[House Hearing, 109 Congress]
[From the U.S. Government Printing Office]




                               before the

                      FINANCE, AND ACCOUNTABILITY

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION


                           SEPTEMBER 26, 2005


                           Serial No. 109-124


       Printed for the use of the Committee on Government Reform

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/


26-505                      WASHINGTON : 2006
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512�091800  
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001


                     TOM DAVIS, Virginia, Chairman
CHRISTOPHER SHAYS, Connecticut       HENRY A. WAXMAN, California
DAN BURTON, Indiana                  TOM LANTOS, California
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
GIL GUTKNECHT, Minnesota             CAROLYN B. MALONEY, New York
MARK E. SOUDER, Indiana              ELIJAH E. CUMMINGS, Maryland
TODD RUSSELL PLATTS, Pennsylvania    DANNY K. DAVIS, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
JOHN J. DUNCAN, Jr., Tennessee       DIANE E. WATSON, California
CANDICE S. MILLER, Michigan          STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio              CHRIS VAN HOLLEN, Maryland
DARRELL E. ISSA, California          LINDA T. SANCHEZ, California
JON C. PORTER, Nevada                C.A. DUTCH RUPPERSBERGER, Maryland
KENNY MARCHANT, Texas                BRIAN HIGGINS, New York
PATRICK T. McHENRY, North Carolina       Columbia
CHARLES W. DENT, Pennsylvania                    ------
VIRGINIA FOXX, North Carolina        BERNARD SANDERS, Vermont 
JEAN SCHMIDT, Ohio                       (Independent)
------ ------

                    Melissa Wojciak, Staff Director
                   David Marin, Deputy Staff Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel

   Subcommittee on Government Management, Finance, and Accountability

              TODD RUSSELL PLATTS, Pennsylvania, Chairman
VIRGINIA FOXX, North Carolina        EDOLPHUS TOWNS, New York
TOM DAVIS, Virginia                  MAJOR R. OWENS, New York
GIL GUTKNECHT, Minnesota             PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
JOHN J. DUNCAN, Jr., Tennessee

                               Ex Officio
                      HENRY A. WAXMAN, California

                     Mike Hettinger, Staff Director
               Tabetha Mueller, Professional Staff Member
            Adam Bordes, Minority Professional Staff Member

                            C O N T E N T S

Hearing held on September 26, 2005...............................     1
Statement of:
    Allen, Catherine, chief executive officer, BITS, the 
      Financial Services Roundtable; Donald Donahue, chairman, 
      Financial Services Sector Coordinating Council for Critical 
      Infrastructure Protection and Homeland Security; Samuel 
      Gaer, chief information officer, New York Mercantile 
      Exchange, Inc., chief executive officer, NYMEX Europe 
      Limited; and Steve Randich, executive vice president of 
      operations and technology and chief information officer, 
      the NASDAQ Stock Market, Inc...............................    60
        Allen, Catherine.........................................    60
        Donahue, Donald..........................................    88
        Gaer, Samuel.............................................   101
        Randich, Steve...........................................   114
    Kelly, Raymond, police commissioner, city of New York........     6
    Parsons, D. Scott, Deputy Assistant Secretary, Critical 
      Infrastructure Protection and Compliance Policy, Department 
      of the Treasury; R. James Caverly, Director, Infrastructure 
      Coordination Division, Department of Homeland Security; and 
      Daniel Muccia, first deputy superintendent of banks, State 
      of New York Banking Department.............................    22
        Caverly, R. James........................................    30
        Muccia, Daniel...........................................    41
        Parsons, D. Scott........................................    22
Letters, statements, etc., submitted for the record by:
    Allen, Catherine, chief executive officer, BITS, the 
      Financial Services Roundtable, prepared statement of.......    65
    Caverly, R. James, Director, Infrastructure Coordination 
      Division, Department of Homeland Security, prepared 
      statement of...............................................    33
    Donahue, Donald, chairman, Financial Services Sector 
      Coordinating Council for Critical Infrastructure Protection 
      and Homeland Security, prepared statement of...............    90
    Gaer, Samuel, chief information officer, New York Mercantile 
      Exchange, Inc., chief executive officer, NYMEX Europe 
      Limited, prepared statement of.............................   105
    Kelly, Raymond, police commissioner, city of New York, 
      prepared statement of......................................     9
    Muccia, Daniel, first deputy superintendent of banks, State 
      of New York Banking Department, prepared statement of......    42
    Parsons, D. Scott, Deputy Assistant Secretary, Critical 
      Infrastructure Protection and Compliance Policy, Department 
      of the Treasury, prepared statement of.....................    24
    Platts, Hon. Todd Russell, a Representative in Congress from 
      the State of Pennsylvania, prepared statement of...........     3
    Randich, Steve, executive vice president of operations and 
      technology and chief information officer, the NASDAQ Stock 
      Market, Inc., prepared statement of........................   116



