sure that all of you have testified in front of these committees before, so I do not need to explain the lighting system.
Page 12 PREV PAGE TOP OF DOC
Mr. Olson, let us begin with you.
STATEMENT OF HON. MARK W. OLSON, MEMBER, BOARD OF GOVERNORS, FEDERAL RESERVE SYSTEM
Mr. OLSON. Thank you very much, Chairwoman Kelly. We thank you, Ranking Member Frank, Chairman Oxley and members of the committee for holding this hearing. I agree with all of the members who have acknowledged that this is an important subject and a very timely subject.
A number of questions have come up. I would be happy to address them as the questioning goes around, but let me just open by talking about three specific points that I would like to highlight. First, many of you started your opening remarks by talking about the efforts of 9/11. Of course, that was what constituted the start of a new era for us in terms of our recognition of both the exposure to terrorism activities and other threats to the financial services system.
The Federal Reserve, of course, responded that day by providing, among other things, $100 billion of liquidity into the financial services system, as Congressman Leach alluded to in his opening remarks. I think that the resilience of the system at that point was demonstrated by a number of facts. Number one, the fact that the Fed over the course of a 5-day, in fact even a several-week period, responded in a different way providing either liquidity or overdraft protection or responding to changing needs as a result of the excesses of float that were building up in some parts of the system.
We also initiated the swap lines for currencies with other central banks, indicating the cooperation internationally that we have been able to achieve and had achieved up to that point. Beyond that point, the Fed then began to look at its own resiliency. We initiated 40 different efforts to test our own ability to provide financial services, the redundancy necessary to provide the financial services, and the ability to sustain operations over a period of time.
Page 13 PREV PAGE TOP OF DOC
I would point out that on 9/11, the Federal Reserve Bank of New York did not close; that last weekend with the hurricane in Miami, the Miami Fed and Jacksonville Fed did not close. So we have a very strong track record of being able to meet those needs.
Beyond our own efforts, of course, an interagency team produced a white paper involving the Fed, the Comptroller of the Currency, and the SEC, where we identified the requirements of the critical financial institutions in order to meet clearing and settlement responsibilities on an ongoing basis, and in order to meet the critical functions of the financial services network. For each of the institutions that have been identified, a target deadline has been set to achieve the level of readiness which is anticipated either in 2005 or 2006, depending on their starting points.
Additionally, and this is the point that a number of you alluded to, there is a heightened level of cooperation among the federal agencies and within the private sector. The Treasury Department has been designated as the lead as sector liaison, and we have been happy to work with them. I think the resilience of it and the importance of it was brought out in response to the elevation to code orange under the direction of Homeland Security. In our judgment, that worked very well and we achieved a state of readiness very rapidly after the information was made available.
Indeed, Congresswoman and members of the committee, we feel that the financial institutions sector has progressed in a very significant way over the course of the past several years, particularly the last 3 years, and it continues to improve. It is a moving target, as we learn more about the potential threat. As Congressman Scott suggested, we need to adjust as new information is produced, and we have done so.
I would be happy to answer questions when my time comes.
[The prepared statement of Hon. Mark W. Olson can be found on page 125 in the appendix.]
Page 14 PREV PAGE TOP OF DOC
Mrs. KELLY. Thank you very much, Mr. Olson.
Mr. Abernathy.
STATEMENT OF HON. WAYNE ABERNATHY, ASSISTANT SECRETARY FOR FINANCIAL INSTITUTIONS, U.S. DEPARTMENT OF TREASURY
Mr. ABERNATHY. Chairwoman Kelly, Ranking Member Frank, members of the committee, I am pleased to tell you that the financial services sector is in a state of advanced readiness and preparation, and that it handled well the recent information about terrorist targeting of specific institutions. Customers were able to continue business as usual. While there was concern, there was no crisis. There was no panic, but rather activation of planned steps to mitigate exposure to risks. I applaud our intelligence and law enforcement agencies for obtaining this vital information and promptly sharing it with the affected institutions.
President Bush has led the development and implementation of an effective program to defend our country against terrorism. Protection of our financial infrastructure is a key element of that program and much valuable work has already been done. That is because we have long known in general what recent information has reaffirmed with specificity, that our financial institutions are being targeted by our enemies. They are under assault every day. Most of these assaults are in the nature of electronic or cyber attacks such as computer viruses, trojans, worms and various forms of financial fraud, including fishing and spoofing. These assaults have progressed from computer hackers and pranksters into theft, and now we believe on to schemes to disrupt organizations and operations.
Some of these attacks have their sources in organized crime. Increasingly, still more sinister actors are involved. I do not say this to be alarmist, but rather to make the point that our financial institutions have for some time now been operating in a dangerous environment, and they are becoming increasingly adept at doing so successfully. This success is a result of careful organization and hard work by the private sector and government agencies at all levels.
Page 15 PREV PAGE TOP OF DOC
The organized government effort today is based upon a directive from President Bush, Homeland Security Presidential Directive 7. This is a flexible, coordinated program that works well in marshaling resources and activities. HSPD-7 places upon the Department of Homeland Security the central responsibility for coordinating the overall national program. The directive relies upon specific agencies to take the immediate lead, ensuring that critical protection efforts will be led by departments that have the expertise and experience. Treasury is the lead agency for the banking and finance sector.
Nearly all of the financial infrastructure is owned by the private sector. We work closely with the private sector through reliance upon several organizations. Chief among these is the Financial Services Sector Coordinating Council or FSSCC, the chairman of which is appointed by the Treasury secretary. The current chairman is Don Donahue, a senior officer of the Depository Trust & Clearing Corporation in New York City. The FSSCC is made up of entities and trade associations representing virtually every financial institution in the nation.
Alongside the FSSCC is the Financial Services Information-Sharing and Analysis Center, or FS-ISAC, the chief communications system for the sector on a wide variety of threats and challenges. Last year, Treasury devoted $2 million to develop and implement a plan for broadening the reach of the FS-ISAC. In the last couple of weeks, Federal Housing Finance Board Chairman Alicia Castaneda and I sent a joint letter to each of the federal home loan banks encouraging them to join the FS-ISAC. We continue to encourage all financial institutions to sign up.
Under the sponsorship of the President's Working Group on Financial Markets, and chaired by the Treasury, the Financial and Banking Information Infrastructure Committee, or FBIIC, brings together representatives of all of the federal and state financial regulators. A cardinal rule of the FBIIC and the key to its success and achievement over the last several years is the principle of responsibility. The FBIIC does not try to take over the responsibility or interfere in the work of any agency. What the FBIIC provides is a means of coordinating efforts, sharing best practices, pooling talents and resources, facilitating communication, encouraging wherever possible and cajoling where necessary.
Page 16 PREV PAGE TOP OF DOC
While terrorist threats themselves are bad news, I see much good news in our latest experience. Our antiterrorism efforts are bearing fruit, providing valuable information that is being applied and acted upon appropriately by the financial sector just as soon as it is made available, without disruption or degradation of services. The success of the collective actions of the federal, state and local governments and the preparedness and response of the private sector are progressively denying terrorists their objective, their goal of disrupting our free markets. Freedom and free markets are the targets of the terrorists, and we are showing that we can harness the power of free people and free institutions to defeat the terrorists.
So in conclusion, there is much work yet to do, but tremendous work has already been done. Our markets are deeper, more resilient than ever before, and they are becoming more so every day.
Thank you.
[The prepared statement of Hon. Wayne Abernathy can be found on page 59 in the appendix.]
Mrs. KELLY. Thank you, Mr. Abernathy.
Mr. Liscouski.
STATEMENT OF ROBERT LISCOUSKI, ASSISTANT SECRETARY, INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION, DEPARTMENT OF HOMELAND SECURITY
Mr. LISCOUSKI. Good morning and thank you, Chairwoman Kelly and Ranking Member Frank and distinguished members of the committee. It is a pleasure to be before you this morning to discuss the protections that we have with the financial services sector. I am going to address some of the comments specifically in the question-answer period, but I would like to give an overview of where we are today in working with the Department of Treasury and the Fed.
The Office of Infrastructure Protection specifically has focused on monitoring and assessing threats and vulnerabilities to all sectors, including the banking and the financial services sector. Before I begin, I would like to recognize the efforts of the Department of Treasury and the Fed, and commend them for their leadership to organize and take the first steps to protect the financial infrastructure prior to September 11.
Page 17 PREV PAGE TOP OF DOC
Subsequent to the creation of the Department of Homeland Security, the Treasury Department and the Fed have been key partners with DHS in continuing the execution of our efforts to protect our critical infrastructure. In preparation for responding to threats and elevated threat levels, my office and the directorate for which I work, IAIP, has been building and coordinating a two-way exchange of information with the public and private sectors. These efforts have also included building relationships with the private sector and government entities, as well as implementing and integrating technical and information-sharing solutions.
The financial services sector has developed two effective mechanisms for two-way information sharing. The Financial Services Sector Coordinating Council, the FSSCC, as Assistant Secretary Abernathy just described, consists of senior representatives of major financial institutions representing a cross-section of the financial industry. The second component, the Financial Services Information Sharing and Analysis Center, the FS-ISAC, provides a mechanism for gathering and analyzing and appropriately sanitizing and subsequently disseminating information to and from its members and the federal government. The FS-ISAC conducts threat intelligence conference calls periodically at the unclassified level for subscriber members. With IAIP providing input, these calls cover physical and cyber-threats and vulnerabilities and incidents that have recently occurred. It includes suggestions and recommended proactive actions that can be taken to mitigate the threats.
Sector coordinating councils and their ISACs maintain and provide DHS with distribution lists, which allow them to quickly disseminate threat warnings, alerts and advisories to members of their sectors. Information provided by the sectors is incorporated into the situational awareness picture, together along with the intelligence community's information and the law enforcement community concerning possible threats to the nation's critical infrastructures.
The sectors are also capable of initiating crisis conference calls within an hour of notification via a crisis alert. In addition, DHS has established close working relationships with the appropriately cleared senior sector members such as the financial services sector to provide classified information relevant to the threat environment.
Page 18 PREV PAGE TOP OF DOC
The interconnected and interdependent nature of our infrastructure makes our physical and cyber-assets difficult to separate and therefore it would be ineffective and inefficient to address them in isolation. Consequently, my office integrates both the strategy and the tactics necessary for the appropriate protection of the cyber, physical and people assets in concert. In working with the infrastructure protection office of the United States secret service, for example, it recently joined forces with the Carnegie-Mellon University Software Engineering Institute's CERT Coordination Center, CERT/CC, in order to conduct an analysis of the insider threat.
The insider threat study is a collaborative effort to better understand the insider activities affecting information systems and data in critical infrastructure sectors, to include the banking and finance sector. The insider threat study examined incidents involving employees who intentionally exceeded or misused an authorized level of system access that affected the organization's data, daily business operations, systems security, or other areas via computer. The study focused on online behaviors and communications in which the insiders engaged prior to the incidents.
On August 24 of this year, the first part of the report was released to the public sector. It is referenced as the Insider Threat Study Elicits Cyber-Activity in the Banking and Finance Sector. This portion of the report focused on individuals who have had the access and perpetrated harm using information systems in the banking and finance sector, which includes credit unions, banks, investment firms, credit bureaus, and the financial institutions. The findings highlighted in this area of the report are of great benefit to the financial sector and provided concrete examples of how insiders accomplish their activities and offered suggestions on what security and policy procedures might deter or prevent future activity.
I would like to discuss now the latest series of threats against U.S. financial institutions spurred by ongoing concerns over al Qaeda's interest in targeting U.S. critical infrastructure, as well as recent intelligence revelations of detailed reconnaissance of several U.S. financial institutions. The level and specificity of information found was alarming, prompting DHS to recommend raising the threat level of orange for the financial services sector in New York, Northern New Jersey and Washington, D.C. on August 1. This was the first time the level had been changed for an individual sector and geographic-specific location.
Page 19 PREV PAGE TOP OF DOC
In response to the heightened threat level, IAIP acted on several fronts in coordination with Treasury and Fed to address the threat. Conference calls were arranged between DHS, industry leaders, chief security officers, state and homeland security officials, and local law enforcement officials, and with numerous financial institutions. Our relationship and communications with the private sector security leadership for the affected institutions particularly were key to our overall approach on how to effectively manage the threat situation.
We provided immediate alerts to the financial sector regarding the threat and we continued to work with the industry to ensure that all targeted financial institutions were individually briefed. IAIP coordinated with federal, state and local law enforcement entities to ensure that the appropriate information was exchanged between government and the private sector.
We also polled the various financial institutions to determine what additional protective measures were needed for implementation as a result of the heightened alert period. We dispatched personnel immediately to the facilities in Washington, New York and Northern New Jersey to conduct site-assist visits, which would evaluate the recommended security measures in collaboration with local law enforcement officials and asset-owners and operators to ensure that the appropriate vulnerabilities were identified and remediation measures were taken.
In addition to the site-assist visits, IAIP personnel have been working with the individual facilities and local law enforcement to create buffer zones around the most critical facilities. These are community-based efforts focused on rapidly reducing vulnerabilities outside the fence of an institution or facility to select critical infrastructure components in key resources. We work closely with the law enforcement community and the private sector to ensure that these plans and implementation strategies are effective and efficient.
As I have discussed with you today, IAIP has taken many actions to secure the financial services sector, in partnership with treasury and the Fed, and we have laid a foundation for a true partnership with the public and private sector. Based on this foundation, with continued dedication we will continue to work to protect the nation's critical infrastructure.
Page 20 PREV PAGE TOP OF DOC
Thank you for the opportunity today and look forward to your questions.
[The prepared statement of Robert Liscouski can be found on page 109 in the appendix.]
Mrs. KELLY. Thank you very much, Mr. Liscouski.
I would like to ask you about a question you just brought up. Mr. Liscouski, you mentioned the Carnegie study, and you talked about the insider threat. My first question, does it make any difference? You talked earlier about the department working with financial institutions and software companies to identify vulnerabilities and to design enhanced software assurance practices. Does it make any difference if these vulnerabilities are international or if they are home-grown?
Mr. LISCOUSKI. The concern you raise is a valid one, particularly because of the way software is deployed throughout our critical infrastructure at-large and particularly in the banking and finance sector. Let me just preface my remarks by saying a holistic security program has to consider all elements of security. So it is a physical security approach, cyber as well as personnel security. The software assurance practices that you are discussing also include insurance that software is developed and engineered to the appropriate specs and standards and there are quality assurance conducted on software before it is shipped out.
So when we talk about internationally developed software or that which is outsourced internationally versus that which is developed here in the United States, the first point in securing an institution, whether it be a banking institution or other critical infrastructure component, is to ensure that the appropriate procedures and mechanisms, the people and process part of the security approach, is taken.
We cannot take a slice of that pie and examine it independently for its vulnerabilities without examining the interdependencies of the entire process. So we alleviate those concerns by assuring that best practices are followed within institutions, within critical infrastructure components, and good policies and procedures and security practices are set up, so we can mitigate the potential effects of any software vulnerability, irrespective of whether it is internationally developed or developed by an international company abroad or domestically.
Page 21 PREV PAGE TOP OF DOC
So the insider threat study looks at ways that those exploits could be manifested or can be exploited, and it looks at ways that security procedures and processes can be put in place to help mitigate that risk.
Mrs. KELLY. What recommendations did the study make? Have you additional recommendations? Would you care to share that with the committee?
Mr. LISCOUSKI. Yes, ma'am. I would refer to the report specifically. I apologize for not having a copy in front of me, but my recollection of the report, and I can validate this in writing to you later, it did not specifically address software development in the context of insider threat. It looked more from the perspective of the insider threat as a trusted user on a system, and therefore someone who potentially could abuse their trusted access internally to an organization.
So in the context of that part of the study, there were a variety of recommendations made for procedures and policies which would limit a person's access, but yet balancing the need for conducting business. So it focused on behavioral aspects of insiders that might foretell that there was a problem, as well as recommended policies that could help mitigate those threats.
Mrs. KELLY. Thank you. I want to ask one other question of you, sir. What sorts of warning signs should financial institutions be looking for in the case of both physical and cyber attacks? Are there warning signs out there that these institutions should be looking for?
Mr. LISCOUSKI. Yes, ma'am. I think this past month, in August and the end of July when we received the threat information is a good indicator or a good example of how those warning signs can be manifested. What we learned from the casing reports that were exploited from the information we received that resulted in the threat warning going up was that there is oftentimes detailed surveillance occurring at financial institutions and other critical infrastructure components which are observable behaviors. And subsequently, as we have indicated, these precursors or pre-incident indicators of terrorist activity resulting in surveillance, anomalous types of activities that can be observed need to be communicated.
Page 22 PREV PAGE TOP OF DOC
So what the lesson from that was that that information was shared with the private sector, the banking institutions in this case and the financial institutions, to be shared with their security personnel, and those folks were in a position to observe anomalous behavior and report that back. So the types of attacks that we are concerned about in this particular case were typically kinetic or bombing types of attacks, those which would require a breach of a perimeter and some sort of pre-operational surveillance to identify the vulnerabilities of a particular institution. Those things are all observable, and if they are observed and reported, we can get an indication of what is occurring pre-incident, just as an example of something that was shared.
Mrs. KELLY. You looked at bombing attacks, did you say, but you have also looked at the cyber-threats. So you have looked at both sides of what is happening.
Mr. LISCOUSKI. That is correct. In the context of the recent threat, the job of my office is precisely looking at the nexus of all threats, irrespective of if they seem to be dominated by a physical threat as in this case initially. We take a very detailed look at the cyber-environment to see if there is any activity that would indicate that a specific institution is being targeted as a result of various types of probing. So we consider all the threats, either cyber or physical or the people aspect of it, in concert when we get threat information.
In this particular case, we had no evidence that there was a cyber-threat manifesting itself in the context of this particular physical threat.
Mrs. KELLY. Thank you very much.
My time is up. We turn now to Ms. Maloney.
Mrs. MALONEY. I would like to ask the Fed, Honorable Mark Olson, the white paper you discussed focuses on clearing and settlement. Are you planning a companion piece focusing on the areas that the GAO noted were left out? They cited trading and retail firms.
Page 23 PREV PAGE TOP OF DOC
Mr. OLSON. A number of things have happened since the GAO study, or at least concurrent with the GAO study. Primarily among those was the release of an FFIEC best practices, that focused on those issues. So in addition to the clearing and settlement, there has been an internal effort within the regulatory agencies focused on the trading platforms and the retail platforms.
Mrs. MALONEY. I would like to ask the Homeland Security Assistant Secretary, Robert Liscouski, I understand that we were lucky in that the targets identified in the recent terror alert were not facilities whose destruction would pose a systemic risk to our financial structure. Rather, they were highly visible targets whose destruction would likely cause a large loss of life and have a symbolic value of attacking some of the most successful institutions in our financial services.
As you know, many of those targets are in cities. I would like to say that, especially New York City was cited in the last terrorist threat. Even worst, I believe, is that the facilities whose destruction would pose a systemic risk to our financial infrastructure are also largely located in major cities like the one I am privileged to represent, New York City.
My question is, how does this square with a formula for funding homeland security protections under which, to give one example, New York, according to the congressional survey, CRS report, ranks number 35? Yet in our area, certainly financial infrastructure, both the systemic structures that could cause disruption to our services, and certainly the ones that even the terrorists cite that are symbolic, are in New York City and other large places. So I wonder why this is happening? I commissioned a CRS study myself which showed that New York City has gotten about 30 cents per person for every dollar, and other states have received much, much more.
So just focusing on the infrastructure of our financial services, it seems incredibly unfair that New York City, which is cited by terrorists and also cited in intelligence briefings, is having the systemic structure that could really permit damage.
Page 24 PREV PAGE TOP OF DOC
Mr. LISCOUSKI. Ma'am, I am not familiar with the results of the study you cited. I would be happy to get back to you with the exact dollars that have been distributed to New York City. I do not have that in my data here. I can tell you I am working with the New York City Police Department and the homeland security adviser in New York, as well as the private sector institutions. They have a very robust capability to respond to that threat.
As you well know, recently with the most recent threat situation we had in New York, the Department of Homeland Security as well as the New York City Police Department and the state police in New York responded very aggressively and very robustly to that particular threat. They were not impeded at all. We work very closely with the city in providing the appropriate level of resources they need to supplant their efforts. Again, I will get back to you in writing if you prefer, to respond to the exact dollar figures that have been provided. I just do not have that information.
Mrs. MALONEY. Even the 9/11 Commission report noted that the funding formulas for high-threat homeland security, they called it ''pork barrel'' politics, and certainly it should be based on need. I would appreciate your getting back to me.
Mrs. KELLY. Thank you very much. Ms. Maloney, your time is up.
Mrs. MALONEY. The light is not red yet.
Mrs. KELLY. Oh, I am sorry. I thought it was.
Mrs. MALONEY. Okay. I would like to ask Mr. Olson, did the events of 9/11 reveal a need for either new powers for the Fed or a need for new arrangements with the private sector, for example, foreign banks?
Mr. OLSON. Clearly, Congresswoman, we recognized that following 9/11 one of the most important things that we needed to have happen is that the Fed needed to be designated as an enforcement agency. That was accomplished in the Patriot Act. Congress responded very rapidly to that important need.
Page 25 PREV PAGE TOP OF DOC
I think the response to 9/11 suggested to us is that there was a need to consider the risks at a level at which we had never considered them before, which is exactly what your opening series of questions was designed to get at, the most chilling of which was up to that point most business continuity plans were made presuming that the people would still be there. Post 9/11, that was the one thing that changed and the one thing that was different, and the one thing that we now anticipate seeing both from our own perspective and when we examine financial institutions.
The CHAIRMAN. [Presiding.] The gentlelady's time has expired.
The gentlelady from Illinois, Ms. Biggert.
Mrs. BIGGERT. Thank you very much, Mr. Chairman, and thank you members of the panel for your testimony and efforts to help America's financial sector prepare to withstand catastrophic events.
I am going to address my first question to Mr. Liscouski. I also am from Illinois, as the Chairman just said, and we do have concerns here about ChicagoFIRST. We will hear testimony later, so I do not want to say too much about it. I am concerned, and I would like to ask you what the Department of Homeland Security is doing to promote and encourage the infrastructure preparedness in the financial service sector, particularly with ChicagoFIRST, which was a group formed by the financial sector in Chicago in the outlying areas after September 11.