                           SEPTEMBER 26, 2005

                  House of Representatives,
Subcommittee on Government Management, Finance, and 
                            Committee on Government Reform,
                                                      Brooklyn, NY.
    The subcommittee met, pursuant to notice, at 10:07 a.m., at 
the Brooklyn Law School, 250 Joralemon Street, Brooklyn, NY, 
Hon. Todd Russell Platts (chairman of the subcommittee) 
    Present: Representatives Platts and Towns.
    Staff present: Michael Hettinger, staff director; Tabetha 
Mueller, professional staff member; Daniel Daly, counsel; and 
Adam Bordes, minority professional staff member.
    Mr. Platts. A quorum being present, this hearing of the 
Committee on Government Reform Subcommittee on Government 
Management, Finance, and Accountability will come to order.
    I'd like to thank first the Brooklyn School of Law and my 
esteemed colleague and ranking member of our subcommittee, Mr. 
Towns, for hosting this field hearing here in Brooklyn. We're 
here in New York because this is the heart of our Nation's 
financial sector. On September 11, 2001, terrorists destroyed 
the World Trade Center in an attempt not just to murder and 
maim, but to dismantle our economy. With the backdrop of two 
destructive hurricanes, we see that any disaster, whether 
natural or man made, requires us to be well prepared. This 
hearing is about the preparedness of the financial sector in 
    The rapid recovery of the financial infrastructure after 
September 11th inspired confidence throughout America. The U.S. 
Treasury securities market opened just 2 days later and the 
equities market was in full operation by September 17th. Still, 
Congress, the executive branch and industry realized that 
financial firms would need new contingency plans. The Federal 
Government in partnership with local governments and the 
private sector responded with a variety of initiatives. Many of 
these post September 11th improvements were tested during the 
massive power blackout on August 14, 2003. All indications 
after the blackout were that improvements put in place after 
September 11th helped mitigate the damage that could have 
resulted from the infrastructure shutdown and panic the 
blackout caused. These results are encouraging.
    The purpose of this hearing is to examine the present 
status of financial market preparedness for wide scale 
disasters or disruptions, including efforts aimed at 
prevention, detection and response. This hearing will provide 
local, State and Federal Government officials and 
representatives from the private sector a chance to discuss 
accomplishments and identify areas where improvements and 
resources are still needed.
    [The prepared statement of Hon. Todd Russell Platts 