I think the achievements that they have found in a regional way that they have to really have at their tabletop to have 27 financial institutions serving the City of Chicago, all of the agencies, the Federal Bureau of Investigation, Federal Deposit Insurance Corporation, FEMA, financial and banking information infrastructure.
What seemed to be missing there with all of these agencies was really the Department of Homeland Security stepping up to the plate and really being there for that, and to see how that works. Because I think that we see this as a model that can be used across the country. It seems that there has not been much support from the Department of Homeland Security.
Page 26 PREV PAGE TOP OF DOC
Mr. LISCOUSKI. Congresswoman, thank you for your question. Actually, I would like to just add some more context to that, because I believe that since we have started up we have provided a lot of support to the financial sector, and particularly to the Chicago Mercantile Exchange and others where we have done tabletop exercises. So I think maybe a lack of initial visible support was just a function of the way we were starting up our organization.
Since that time, in the past year and a half, we have been working very closely with the sectors, particularly in the Chicago area. I think at the first tabletop, ChicagoFIRST was just standing up, so it might have been a little bit too early at that point. I can give you more details on that. But as you well know, working with Treasury and other members of the financial sector, we stood up at the Financial Services ISAC to conduct a number of tabletop exercises, all geared at the financial sector. We broadened the financial sector's tabletop exercises to not just include the cyber aspects, but now physical aspects. We are taking that on the road so we now can do more interdependent sector-type of tabletop exercises, just not uniquely those positioned for the financial services sector.
We are working very closely with the U.S. Secret Service, which is part of DHS as you well know. We have a very close working relationship with the investigative division of the U.S. Secret Service in remediating and working real-time on investigations and identifying various vulnerabilities in the financial sector, and quickly remediating those vulnerabilities in a virtual sense, working with banks and other financial institutions as they are found.
So while we have been building up our processes within DHS, I would remind you we have been around for about a year-and-a-half now. My department really was something that came up virtually with very little infrastructure of its own. As we have been building it and building partnerships, I think we have a very effective and very good story to tell there. So as I pointed out, we are funding many different types. These tabletop exercises are a prime way for us to be able to ensure that we have best practices and effective measures for protection of the financial sector.
Page 27 PREV PAGE TOP OF DOC
ChicagoFIRST has been on our list now to work with. We understand that there is a request for some financing outside the FS-ISAC. We are working with them to examine that, maybe not as quickly as they would like at this point, but as in all things they do take some time, so we are examining those opportunities. I would suggest to you that we will find ways that we continue to work with the financial sector.
Mrs. BIGGERT. I know that the testimony in the next panel will address those issues and say that they really have received no communication from the department as far as their inquiries into the funding, into procuring security clearances for key financial representatives, so that there can be a deeper collaboration. It seems to me that this does seem to be a real model, and I would hope that you would work closely with them and use them.
Mr. LISCOUSKI. Sure. I will take that under advisement and I will look into that specifically and get back to you. Thank you.
Mrs. BIGGERT. All right. Thank you.
And then Mr. Abernathy, certainly the Department of Treasury has been involved with ChicagoFIRST, too. Could you tell me a little bit about how you have worked with the ChicagoFIRST?
Mr. ABERNATHY. We certainly agree with you, Congresswoman Biggert, that ChicagoFIRST is a model to be taken around the country. We were involved with the ChicagoFIRST from its beginnings. In fact, one of my senior staffers is currently the head of ChicagoFIRST, Brian Tishuk. He was very much involved when he was working for Treasury in helping to get ChicagoFIRST organized.
But I want to give the chief credit to the financial community in Chicago that came together and realized that they have some very important national financial assets in that city that need protecting, and the best way to protect them is to coordinate efforts, to team up and to recognize that when it comes to protecting the financial infrastructure, it is not a matter of competition. It is a matter of coordination and cooperation.
Page 28 PREV PAGE TOP OF DOC
What we are now in the process of doing is working together with the Financial Services Roundtable's BITS organization, another industry-coordinating organization, to document how ChicagoFIRST was put together, how it works, and put together what we call a cook book that we would then like to take to the other financial centers around the country and have them apply it as appropriate in those cities.
Mrs. BIGGERT. Thank you very much. I yield back, Mr. Chairman.
The CHAIRMAN. The gentlelady yields back.
The gentleman from Georgia, Mr. Scott.
Mr. SCOTT. Thank you very much, Chairman Oxley.
I have a couple of questions. First Governor Olson, in your testimony you stated that vulnerabilities continue to pose challenges to the financial system and that sound practices will be able to help recover from a widescale disruption. Yet you mention that sound practices addresses only recovery, and not prevention of a terrorist attack. I would like for you to talk about that for a moment, and particularly answer this question in light of that. Is the Federal Reserve currently involved with providing information or sharing information with law enforcement agencies to help prevent attack? What is the Federal Reserve doing in working with our other intelligence agencies to prevent the attack? Answer that one first.
Mr. OLSON. Sure. It is an excellent question and it gets to the heart of what we spend a great deal of our time doing. In the post-9/11 era, we in particular have strengthened the resiliency. We have increased our focus on prevention. We begin with a premise that our number one priority is our people, so you cannot focus on your people without focusing primarily on prevention. So what we have done is we have looked at our perimeter security, and we have significantly upgraded both the quality and the quantity of our protection force, not simply at the Fed in Washington, but also throughout the Federal Reserve System.
We have increased our communication with law enforcement agencies and with other governmental agencies. We have monitored information carefully. The reason I bring that point up is because when we reviewed the information that was intercepted in the last several months, we have discovered how much information that was intercepted was information that was already on the public record. So we choose not to be real specific in a public forum. But you and other members of this committee are entitled to a lot more information on what we are doing, and we would be very happy to provide a private briefing for you on what we are doing in that area, because your questions are right on point. Much of what we are doing, particularly in the way of perimeter security, is involved in protection.
Page 29 PREV PAGE TOP OF DOC
Mr. SCOTT. Thank you very much. I would be interested in that other detail.
Mr. OLSON. I have one more follow-up, because I would be remiss if I do not speak to it. The telecommunications area is one that we are still working on because of the interdependency of both the financial institutions and the interconnectivity among the private sector telecommunication companies. We are working jointly with that industry to try to assure a greater protective capability, but that is a subject which we will continue to focus on and hopefully the Congress will too.
Mr. SCOTT. Thank you, Governor.
Assistant Secretary Abernathy, in your testimony you said that most of the assaults on our nation's financial institutions are cyber attacks, computer viruses and organized crime. Could you share with this committee how those three areas impact our readiness for these terrorist attacks, organized crime, cyber attacks and computer viruses? And have you seen any evidence that terrorists have been sophisticated enough to mimic these types of attack? And how are they coordinating it, especially with organized crime?
Mr. ABERNATHY. Congressman, you have zeroed in on what I think is probably the number one area of concern and effort in terms of responding to existing vulnerabilities. We have done a good job as far as I think can be done with regard to the physical security. But with regard to the danger to the systems, the question is, what are the vulnerabilities to these cyber-attacks? As I mention in my testimony, we have seen them evolve from the pranksters into organized crime, and now we are beginning to see what we think is a pattern suggesting that it is going beyond organized crime to perhaps terrorists or others that are not interested in stealing the money so much as trying to keep the systems from operating.
We have been working very carefully with the financial institutions themselves, as well as the computer experts, the makers of software, the designers of the hardware, and the designers of the systems, to create a more resilient system to respond to those kinds of cyber-attacks that might occur.
Page 30 PREV PAGE TOP OF DOC
Mr. SCOTT. When you say ''organized crime,'' are we talking about American organized crime? Are we talking about international organized crime?
Mr. ABERNATHY. It is both, sir. Now, American organized crime, but one that is particularly difficult to deal with is organized crime that originates from a foreign country. That is something that we have seen on the significant increase in recent months.
Mr. SCOTT. Okay. My last point was, if I could Mr. Chairman, very quickly, you also stated, Mr. Abernathy, that you sent a letter to the federal home loan banks to ask that they join the Financial Services Information Sharing and Analysis Center. Have you heard from these banks? If so, what have they said?
Mr. ABERNATHY. We have just recently sent the letter, so as we expect it takes time for them to process and make the decisions. We have asked the FS-ISAC, the financial services organization itself, to make the direct contacts to these banks and to ask them, you have heard from the secretary, the assistant secretary; you have heard from the chairman of the Federal Housing Finance Board; are you ready to sign on. We are very hopeful that they will, but we have not had any takers yet to this point, but it is still early.
Mr. SCOTT. Thank you.
Thank you for your generosity, Mr. Chairman.
The CHAIRMAN. The gentleman's time has expired.
The gentleman from Iowa, Mr. Leach.
Mr. LEACH. I am just trying to put a sense of perspective in what you are saying. It is impressive to me that a couple of words have come up. One is resiliency of institutions; another is redundancy of systems. It strikes me that the two R's are probably the most important concepts.
Just in terms of defense of our systems, I think we have to make it clear that decapitation does not bring us down. That is, loss of life, as Mr. Olson mentioned, is something that we are prepared to deal with in terms of how we proceed in the future.
Page 31 PREV PAGE TOP OF DOC
My concern is that we have a dual circumstance, resiliency and redundancy in the private sector. We also have it in the public sector. In an emergency, the Fed is the center point. So I would like to ask Mr. Olson, are you confident of the Fed's resiliency and the Fed's redundancy of systems? While it was not designed for this purpose, does the fact that you have regional institutions magnify your strengths? Is decentralization also a systemic strength?
Mr. OLSON. Let me answer your questions in the reverse order of the one in which you asked them. In terms of the dispersal, the fact that we have Fed systems throughout the country is indeed part of our strength. It is part of our strength in terms of its role in monetary policy, but it also provides us with a physical diversity that is very important for us, while we are assuring both the resiliency and the redundancy. It meant that in many cases our ability to provide backup or partnering, the capability, the facilities were already there to do so. So that is particularly important.
In terms of our ability to meet future circumstances as they unfold, I think that the best way to respond to that is evaluating the manner in which we have responded in the past, for example to 9/11. I think the fact that the banking system did not close; that at no point in time did any customer even in Manhattan not have access to their personal financial information. Now, they might not have had access to the information at the branch or the ATM where they were accustomed to having it, but it was available because of the resiliency of the system and because of the large numbers of systems.
So I would say we are cautiously confidence. That is not a subject that we would ever take for granted.
Mr. LEACH. Is there such a thing as a Fed in a mountain?
[Laughter.]
Mr. OLSON. I am not sure what you are asking me.
Mr. LEACH. What I am saying is, do you have a second Federal Reserve headquarters?
Page 32 PREV PAGE TOP OF DOC
Mr. OLSON. Oh. Could I get back to you on that on a private basis?
Mr. LEACH. Of course, fair enough.
Mr. OLSON. As with Congressman Scott, these are important questions that we would be happy to provide that information for you in another setting.
Mr. LEACH. Fair enough. Just one final, just to be very precise, the subject of Congress's approach to a possible bill on netting has been raised and addressed. I am correct in assuming that as Chairman Greenspan indicated in the last hearing, the Federal Reserve strongly supports a netting bill. Is that correct?
Mr. OLSON. Very much so. We appreciate your support and the support of the other members of this committee who have indicated their support for moving that bill. That would be a very important step forward, we believe.
Mr. LEACH. Treasury concurs?
Mr. ABERNATHY. Yes, sir. We would like to see that enacted either as part of the bankruptcy legislation or as free-standing legislation. It is very important.
Mr. LEACH. And our third witness, you would concur on that as well? Thank you.
Thank you, Mr. Chairman.
The CHAIRMAN. The gentleman's time has expired.
The gentleman from North Carolina, Mr. Miller.
Mr. MILLER OF NORTH CAROLINA. Thank you, Mr. Chairman.
My questions are about private sector preparedness and what we are doing to encourage it. The 9/11 Commission devoted a page to the topic. They pointed out that 85 percent of the critical infrastructure was in private sector hands. They said that they had encouraged the American National Standards Institute, ANSI, a very well respected industry group, to develop and promulgate national standards for preparedness, convening safety, security, business community experts, and to develop a voluntary national preparedness standard.
Page 33 PREV PAGE TOP OF DOC
Mr. Liscouski, do you agree that those standards should be voluntary? Should there be some force of law behind them? Let me first disagree to some extent with Mr. Leach, who said that he thought an attack on our financial institutions would be an act of barbarism, but not something that would bring our system down. It strikes me that a serious disruption in our financial institutions could have a catastrophic effect on our economy. Do you agree, first of all, that the risk is grave to our economy generally? And then second, that whatever standards we come up with, what we think the private sector should be doing, should be voluntary, as opposed to having some force of law behind it?
Mr. LISCOUSKI. Congressman Miller, I do not want to take this out of context, but I believe the statement regarding the catastrophic effect of the attack was the concern about the most recent threat.
Mr. MILLER OF NORTH CAROLINA. I was not referring to anybody else's testimony, then. I was talking about my own perception. I have attended a hearing on the Science Committee about the loss or disruption of the electrical grid. If that happened, the ripple effect through our economy could be very, very serious. It strikes me that the same thing is true in the financial services sector. If American business cannot get access to money, they cannot pay their bills, they cannot make payroll, they cannot buy materials. The people they do business with are not getting paid, and on and on. The possible loss there is serious. Do you not agree with that?
Mr. LISCOUSKI. Of course. In the broad context of what the overall catastrophic effect could be on the financial services in general, yes, that is exactly the type of thing we look at from the consequence-of-loss perspective. We always look at the consequence of loss when we are looking at sectors and vulnerabilities.
Mr. MILLER OF NORTH CAROLINA. Okay. How about the voluntariness? Do you think it should be voluntary or do you think there should be some force of law behind the standards that ANSI has promulgated, that the 9/11 Commission has said need to be abided by American business?
Page 34 PREV PAGE TOP OF DOC
Mr. LISCOUSKI. I just want to conclude my previous comment by saying that we have yet to see, however, anything that would manifest itself in terms of a threat that would be at that catastrophic loss level. With respect to standards and regulation, as you well know the financial industry is fairly well regulated now. The standards that are imposed by the regulation in many cases adequately addresses the requirements to meet the specific threats that we are operating against.
I think in a general sense with respect to standards, we are looking to establish best practices and guidelines throughout the community, all the critical infrastructure components, to ensure that we get good compliance and practices to respond to various types of threat scenarios against which we are operating. Whether it be ANSI, we are currently working with the American Society of Mechanical Engineers to develop ways to bake into business processes for best practices. It is at that level that we think we can have the most benefit to affect the outcome of security for the long term.
I think the challenge in terms of looking at regulation or standards to remediate against a current threat, and they can never happen quickly enough. I think the best efforts we can make are looking for long-term systemic changes in business practices and security practices for the industry is irrespective in the financial sector across critical infrastructure. My office in particular in working with the private sector to ensure that we take that approach.
The one thing we have to be very careful of is that there is not a one-size-fits-all standard. We have to be careful about ensuring that when we look at it.
Mr. MILLER OF NORTH CAROLINA. I am not sure I got an answer to my basic question of what should be behind it other than a hope for goodwill.
Mr. Abernathy, in your testimony you said the FBIIC will also try to share best practices, encouraging whenever possible, cajoling where necessary. That strikes me as a fairly limited range of options. First, we are going to encourage you, and if you do not do right, we are going to ratchet up and cajole you. I am not sure the prospect of being cajoled is going to strike fear in the hearts of a lot of folks. Is that your whole range of options, to encourage compliance with best practices or standards or whatever you call it?
Page 35 PREV PAGE TOP OF DOC
Mr. ABERNATHY. Let me explain the context. The cajoling and encouraging is with regard to the federal and state regulatory agencies themselves. We do not have any enforcement authority with regard to the Securities and Exchange Commission, but the Securities and Exchange Commission, for example, has very significant authorities with regard to the entities that they supervise.
So when it comes to the encouraging and cajoling, it is making sure that the banking regulators, including the Fed, the SEC and other banking regulators are using their authorities to make sure that the financial institutions themselves are applying their regulatory powers and employing the kinds of best practices that you talk about, what the various standards are, to make sure that they are able to continue to provide the services that they are chartered to provide.
So the enforcement tools are in the hands of the regulators. The job of the FBIIC is to make sure that the regulators are using and applying those enforcement tools.
The CHAIRMAN. The gentleman's time has expired.
The gentleman from Alabama, Mr. Bachus.
Mr. BACHUS. Thank you, Mr. Chairman.
Governor Olson, I want to commend you. We talked about netting earlier, and I want to commend you and the Fed because Chairman Greenspan in some testimony before the Congress recently talked about how important the netting provisions were. So I hope the Senate gets the message, and we are able to include that in some legislation.
Mr. OLSON. We thank the members of this committee that have been supportive in that effort. We agree that it is important.
Mr. BACHUS. I would take this time just to say again that, Chairman Oxley, before 9/11 took steps which I think this committee, working with the regulators, to ensure that our financial institutions and our markets did go through 9/11 I think in an exemplary way.
Page 36 PREV PAGE TOP OF DOC
My two questions I am going to ask are for Assistant Secretary Abernathy. You mentioned that $2 million that Treasury spent on the Financial Services Information Sharing and Analysis Center.
Mr. ABERNATHY. Yes, sir.
Mr. BACHUS. Can you tell me about what Treasury's commitment is to that center, which was formed actually by Executive Order?
Mr. ABERNATHY. The center itself was formed in 1999, if I am not mistaken.
Mr. BACHUS. Or 1998, by a presidential decision.
Mr. ABERNATHY. Yes. It was actually formed by the private sector pursuant to encouragement from the federal government, but it is a privately created and organized entity. What we did was in recent years, we looked at that entity that originally had a very narrow focus, coordinating the largest financial institutions. In visiting with them, we said in order to do your job you need to be able to reach all of the financial institutions. Of course, their response was, how do we do it?
So we funded a consulting group to look at just how you can expand the FS-ISAC and have it self-supporting. The FS-ISAC does not receive any operating funds from the federal government and we wanted to have a system that was sustainable by being funded by its members exclusively. We have come up with a plan and a reorganization that we believe is working and is moving forward very well.
Mr. BACHUS. What are your plans in regard to the future of the center?
Mr. ABERNATHY. It is to continue to have it develop as the central means of coordinating information among the whole financial sector. To demonstrate just how flexible it is, we have various levels of communication that are available on the FS-ISAC. There are first of all threat announcements that go out to everybody, but it is also a platform where specific segments of the financial sector can get together and communicate with one another on important critical infrastructure problems, and we are seeing already a number of efforts to do that and to use that as the platform for it.
Page 37 PREV PAGE TOP OF DOC
Mr. BACHUS. Okay. Treasury provides critical financial services that need protection every day, like daily check forecasts and cash forecasts and collection and disbursement of federal funds or federal monies, conducting Treasury auctions, things of that nature. What are you doing to see that these important functions are somewhat insulated against potential threats?
Mr. ABERNATHY. You are absolutely right, Congressman. Besides being the chairman of these coordinating roles, Treasury itself has important roles in the financial system, particularly with regard to the movement of all the federal money, both the money that is coming in and then the money that is disbursed to pay all the bills and all of the checks. We frequently work with that element of Treasury in those particular bureaus to make sure that they have those two words that Congressman Leach talked about, resilient and redundant operations in place. We feel very confident that Treasury has those not only established, but we test them frequently.
Mr. BACHUS. All right. I have no further questions. I would like to say for the record, I think this is correct, the PDD-63 which President Clinton authorized and it was amended by Executive Order, but I think that mandated that the center be established. I could be wrong, but I am pretty sure that that would make sense because that was 1998, and if it was created in 1999.
Mr. ABERNATHY. Yes, I believe that is right. What I wanted to emphasize, though, is that it is a privately owned entity and we think it derives a lot of strength because of that, fostered by government, if you will, and encouraged, and it is built into a network of other ISACs. But its strength comes from the fact that it is owned and governed by the private sector.
Mr. BACHUS. Right. And I think we will see that in the second group of panelists who are some of the stakeholders or participants.
Page 38 PREV PAGE TOP OF DOC
The CHAIRMAN. The gentleman's time has expired.
The Chair would announce we have about 8 minutes left on two floor votes. I would ask the gentleman from New York if he would be brief.
Mr. ACKERMAN. Brief.
The CHAIRMAN. That was the word I was looking for. The gentleman from New York.
Mr. ACKERMAN. Yesterday, the nation received very startling information from the Vice President of the United States. He contended that if he were not reelected, together with the President, and the Democrats instead were elected, that hundreds of thousands of Americans would be killed in a terrorist attack. I would like to know if that is a bunch of political hyperbole, or in the hard work that you have been doing at the Federal Reserve, at the Treasury Department, at Homeland Security, you have come across any information whatsoever, over the transom, rumors, chatter, or anything else that would indicate that there is any validity or truth to what the Vice President says.
Mr. OLSON. Speaking on behalf of the Fed, that is above my pay grade, Congressman. I do not have access to the information to answer it.
Mr. ACKERMAN. So you have seen no information that that is true?
Mr. OLSON. I would say that the question is above my pay grade. I have not addressed the question.
Mr. ABERNATHY. Congressman, I did not see the comments so I would not want to comment on it for my own. I will just add that we see constantly, as I have pointed out in my testimony, that the financial services sector is under assault every single day.
Mr. ACKERMAN. Nothing to do with Democrats?
Mr. ABERNATHY. As far as I can tell, it is a continuous assault that is not letting up in intensity.
Page 39 PREV PAGE TOP OF DOC
Mr. ACKERMAN. Under a Republican administration.
Mr. ABERNATHY. This has been in place now happening for numbers of years.
Mr. ACKERMAN. But there is no indication that it is politically biased. Okay.
Mr. ABERNATHY. Nothing that I have seen.
Mr. ACKERMAN. And Homeland Security?
Mr. LISCOUSKI. I think my colleagues have perfectly addressed the question, sir. Thank you.
Mr. ACKERMAN. Has anybody made contingency plans just in case the Democrats are elected, in any of your agencies?
[Laughter.]
The CHAIRMAN. I have made some contingency plans.
[Laughter.]
Mr. ACKERMAN. I do not mean about your future personally. I thank the panel and I thank the Chairman for his indulgence.
The CHAIRMAN. Thank you.
Ms. Lee?
Ms. LEE. Thank you, Mr. Chairman.