    Mr. Platts. We have a very distinguished group of 
witnesses, beginning with Mr. Raymond W. Kelly, police 
commissioner for the city of New York. Commissioner Kelly, 
thanks for being with us.
    Mr. Kelly. Thank you, sir.
    Mr. Platts. Commissioner Kelly will be followed by Mr. D. 
Scott Parsons, Deputy Assistant Secretary for Critical 
Infrastructure Protection and Compliance Policy from the U.S. 
Department of Treasury; Mr. R. James Caverly, Director of the 
Infrastructure Coordination Division at the U.S. Department of 
Homeland Security and Mr. Daniel A. Muccia, first deputy 
superintendent of banks from the State of New York Banking 
    On our third panel will be Ms. Katherine Allen, chief 
executive officer of BITS, the Financial Services Roundtable 
and Mr. Donald Donahue, chairman of the Financial Services 
Sector Coordinating Council for Critical Infrastructure 
Protection and Homeland Security; Mr. Samuel Gaer, chief 
information officer for the New York Mercantile Exchange; Mr. 
Steve Randich, executive vice president of operations and 
technology and chief information officer for the NASDAQ stock 
    Thank you again all for being here today and we look 
forward to your testimony.
    I'm pleased now to yield to our ranking member, the 
gentleman from New York, Mr. Towns, for purposes of an opening 
    Mr. Towns. Thank you very much, Mr. Chairman. Thank you for 
holding this hearing today in Brooklyn. I'd also like to thank 
our police commissioner, Mr. Kelly, which I'd say is the finest 
commissioner this city has ever known or seen. He's done a 
fantastic job over the years. Always a pleasure to see you 
    Mr. Kelly. Thank you, sir.
    Mr. Towns. I'm pleased to welcome our Government Management 
Subcommittee to our home town, Brooklyn, NY, New York and look 
forward to our distinguished panel from both the public and 
private sectors. The financial capital of the world, New York 
remains a vital component of economic growth, both domestically 
and abroad. Although political and economic alterations have 
shaped and changed the marketplace in recent years, banks, 
brokers, government lenders and Wall Street have remained the 
backbone of our capital and currency markets from Brooklyn to 
    The New York Stock Exchange alone accounts for 
approximately 2,800 companies with a combined market 
capitalization of nearly $20 trillion. On an average day the 
New York Stock Exchange trades nearly 1\1/2\ billion shares for 
an average daily dollar volume of roughly $50 billion. Stock 
and equity instruments, however, are not the only source of 
economic reliability for our markets. Future commodities and 
options trading at places such as the New York Mercantile 
Exchange serve as a major investment vehicle among 
institutional investors, pension funds and economic forecasters 
for domestic and foreign companies. Imagine the crisis our 
domestic manufacturers or agricultural sectors would be faced 
with if they did not have access to a viable commodities 
trading platform for energy products.
    Recent events, however, beginning with the tragedy of 
September 11, 2001 have forced both government and industry at 
all levels to reevaluate how well we are prepared to maintain 
stability and continuity in the marketplace should another 
disaster occur. Such events are not only fiscal in nature, as 
electronic attacks on our electricity and telecommunication 
grids can prove as consequential and costly as a physical 
    The government and private sector have appropriately 
embraced the need for stronger planning and coordination of 
activity since September 11th and have successfully begun to 
incorporate risk-based activities in their plans to reduce the 
threats facing industry and the physical infrastructure, human 
capital and personnel and information sharing capabilities. 
Backup systems and fiscal entities separate from current 
operations are now common among brokerage houses and trading 
platforms. Nevertheless, the various types of threats facing 
our financial services sector require planning at not only the 
Federal level, but at the State and local levels of government 
as well.
    While the Department of Homeland Security may coordinate 
information sharing activities and threat level analysis, it 
would require the Metropolitan Transportation Authority, the 
New York PD and the Office of Emergency Management to execute a 
broad-based evacuation of Wall Street or southern Manhattan in 
the event of a physical attack within the surrounding area. 
These activities would require State authorities to reconfigure 
travel patterns on interstate highways and area bridges to 
insure safety and orderly evacuation activities. Furthermore, 
the functionality and reliability of our telecommunication 
electricity and pipeline grids will require both Federal and 
State coordination of activities in order to remedy and 
preserve the security of our energy resources in the wake of a 
    From this perspective, I hope our witnesses can demonstrate 
for us a clear delineation of responsibilities among both 
government and regulators and private sector participants. An 
underlying tenet of our market-based model is the level of 
trust and transparency investors both large and small can place 
in our institutions. It is our responsibility for planning and 
executing an adequate level of security and reliability for 
market activities that is shared at all levels of government in 
concert with private sector participants.
    Thus, I hope our witnesses will speak to this blueprint of 
coordination, execution and transparency to insure that our 
market remains the bedrock of economic growth for centuries to 
    Again, I'd like to thank all the witnesses for appearing 
today, and on that note, Mr. Chairman, I yield back.
    Mr. Platts. Thank you, Mr. Towns. We'll commence with the 
testimony of Commissioner Kelly. If you don't mind, would you 
please stand and be sworn in?
    [Witness sworn.]
    Mr. Platts. We'll note that the Commissioner affirmed the 
oath in the positive. We'll proceed, we have a general 
guideline of about 5 minutes, but, Commissioner, we're 
delighted to have you here and the expertise you have, he may 
be giving you some guidance on time, but we really would like 
to you take whatever time you need to share your insights with 