Very quickly, let me just thank you again for being here. I come from the San Francisco Bay Area, and of course we are very concerned not only from attacks and vulnerabilities as it relates to natural disasters, but of course as it relates to vulnerabilities from terrorism.
I would just like to know what, as you see it in terms of the Bay Area, in terms of financial institutions, because many of the top financial institutions are in the San Francisco Bay Area, what do you see as some of the vulnerabilities?
Page 40 PREV PAGE TOP OF DOC
What do you recommend, especially Mr. Liscouski, in terms of the coordination between federal, state and local officials in terms of the San Francisco Bay Area?
Mr. LISCOUSKI. Without getting into the specifics of the protective measures and the vulnerabilities, it is probably not appropriate for this forum, but I think I can talk generally speaking with respect to our coordination with state and local officials. We work very closely with the Homeland Security officials in California, and specifically the local officials in San Francisco, and routinely.
I would be happy to provide to you a separate reporting as far as what specific measures we have taken, again just out of deference for the type of information we are talking about.
Ms. LEE. Thank you.
Assistant Secretary Abernathy, what do you identify or have you looked at some of the greatest vulnerabilities facing San Francisco's financial district? Is that part of the overall planning that you have done?
Mr. ABERNATHY. One of the things that we do on a constant basis is trying to identify what are the key critical elements of the financial infrastructure; what their vulnerabilities are and then how we can address those. Certainly, we look at wherever they are. They are not located all in New York City. Some are there, and some are in other parts of the country. Financial services are extremely important to the economy of San Francisco and from San Francisco a lot of important financial services are provided throughout the nation.
One of the things that we think will be of great help to San Francisco and other money centers around the country is, as I mentioned, this cook book that we are putting together of looking at the ChicagoFIRST model and providing that to financial centers around the country and encouraging them to develop appropriate coordinating efforts in their cities as well.
The CHAIRMAN. The gentlelady's time has expired. We have to go to vote.
Page 41 PREV PAGE TOP OF DOC
Ms. LEE. Okay. We have to go.
The CHAIRMAN. I want to just take the Chair's prerogative to ask Mr. Abernathy the status of TRIA, and just a few comments, then we have to close this down.
Mr. ABERNATHY. Certainly, Mr. Chairman. We are progressing as the law has outlined for us an analysis of how the Act is performing. We put in place, as I think we mentioned here previously, a very meticulous, sequenced data collection exercise so we could see just what is happening on the ground.
The CHAIRMAN. As required in the Act.
Mr. ABERNATHY. As required in the Act. We just received the most recent collection of data from insurance providers. We are also looking at developments not only here in the United States, but there is a very interesting development with connection to the Olympic Games.
There we had some very prominent activities that had absolutely no government support at all that were able to find terrorism risk insurance. We are looking at that example to see what it tells us with regard to the availability of the products.
The CHAIRMAN. I thank all of you, and this panel is dismissed. The committee stands in recess until 12 noon.
[Recess.]
Mrs. KELLY. [Presiding.] We welcome our second panel today. We have Mr. Robert G. Britz, president and co-chief operating officer of the New York Stock Exchange; Mr. John Mohr, chief operating officer, New York Clearing House; Mr. Wilton Dolloff, executive vice president, operations and technology, Huntington Bancshares Incorporated, on behalf of BITS and the Financial Services Roundtable; and Mr. Samuel Gaer, chief information officer, New York Mercantile Exchange.
Mr. Emanuel, I understand that you would like to introduce our next guest on the panel.
Page 42 PREV PAGE TOP OF DOC
Mr. EMANUEL. Thank you, and thank you for holding this hearing.
I first went to meet with Brian and the ChicagoFIRST group a couple of months ago. Brian Tishuk is the executive director, and prior to that he had a distinguished career at Treasury working on a set of issues over there. ChicagoFIRST, in Brian's discussion and in answer to questions, will show as a role model to what other cities can do in a sense of the private sector coming together, starting ready-to-do planning to deal with unintended events.
In Chicago, like other major financial centers, we have about 320,000 to 350,000 jobs in the area who rely on the financial services industry, leaders in the future, it is an options industry. And what ChicagoFIRST has done is a remarkable job in coordination with also what the City of Chicago has done.
So I am pleased that the Chairwoman agreed to have ChicagoFIRST and Brian as a person to testify today. As I told Brian earlier, I have Alan Greenspan in the Budget Committee, and no disrespect intended, I am going to get and go there and ask my questions of Chairman Greenspan so I can tell Brian what interest rates are going to be like tomorrow.
I want to thank the Chairlady for holding this hearing and thank the entire panel for giving their time today.
Mrs. KELLY. Thank you very much.
Let us begin with you, Mr. Britz.
STATEMENT OF ROBERT G. BRITZ, PRESIDENT AND CO-CHIEF OPERATING OFFICER, NEW YORK STOCK EXCHANGE, INC.
Mr. BRITZ. Thank you, Chairwoman Kelly.
Ranking Member Frank, distinguished members of the committee, I am Robert Britz. I am president and co-chief operating officer of the New York Stock Exchange. As such, I am directly responsible for the day-to-day operation of our market, our trading floor, our data-processing sites, our technical infrastructure, software development, and our information business. In addition, I also serve as the chairman of the Securities Industry Automation Corporation, or SIAC, which is a technology subsidiary of the New York Stock Exchange and the American Stock Exchange.
Page 43 PREV PAGE TOP OF DOC
On behalf of the NYSE, I want to thank the committee for holding this hearing and giving us the forum to discuss the NYSE's investment in business continuity and contingency planning post-9/11. The NYSE lists more than 2,750 companies with a combined market capitalization of around $18 trillion. Just for context, the next-largest marketplace in the world hovers between $2 trillion and $3 trillion. We trade on average 1.5 billion shares a day, or in dollar terms about $50 billion. Ensuring the world's largest equity market can open for business every day under all circumstances is clearly our highest priority.
Madam Chairwoman, the NYSE has a long history of developing forward-looking business continuity strategies that harden and protect our physical and technology infrastructure and improve our ability to withstand or recover from a disaster. Our approach consists of three components: to prevent an attack or natural catastrophe; to withstand them; and to recover from them.
In close cooperation with federal, state and local law enforcement, the Exchange has expanded its physical security perimeter. We have also taken measures to increase the screening of all people, package delivery and mail that enters the NYSE or our data centers. And we have instituted a more restrictive policy vis-a-vis visitors and deliveries. Business continuity planning did not begin after 9/11. Before 9/11, we made sure that all of our facilities had emergency generators, uninterrupted power supply, and stored water on-site, to enable continued operation after the potential loss of power or water.
Our technology infrastructure was already connected to a private extranet that utilizes geographically redundant fiber routes. The NYSE and SIAC employ large security forces and invest in automated security systems to protect the infrastructure. Significant investments have been made in information security personnel and infrastructure to protect our systems from intrusions and attacks, while enabling our business partners to connect to the NYSE technology complex in a secure manner.
Page 44 PREV PAGE TOP OF DOC
Our primary trading floor is actually five different trading floors located in four different buildings. Trading can be moved from one location to another as may be necessary. Since September 11, the NYSE has made an investment totaling more than $100 million to prevent and/or recover from an interruption to our market. The specific business continuity programs include both new initiatives, as well as enhancements to existing programs. In particular, the NYSE has built a contingency trading floor, expanded SIAC's emergency command center, created the Secure Financial Transaction Infrastructure network or so-called SFTI network, constructed a remote network operations center, and recently received approval to establish a remote national market system data center.
The NYSE's regulatory group filed and the SEC recently approved new business continuity rules, Rule 446 for NYSE-member firms. In addition, beyond ensuring the resiliency of the NYSE, to ensure continuity of trading the NYSE has modified its systems to accept four-character symbols so that we can be a position to trade over-the-counter Nasdaq securities should that ever be necessary.
In addition, we have enhanced NYSE and SIAC disaster recovery planning, physical and information security; developed and implemented a mandatory business continuity training program for all NYSE and SIAC employees; enhanced emergency employee communication systems to ensure key personnel can be reached; and all personnel have access to relevant and timely information in an event. We have instituted a temporal dispersion initiative with respect to the data center staff, and we also are adding additional generating capacity at the New York Stock Exchange proper.
The NYSE employs a rigorous information technology structure to ensure reliability of all of the information that we receive, process and disseminate to the world every day. We employ external perimeters, firewalls, intrusion detection, internal access controls, and we conduct penetration testing with so-called ''friendly'' hackers.
Page 45 PREV PAGE TOP OF DOC
The NYSE and SIAC launched the Secure Financial Transaction Infrastructure network, or SFTI, as I mentioned a moment ago. It has become the primary extranet serving the financial industry. It provides diverse redundant routing to SIAC data centers for member firms, national market system participants that are connected to the NYSE, to the American Stock Exchange, the National Market System, and DTCC's IT infrastructure as well.
Following 9/11, U.S. equity trading was interrupted because many broker-dealers lost their connectivity to the markets due to the damage suffered by a major central telecommunications switching facility near ground zero. SFTI addresses this by enabling member firms to connect to the NYSE's data centers via multiple access points, so-called carrier hotels throughout the New York metropolitan area, as well as Boston and Chicago. From these access centers, message traffic is carried over a geographically diverse fiber network owned and managed by SIAC.
Beyond the resiliency of our market, the NYSE is prepared to trade Nasdaq stocks if that case ever arises. While NYSE systems have been modified and can support four-character symbols used by the unlisted stocks, no need for any modification on the part of the broker-dealer systems. And because our capacity today, NYSE's capacity vis-a-vis its own stocks, is about five times our average daily volume of 1.5 billion shares, we have no question about the ability to absorb the extra traffic resulting from Nasdaq stocks.
Madam Chairman, in your invitation to testify this morning, you also asked that the NYSE share its experiences relative to the limited code orange threat issued on August 1. On Sunday, August 1, Secretary Ridge of the U.S. Department of Homeland Security announced that al Qaeda was targeting specific sites in Washington, D.C.; Newark, New Jersey; and New York City, including the NYSE. In addition, Secretary Ridge announced that the Department of Homeland Security was raising the terror threat level to orange for New York City. At approximately 6 p.m. the prior evening, the New York office of the FBI contacted NYSE security officials to inform them that the FBI had information that was very pertinent to the NYSE, and they requested that we meet with them immediately, which indeed we did.
Page 46 PREV PAGE TOP OF DOC
This intelligence clearly indicated that al Qaeda had surveiled the NYSE. On Sunday, August 1, the FBI and the NYPD informed the NYSE that there would be immediate increase in NYPD officers and NYPD ''Hercules'' teams deployed around the NYSE's perimeter. In addition, the NYPD would increase the number of truck inspections for vehicles traveling south of Canal Street to determine if those trucks actually needed to proceed downtown toward the financial district.
On Sunday, August 1, the NYPD pledged their assistance for police department access and cooperation during the heightened alert. The Department of Homeland Security, as well as other federal, state and local agencies, notified the NYSE before Secretary Ridge's announcement that the exchange was a specific target. With this advance notice, the NYSE was able to communicate with its employees through our contingency Web sites. Under these contingency sites, we are able to provide timely information about the status of our operations for Monday, August 2, to members, member firms, member firm employees, and NYSE employees.
On Tuesday, August 3, NYSE officials met with Homeland Security Secretary Ridge, New York City Mayor Michael Bloomberg and both pledged their cooperation in the provision of federal and New York City assets as needed.
Since 9/11, all of our efforts have served to increase the NYSE's physical security, presence, and its business continuity planning. Our enhanced business continuity contingency planning are online and being tested every day. Unlike many localities and sites, New York City and the NYSE remain at a higher level and will remain at a heightened alert to protect the people and the infrastructure that operate the NYSE's agency-oriented market.
In the event of another terrorist attack or catastrophe, the NYSE plans to resume trading in a timely, fair and orderly fashion that will provide confidence to America's 85 million investors. While the NYSE and SIAC have implemented a comprehensive contingency plan that will provide for an orderly resumption of trading in the event of an attack or other catastrophe, we cannot prepare for every possible contingency. We will continue to work with the SEC, the Department of Treasury, Homeland Security, and the NYSE's member firms, the financial services industry, and federal, state and local law enforcement to address the threats and to implement strategies and solutions.
Page 47 PREV PAGE TOP OF DOC
I hope the foregoing is helpful to the committee. We look forward to working with this committee going forward on matters of mutual interest, and I would be happy to answer any questions. Thank you.
[The prepared statement of Robert G. Britz can be found on page 65 in the appendix.]
Mrs. KELLY. Thank you so much, Mr. Britz.
Mr. Mohr?
STATEMENT OF JOHN MOHR, EXECUTIVE VICE PRESIDENT, NEW YORK CLEARING HOUSE
Mr. MOHR. Good afternoon. My name is John Mohr and I am an executive vice president of The Clearing House, which is headquartered in New York. Just to correct the record of the cover sheet of the testimony, it lists me there as the chief operating officer. I wish that I were, but I am not.
Mrs. KELLY. Thank you.
Mr. MOHR. We are headquartered in New York and we are the nation's oldest and largest clearinghouse. We are owned by 19 very large, global, international and regional banks. We were founded in 1853, and we are a private sector global payments system infrastructure that clears and settles more than $1.5 trillion each day. We serve as an industry forum for addressing strategic and regulatory issues dealing with payments made in U.S. dollars. The Clearing House serves more than 1,600 U.S. financial institutions and manages payment services that span the entire spectrum of paper, paper-to-electronic, and electronic payments.
I want to thank you for this opportunity to update you on steps we have taken to further strengthen the key elements of the U.S. payment infrastructure which are operated by The Clearing House. One of the key lessons learned from the 9/11 disasters was that from a business continuity perspective business as usual was no longer adequate. Contingency and business continuity plans needed to be reevaluated and refocused.
Page 48 PREV PAGE TOP OF DOC
Since 9/11, the financial industry has increased its focus on the resiliency of its high-value payment systems. It is universally agreed that systems such as CHIPS, which is our large-value payment system, must be capable of resuming full capacity operations quickly, within hours of any catastrophe. We take this responsibility seriously. It is worth noting that CHIPS never skipped a beat on 9/11 and the days that followed.
CHIPS itself operated without interruption during the entire crisis and all 56 banks that connect to it were able to continue to conduct business. This included the 19 banks that were located in or near the World Trade Center. Each of these banks was required to relocate their operations to contingency sites in the middle of an unimaginable disaster. The fact that this was successfully accomplished I believe is a great testament to the leadership in these banks.
Following 9/11, our management reviewed the events of the week for lessons learned. Some of the things that we have done, we added additional security staff to perform more frequent and random patrols of our facilities. We conducted penetration tests of both our physical security and our logical security for our systems. We reconfigured one of our facilities to make it better prepared to prevent penetration. We implemented state-of-the-art biometric access controls. We also all but eliminated visitor access to all of our operating centers.
We reviewed where our critical employees worked and relocated some of these individuals to avoid a concentration risk of having too many key individuals in one place. We have taken measures to ensure that key operations and support staff have secure remote access to our electronic systems so that they can operate remotely in the event that they cannot get to our principal operating centers. For many years, The Clearing House has operated fully redundant data centers, each with the capability of backing up the other. To further enhance its resiliency, we have developed and out-of-region third data center. This new center is fully equipped to take over the operation of CHIPS within an hour of a simultaneous failure of the other two sites.
Page 49 PREV PAGE TOP OF DOC
One key procedure which was reaffirmed during the events of 9/11 is contingency tests. Mandatory testing of contingency capabilities has been conducted by CHIPS since the early 1980s. The tests cover a variety of disaster scenarios and exercise the backup and recovery capabilities of the participants, as well as CHIPS. The performance of each participant during these tests is evaluated by The Clearing House and those banks that fail the test are required to continue to re-test until they pass. The discipline of regular testing helped contribute to the quick recovery of the banks following the events of 9/11. Since 9/11, we have expanded our own testing regimen to include two tests a year, coordinated with the Federal Reserve's Fedwire system.
Another significant initiative led by the Clearing House following the events of 9/11 was our Intercept Forum which addressed the question, what could financial institutions, working with the public sector, do to eliminate the flow of funds to terrorists and their organizations. We had senior representatives from 34 public and private sector organizations. This forum identified five task groups which were co-led by representatives from both the public and private sectors. These five groups, let me touch on them briefly: patterns of behavior, account transaction monitoring, and global cooperation.
The first three I think are easily understood, their purpose, their mission clearly understood by the names of their groups. The other two, control list, following the events of 9/11, the banks and the regulators and the law enforcement agencies needed to sit down and clarify what we were trying to accomplish in terms of identifying terrorists, flows of funds to terrorists, what policies and procedures had to be in place, what new was being put in place. All this had to be communicated effectively, so we put a group together to work on that.
Our fifth group, a database team, was originally set up to develop a highly secure real-time capability to download suspected terrorist information and to upload hits that financial institutions may have, reporting them back to the law enforcement agencies. This fifth group was superseded by FinCEN and their PAC system which was set up in 2003, I believe. We work closely with them and handed over that responsibility to them. All of our banks have been working with them since.
Page 50 PREV PAGE TOP OF DOC
I think the Intercept Forum is a great example of the private and public sector's ability to work together to achieve shared goals. Financial institutions, law enforcement agencies, and regulators were able to draw upon each other's core competencies in a cooperative way and achieve meaningful results. It is clear that going forward we will need continued cooperation in all three areas to be successful.
Thank you.
[The prepared statement of John Mohr can be found on page 116 in the appendix.]
Mrs. KELLY. Thank you.
Mr. Dolloff, I understand that Mr. Tiberi was wanting to come to introduce you because you were a fellow Ohioan. I hope you will take my introduction, from being a former Ohioan who now is in New York. We are delighted to have you here. You may proceed.
STATEMENT OF WILTON DOLLOFF, EXECUTIVE VICE PRESIDENT, OPERATIONS AND TECHNOLOGY, HUNTINGTON BANCSHARES INCORPORATED, ON BEHALF OF BITS AND THE FINANCIAL SERVICES ROUNDTABLE
Mr. DOLLOFF. Thank you, Madam Chairman and members of the committee for this opportunity to testify about the financial services industry's efforts to address critical infrastructure protection. I am Wilton Dolloff, executive vice president for operations and technology at Huntington Bancshares, Incorporated. I am pleased to appear before you today on behalf of BITS and the Financial Services Roundtable. I have submitted a written statement that provides details on efforts by BITS and the financial services industry to strengthen our nation's critical infrastructure.
I would like to use this time today to deliver three messages. First, the financial services industry is doing an outstanding job strengthening our slice of the critical infrastructure pie. Among other things, we have developed emergency communication tools, conducted worst-case scenario exercises, engaged in partnerships with the telecommunications sector and key software providers, compiled lessons-learned from the 9/11 attacks and the August 2003 blackout, and combated new forms of online fraud.
Page 51 PREV PAGE TOP OF DOC
Second, as you know, our industry is heavily regulated. The regulators have stepped up their oversight, but we cannot address these problems alone. Our partners in other sectors, primarily telecommunications, power, software, must also do their fair share to ensure the soundness of the nation's critical infrastructure.
Third, I want to review several recommendations for the Congress to consider. Since 9/11, our sector has done a lot to respond to the risk we face today. Protecting our nation's critical financial services infrastructure is a top priority. I would like to highlight several efforts to help assure the security stability of our sector.
We have improved communications and enhanced our ability to analyze and disseminate information. For example, we have enhanced the financial services information sharing and analysis center, the ISAC, providing an important tool for members to share and analyze cyber and physical threat and vulnerability information. In addition, we have established the BITS-FSR crisis communicator. This high-speed alert system rapidly notifies CEOs and CIOs and others as appropriate to convene conference calls during which industry leaders share information and make decisions. The system was recently activated on August 1 immediately following the threat-level escalation by the Department of Homeland Security for the financial industry.
One of the key lessons learned in recent years is our sector's dependence on other critical infrastructure sectors, namely telecommunications and power. BITS is working with the telecommunications industry to identify and mitigate vulnerabilities and enhance recoverability. While the cooperation between these two sectors has been unprecedented, much more work remains to be done.
In August 2003, the blackout occurred in the Northeast. It gave us an opportunity to test our assumptions about what would happen in a large-scale loss of power. In general, the financial services industry performed well. Backup systems operated. Alternate communications systems were used and there was no measurable impact on settlements and payments.
Page 52 PREV PAGE TOP OF DOC
Our industry has also been working hard to strengthen cyber-security. We have stepped up our efforts by sharing information, analyzing threats and working more closely with the software industry. In December 2003, BITS surveyed its members on the cost of addressing software vulnerabilities and learned that costs are approaching $1 billion annually. In February 2004, BITS and the Roundtable held a cyber-security CEO summit to launch efforts to promote CEO-to-CEO dialogue on software security issues.
In short, we want the software industry to improve the security of products and services that they provide to us. Just as financial institutions are key targets for hackers and other cyber-criminals, our industry is increasingly the target of fraudsters operating online. We are responding to the escalation in identity theft with a series of steps to facilitate prevention of the crime and assist victims when it occurs. The cornerstone to these efforts is the BITS-FSR Identity Theft Assistance Center, or ITAC. The concept of this pilot program is to provide a simplified recovery process that benefits victims by relieving much of the current burden of reporting the theft and restoring one's financial identity.
The Congress can help the financial services sector meet the challenge of the post-9/11 environment in three ways. Number one, encourage the telecommunications industry to provide diverse and reliable services to critical infrastructure sectors. Two, recognize the dependence of all critical infrastructures on the software operating systems and the Internet. And finally, number three, encourage law enforcement to prosecute cyber-criminals and identity thieves and publicize U.S. Government efforts to do so.
I am pleased that Congress has an active interest in helping to shore up the financial sector against vulnerabilities and hope that we can work together to heighten security. Financial firms will continue to work diligently to achieve the level of security that our customers demand.
Madam Chairman, I will be happy to answer any questions. Thank you.
Page 53 PREV PAGE TOP OF DOC
[The prepared statement of Wilton Dolloff can be found on page 86 in the appendix.]
Mrs. KELLY. Thank you so much.
Mr. Gaer, we welcome you.
STATEMENT OF SAMUEL GAER, CHIEF INFORMATION OFFICER, NY MERCANTILE EXCHANGE
Mr. GAER. Thank you, Madam Chairwoman. Good morning, and thank you to the members of the committee for inviting me to address the issue of emergency preparation and vigilance for the financial services sector. The subject matter is of timely concern and I sincerely welcome the opportunity to both express what the New York Mercantile Exchange has accomplished to date, as well as to express concerns regarding areas in which you might consider providing assistance to our efforts going forward.
The Exchange is the world's largest physical commodities futures exchange and has been an example of market integrity and price transparency throughout its 132-year history. Commercial enterprises and government entities all over the world use our marketplace to manage their energy metals risk, a function that is particularly critical to the global economy in any time of crisis. The Exchange is also a technology leader in the futures industry, developing robust, redundant, best-of-breed trade management clearing and reporting systems capable of quick fail-over to backup systems when required.
No preparedness planning, however, can be accomplished without a careful analysis of the business that needs to be protected. Our core business is trading and clearing. In order to ensure the continuity of this core business, we have pursued several alternatives. The Exchange headquarters was designed to be as redundant as possible, including the availability of backup generators, which became critical during the blackout of 2003.
One of the first priorities for the Exchange after September 11, for example, was to build a replica trading floor which contains trading rings, administrative space, live price feeds, and a fully operational and redundant data center. In other words, it is a complete facility. This facility has been powered-up since the beginning of the Iraq War and is ready to go on a moment's notice.
Page 54 PREV PAGE TOP OF DOC
The Exchange also has two electronic trading systems, both of which have round-the-clock trading capability. In fact, we were the first exchange in New York to reopen following September 11 when we opened our electronic trading system for a 2-hour session on September 14, which resulted in a record 70,000 contracts being traded in 2 hours.
During an emergency, the high-level strategic decision-making authority rests with the crisis management team which we call the CMT. It is comprised of members of the executive committee of the board of directors, C-level executives and critical senior executives. Their role is to assess a threat and if necessary provide an official declaration of disaster, to interface with the members of the exchange, and to coordinate with industry and regulatory agencies.
Maintaining communication between recovery units and resources is the single most important aspect of any emergency recovery effort. The Exchange has gone to great lengths to ensure that the CMT and their subordinates are all able to communicate, including provision of cell phones with two-way radios, mobile e-mail devices, laptops with cellular modems which we affectionately call footballs, and access to CFTC-sponsored GETS cards. Every critical exchange system is duplicated and can provide services in the event the main facility or system is unavailable. Data moves across redundant optical fiber links, linking our backup site to the primary site. In addition to the network created between the two hot sites, the Exchange maintains multiple links to Internet service providers.
Training, education and regular testing will ensure that the systems and staff are ready to respond to any event that disrupts our business. Ongoing planning for events keeps the Exchange planners in top form. The Exchange, along with the Futures Industry Association, or the FIA, have begun planning a major multi-company and multi-exchange coordinated testing effort which will culminate in the first annual industry-wide disaster recovery test this fall on Saturday, October 9. The effort is extremely important to our industry and will be repeated annually.
Page 55 PREV PAGE TOP OF DOC
As a critical infrastructure organization, we strive to learn from every event we face. So what were the lessons we learned from the various events that we have handled recently? The tragic and cataclysmic events that took place on September 11, 2001 showed us that planning for emergencies that involve a single company, building or service is no longer adequate. As we look back at 9/11, the relationships the Exchange has forged with government agencies will always be of critical importance in planning for and support during an emergency event. In addition, the relationships our member firms have formed with important government leaders have enabled the Exchange to overcome many difficult recovery challenges in the past.
The blackout of 2003 taught us different lessons, foremost of which is that the unavailability of a facility is not a prerequisite to an emergency event. Multiple redundant service providers need to be secured for all critical business services. Other events that the Exchange planners carefully consider are the planning we have done for the Republican National Convention and the regular disaster recovery testing and mock disasters that the Exchange conducts all serve to reinforce and fine-tune the planning we have at the ready. Communications stands alone as the key equalizer when facing the surprises any emergency delivers. A disaster gives no advance warning.
Madam Chairwoman, in closing I ask this committee to consider the following concerns from the Exchange. As an integral part of the critical infrastructure, the Exchange already manages a full complement of continuity plans, backup sites and emergency operation locations. However, our business relies upon the coordination of many services within the financial sector. It also relies heavily on telecommunications, utility and transportation infrastructure over which the Exchange has no control. The Exchange is prepared to recover our systems and business processes if faced with another event such as 9/11, but the recovery of the services and the price discovery mechanisms we provide to the financial services sector and economy also relies on resiliencies of the external businesses on which the Exchange depends.
Page 56 PREV PAGE TOP OF DOC
I would like to thank the Chairwoman and the members of this committee for inviting the Exchange to speak with the other distinguished panelists on this extremely important topic. I would be happy to answer any questions the committee has.
[The prepared statement of Samuel Gaer can be found on page 101 in the appendix.]
Mrs. KELLY. Thank you very much, Mr. Gaer.
Mr. Tishuk.
STATEMENT OF BRIAN S. TISHUK, EXECUTIVE DIRECTOR, CHICAGOFIRST
Mr. TISHUK. Good afternoon. Chairman Kelly, members of the Financial Services Committee, I am Brian Tishuk, the executive director of ChicagoFIRST, a coalition of 16 of Chicago's leading financial institutions. A list of our members and government partners is appended to my written statement.
Through ChicagoFIRST, these institutions cooperate with one another and collaborate with government to address common business continuity and homeland security issues. This ensures that our business continuity and disaster recovery plans conflict neither with one another nor with the government's plans for prevention, response and recovery.
In light of the events of September 11, the Chicago financial community, as others, reexamined and enhanced their individual business continuity plans. During the spring and summer of 2003, a number of these institutions also decided to form ChicagoFIRST. Two leaders took it upon themselves to commit their time and their respective firms's resources to make this coalition a reality: Louis Rosenthal, executive vice president at LaSalle Bank and Ro Kumar, first vice president at the Options Clearing Corporation.
From the beginning, our top priority was to get a seat in the city's Joint Operations Center or JOC. The JOC is a place where different government agencies, city agencies, come together to address a crisis, whether it is a snowstorm or a terrorist attack. We sought a seat to ensure access to accurate and timely information in case of an emergency. We obtained this seat in July of 2003. Our members are also working with the city and the state to learn where our respective evacuation procedures may conflict and to take remedial action.
Page 57 PREV PAGE TOP OF DOC
Another absolutely critical objective for the financial community in Chicago is credentialing. ChicagoFIRST and the city are using an interim credentialing solution that we put together with them, while the city and the state together develop a permanent one. ChicagoFIRST is also working with the city and the Red Cross to develop shelter-in-place protocols. These best practices will protect our members' employees at the office and their families at home.
Now, every regional partnership will necessarily be unique. However, ChicagoFIRST has been constructed in a manner that would allow its salient elements to be replicated in other parts of the country. I would like to highlight four components of our model. First, financial institutions should organize themselves in a grassroots fashion and leadership should come from within the financial community. Second, with the critical infrastructure largely in the hands of the private sector, we have an obligation to put some ''skin in the game,'' as the saying goes. However, at least in the short term, funding from the public sector should also be provided.
Third, information sharing is key. Such sharing ranges from the mundane of my calling the city to find out why there are a number of police cars and fire trucks outside a particular building, to the absolute essential of having the city and state give us a heads-up about impending issues and announcements such as the August 1 disclosure of terrorist threats against financial institutions on the east coast. Finally, not only can the above elements be replicated elsewhere, but also adapted to any region, even outside of financial centers where other sector participants may be necessary.
I would like to mention briefly the crowning achievement of 2004, a July tabletop exercise that proved successful in every way. Most importantly, we devised a scenario that examined how the partnership would function if financial institutions were forced to operate for an indefinite period of time under the threat of terrorist attack. Unfortunately, 2 weeks after the event, we saw that very scenario unfold in real life on the east coast that allowed us to be ahead of the game in Chicago.
Page 58 PREV PAGE TOP OF DOC
In conclusion, the members of ChicagoFIRST are very proud of our progress. While much remains to be done, Chicago's financial community is better prepared to protect its employees and businesses than it was before ChicagoFIRST was formed. We hope that our successful approach can provide a model for private-public partnerships in other cities throughout the country. Thank you again for the opportunity to testify at this important hearing, and I am happy to answer any questions the committee may have.
[The prepared statement of Brian S. Tishuk can be found on page 136 in the appendix.]
Mrs. KELLY. Thank you, Mr. Tishuk.
I would like to ask a couple of questions, but before I do three of the five members of this panel are from New York and participated in the recovery. I want to compliment all of you. You were back up. You were functioning. Our financial systems in New York were functioning so quickly. You are to be complimented for the work that you did prior to 9/11 to ensure that that actually happened.
I would like to begin with asking a general question, actually, but I am going to focus this on you, Mr. Britz. The Stock Exchange has often been thought to be a target for terrorists. In the press, it was indicated that terrorists had cased the Exchange as a potential target. In a broad sense, what additional steps have you taken since you heard about people casing the place?
Mr. BRITZ. First of all, I will share with you an anecdote, Congresswoman. When we met, I referenced in my remarks, we met with Homeland Security, we met with the FBI the evening before, the Saturday evening as a matter of fact, and the NYPD and a number of local law enforcement agencies. We asked them point blank, what can we do, what might we do that we are not now doing? The answer uniformly was, nothing; that they regard what we do today or what we did prior to the most recent announcement as the gold standard.
Page 59 PREV PAGE TOP OF DOC
They, in turn, again as I referenced in my remarks, the NYPD in particular supplemented their force on the ground around our perimeter both in terms of patrolmen, but also in terms of the Hercules swat team, if you will, so that we had a very substantial presence over and above what we normally have. I know you have seen what we normally have, so I think it is the gold standard. But post-9/11, essentially what we did was push out our perimeter.
We had well before 9/11 magnetometers, X-rayed every package, every valise. I myself walk through a magnetometer every morning. My briefcase goes through the X-ray every morning. But that, of course, is once you are inside the building. We pushed the perimeter out, as you know, with the help of the NYPD so that you cannot get within a block of the Stock Exchange with a vehicle without going through a checkpoint, having canine sniff, checking the manifest, having the dog sniff as to whether or not there is any explosive capability and so on. So essentially what we have done and what we have reinforced with the help of the police department is to extend that external perimeter away from the building.
Mrs. KELLY. Thank you.
I know there are a number of people who enjoy the fact that now there is a sense of a mall around the Stock Exchange. It certainly is pleasant to be able to walk without having to worry about the traffic down there.
Mr. BRITZ. Those are the people who are not in vehicles.
[Laughter.]
Mrs. KELLY. Right. Exactly.
Mr. Dolloff, you represent BITS. I asked a question of Mr. Liscouski in the earlier panel. I do not know if you were in the room. I am very concerned about the insider threat with regard to the programs that are in each one of the businesses that work in the financial industry. I am concerned about them because I understand that it is possible for people in the process of the programming and reprogramming to fit the niche market that each business needs, there are programmers who are there who are doing certain things.
Page 60 PREV PAGE TOP OF DOC
Is there something that you can tell me that the industry itself, from your BITS organization, the BITS FSR is doing, to perhaps profile the people who are doing programming, to do some kind of a check so that the programs do not yield up information that might be essential information to people that we actually would rather not have that information?
Mr. DOLLOFF. Congresswoman, if I understand the question correctly, I would like to address it from the Huntington's perspective first, because I am not sure of the organization efforts of BITS in this area. I can tell you that many financial institutions have programming standards and oversights over their programmers. One person may develop a program and it then goes through a testing process, and what we call a ''change control'' process where people outside the unit that did the program, review the program for its legitimacy and to make sure that it is doing as it is intended to do.
Now, is it possible for somebody to be so clever that it could sneak by even that checkpoint? Probably. You can only protect against what you think you know. But I think that is a standard that you will find in most financial services industry shops, if you will, on how they control the quality of the programs that they develop.
Mrs. KELLY. My concern is that so many of us look at a threat from outside, hackers, people like that. My concern is the threat from inside.
Mr. DOLLOFF. I would agree with you. There is always a threat, both externally and internally. As I said, we need to make sure that we have these dual checks in place, and sometimes it is more than dual checking. They go through very extensive testing processes to make sure that the program development that has taken place does what it is intended to do.
Mrs. KELLY. My time is up. I do have a few more questions, but I am going to turn this over now to Mr. Miller.
Mr. MILLER OF NORTH CAROLINA. Thank you, Madam Chair.
Page 61 PREV PAGE TOP OF DOC
I wanted to pursue a question that I began with the first panel about compliance in the private sector with the necessary safeguards against terrorism; that 85 percent of our infrastructure is in the private sector. There has been apparently a fair amount of effort to try to develop standards.
Mr. Britz, you referred to the New York Stock Exchange's standard as the gold standard, which I commend you for, but I am afraid that a great deal of the private sector will not adopt a gold standard, but a tarnished brass standard of going cheap on terrorism safeguards, when in fact they are at risk and there are consequences beyond. There are consequences to their employees. There are consequences to anybody else who may be on their premises. And there are consequences to the people that they do business with, in a ripple effect.
The 9/11 Commission recommended a voluntary standard. Any of you, do you agree that it should be voluntary? Or should there be some force of law behind some standard in the private sector for terrorism safeguards? We can start with you, Mr. Britz, and work our way down.
Mr. BRITZ. First of all, Congressman, when I referenced a gold standard, it was the New York City Police Department and the FBI referring to us, not us referring to ourselves. It was in the area of physical security.
Mr. MILLER OF NORTH CAROLINA. Either way, I commend you.
Mr. BRITZ. Gosh, I really do not feel confident to address that question other than to perhaps offer a private sector comment which would be that it is in the private sector's interest to safeguard their respective franchises. I know that the New York Stock Exchange has done everything it has done, even though we are overseen by the Securities and Exchange Commission to be sure, and the word ''cajole'' was used earlier. They cajole us every now and again.
But most, if not everything that we have done in the area of protecting our infrastructure has been self-initiated because it is in our business and our franchise interest to do that. So you have that kind of a motivator resident within every private sector business that has assets and franchises to safeguard.
Page 62 PREV PAGE TOP OF DOC
Beyond that, I am not a regulator of the banks or the paying agencies and so on, and I do not know if I would comment beyond that.
Mr. MILLER OF NORTH CAROLINA. Anybody else? Try to keep it fairly brief because I only have 5 minutes. Yes, sir?
Mr. MOHR. Yes, I would agree with most of what Mr. Britz said. I think it is in the interests of the private sector to make sure they are safe and sound. I would also point out that the regulators, in my opinion, did an excellent job following 9/11, leading the review on an industry-wide basis and coming up with a lot of good clear thinking, good clear direction.
I think the partnership between the two was essential to making us as strong as we are today. I think the best way forward is to keep that partnership going, keep driving the two together to make sure that they are working together.
Mr. MILLER OF NORTH CAROLINA. Anyone wish to speak up for something other than a volunteer standard? All right.
A second point that the 9/11 Commission made, let me read one question, their bolded recommendation: ''We believe that compliance with the standards should define the standard of care owed by a company to its employees and the public for legal purposes.''
I took that to be a reference to the substantial body of state negligence law, of common law negligence of what the standard of care is, and that reference means that they believe that under state common law businesses that did not adopt the appropriate safeguards, and there are consequences to others as a result of their failures, should give rise to civil liability.
There is also a wealth of economic theory that says that the civil liability system is a market mechanism to assure proper safeguards. Do you agree that the civil liability system would apply in cases, certainly now that we know there is a terrorism threat, to the consequences of a failure to take appropriate safeguards? Anybody want to stick up a hand? Mr. Britz, do you want to start with you?
Page 63 PREV PAGE TOP OF DOC
Mr. BRITZ. Congressman, I apologize. I do not feel confident to respond to that question. I am neither a lawyer nor an expert on what it is the Commission intended in those words.
Mr. MILLER OF NORTH CAROLINA. Okay.
Mr. Mohr, do you have any comment?
Mr. MOHR. I have nothing to add to that.
[Laughter.]
Mr. MILLER OF NORTH CAROLINA. Mr. Dolloff?
Mr. DOLLOFF. I would agree. I do not feel qualified to answer that question.
Mr. MILLER OF NORTH CAROLINA. All right.
Mr. Gaer?
Mr. GAER. I would also agree. I am neither a lawyer nor an expert on what you are reading.
Mr. MILLER OF NORTH CAROLINA. Mr. Tishuk?
Mr. TISHUK. I am afraid it is not my area of expertise either.
Mr. MILLER OF NORTH CAROLINA. Okay. I am pleased that I was able to bring about so much unanimity among the panel.
[Laughter.]
Mrs. KELLY. Thank you very much, Mr. Miller.
Ms. Biggert.
Mrs. BIGGERT. Thank you, Madam Chairman.
I would like to congratulate all of the members of this panel for their self-initiated efforts to bolster the infrastructure of America's financial sector, and to take the offensive approach in that.
Page 64 PREV PAGE TOP OF DOC
I would especially like to applaud you, Mr. Tishuk, not just because you live in Homer and are a constituent, but for what you have done with ChicagoFIRST in providing a model partnership between the public and private sector in this area.
Could you just tell us a little bit more about the tabletop and what happened and why that is so important, and what you learned from it?
Mr. TISHUK. Certainly. The tabletop took place in mid-July. We had terrific participation, some 17 government agencies, 21 financial institutions, telecommunications providers, power, water. It included all of the relevant areas of the city and the state, as well as the federal government. It was very useful.
The whole object of the tabletop was to assess assumptions that we all had about one another, to make sure that we knew what we could really expect from one another during an emergency, rather than finding out something we did not expect in the heat of the moment.
It certainly provided a lot of grist for our mill. Everybody has told us it was very successful, that they learned a lot about all the other participants. We certainly learned a lot. We learned our communications systems are even more fragile than we had initially thought, and we are working to find alternatives to the conference calls that we tend to rely upon.
We are also reaching out to the counties surrounding Chicago, because our employees come from there and we certainly learned more about the city's and state's evacuation plans for getting folks out of the city, out of Cook County and beyond. Therefore, it is important to make sure that they are part of this dialogue so that our employees know what they can expect to find if such an event occurs.
Perhaps most importantly, given its success, we learned that it is very much a goal for us to test, implement lessons learned to fill the gaps, and repeat, both in the table top format, which is somewhat artificial, as well as in a testing mode where you are in your office or where you are supposed to be normally, and then respond.
Page 65 PREV PAGE TOP OF DOC
Mrs. BIGGERT. It was mentioned earlier, or it was mentioned in your testimony that you have had trouble communicating with the Department of Homeland Security, while you have worked very closely with the Treasury Department. Do you think that that will change after today?
Mr. TISHUK. I certainly have that expectation, yes. I would like to point out, though, that we have had excellent support and a relationship with DHS's regional arms in Chicago. Both FEMA and the Secret Service have been with us every step of the way. They have been forthcoming with their ideas and very supportive to our suggestions. So from that standpoint, things could not be better.
Mrs. BIGGERT. One of your suggestions has been that you would have a regional center for the Department of Homeland Security in Chicago.
Mr. TISHUK. Correct. Chicago is a vital center. As the East Coast hardens for good reasons, we certainly want to make sure that terrorists do not look upon Chicago as a softer alternative to attacking financial institutions and metropolitan areas.
Mrs. BIGGERT. Thank you for all that you do.
I have another question for probably most of the people on the panel. After 9/11, a number of financial firms managed to shift trading and portfolio management to their offices in London and other financial capitals. Should major global financial institutions include in their disaster recovery plans the ability to shift trading and book management temporarily away from the affected country? Do some of you have that in your plan in case that there is a disaster? Mr. Britz?
Mr. BRITZ. I will take a shot at that, Congresswoman. In our Rule 446, the business continuity rule, and I am now talking about broker-dealer member firms of the New York Stock Exchange, we impose a requirement that they demonstrate the ability to operate under various circumstances, but we do not dictate as to how.
Page 66 PREV PAGE TOP OF DOC
When you say ''shift away'' from the affected country, and this country is a fairly large country, that may very well include shifting to other centers that they may have literally around this country, as opposed to necessarily going to Europe or some other center. The NYSE as a regulator of broker-dealers dictates that you have to demonstrate the capability, but we do not dictate as to how.
Mrs. BIGGERT. Mr. Mohr?
Mr. MOHR. For the commercial banks, the regulators have already told the larger banks that they must have certain recovery capabilities that are outside the immediate region. That process is already under way, but there is no directive that they have to move offshore. Those banks that did move offshore did so because they are multinational banks that have processing centers in other areas of the world.
Mrs. BIGGERT. Mr. Dolloff?
Mr. DOLLOFF. I would agree with what Mr. Mohr just said. We have backup facilities outside our immediate region. We, however, are not an international or have an international presence, so we would not have that capability to go outside the United States, but we do have backup facilities.
Mrs. BIGGERT. Mr. Gaer?
Mr. GAER. Like everybody else on this panel, our business is intensely competitive. In an event such as 9/11, for example, let us call it a sister exchange of hours. We got a phone call from somebody across the pond to host their book, and that was their biggest fear, if you will, because they felt that once that liquidity goes offshore, it is going to stay there.
As such, we do have a fully redundant trading facility where if we needed to move trading, we could move trading to that facility. We have two separate, fully redundant electronic trading systems that if the facilities are not available, we can use those facilities. We in the midst right now of looking at actually globalizing and providing a presence offshore as well.
Page 67 PREV PAGE TOP OF DOC
Mrs. BIGGERT. Thank you.
Mr. Tishuk?
Mr. TISHUK. You raise an important issue, but it falls outside the scope of our particular mission.
Mrs. BIGGERT. Okay. Thank you. Thank you all.
I yield back.
Mrs. KELLY. Thank you, Ms. Biggert.
One thing I did want to just mention, Mr. Gaer you said that you are dependent on the external infrastructures. I simply want to offer this committee's help, if you have some ideas of things that we might be able to do. You can certainly call my staff. We would be very interested to do whatever we can for you, because I realize that you are in many ways affected by that more than some of the other people involved in financial services.
Gentleman, I neglected to say as you sat down that without objection, your written statements will be made part of the record. You have been recognized for 5-minute summaries of your testimonies, but your testimony will be made a part of the record, your full testimony.
The Chair notes that some members may have additional questions for this panel which they may wish to submit in writing. So without objection, the hearing record will remain open for 30 days for the members to submit written questions to these witnesses and to place their responses in the record.
We thank you very much for your patience and for your testimony today. This hearing is adjourned.
[Whereupon, at 1:15 p.m., the committee was adjourned.]
3