    Mr. Kelly. Thank you very much, Mr. Chairman and 
Congressman Towns. Good morning and thank you for inviting me 
    Defending this city, the financial capital of the world, 
from a terrorist attack is the No. 1 priority of the New York 
City Police Department. Accordingly, I'd like to focus my 
remarks today on the preventive measures the department is 
taking against this threat.
    As you know, one of the stated aims of Osama Bin Ladin and 
al-Qaeda is to target America's economy. Shortly after the 
September 11th attacks, bin Laden himself exulted in the 
massive blows suffered by the U.S. economy, offering in an 
interview his own estimation of over $1 trillion in losses. We 
have no doubt that he seeks to replicate that strike if 
    Since then, we learned of another plan to target financial 
institutions in New York. This after authorities discovered 
detailed surveillance of the Stock Exchange and the Citigroup 
Center in the laptop computer of an al-Qaeda operative captured 
in Pakistan last year. This followed two additional al-Qaeda 
plots to target the city in 2003; the first to bring down the 
Brooklyn Bridge and the second to smuggle weapons through a 
garment district business into the heart of Manhattan. These 
plots were foiled by increased police visibility and good 
intelligence sharing.
    I cite them as evidence that New York City remains squarely 
in the cross hairs. Consequently, nowhere else is the effort to 
prevent another attack being undertaken with greater urgency. 
In addition to the dollar cost, this has required that we 
divert 1,000 police officers to counter-terrorism duties every 
day, and engage in extensive training and preparation. We've 
also undertaken a range of defensive measures to protect and 
harden the downtown financial district and enlist the support 
of the private sector.
    Beginning in January 2002, we created a new bureau of 
counter-terrorism and we restructured our intelligence 
division. We've recruited outstanding individuals with 
extensive Federal intelligence and counter-terrorism experience 
to run them. We expanded our presence on the Joint Terrorist 
Task Force with the FBI and we posted detectives to seven other 
countries to enhance the flow of information we receive about 
any threats relevant to New York City.
    We established one of the premier counter-terrorism 
training centers in the Nation right here in Brooklyn. In 
addition to our own core of 37,000 police officers, we have 
delivered training through that center to the members of the 
New York City Fire Department, the Metropolitan Transportation 
Authority Police Department, New York State Police; Nassau, 
Suffolk, Westchester, Rockland County Police and other 
agencies. We have also brought in dozens of private security 
professionals from hotels, banks and other institutions and 
trained them to better protect their facilities. Through our 
Nexus program we are reaching out to businesses that terrorists 
might seek to exploit. We want businesses to report any unusual 
order or anomalies that might suggest terrorist involvement. 
Detectives have paid thousands of visits to businesses 
throughout the city to increase their counter-terrorism 
    In July we launched a new initiative with the private 
security industry in New York called NYPD Shield. We are 
establishing a secure Web site with training materials and 
threat information updates and we have offered detailed 
briefings on topics such as the London bombing and the attacks 
on the Egyptian resorts at Sharm el Sheikh. We also exchange 
threat information daily with the city's corporate and 
institutional security directors through an instant messaging 
    We have expanded the protection of critical infrastructure 
throughout the region. We have created the threat reduction and 
infrastructure protection program [TRIPS]. We've also divided 
critical infrastructure into five categories and assigned a 
team of detectives to cover each one. These investigators visit 
facilities throughout the city, identifying vulnerabilities and 
developing comprehensive protection plans with site managers to 
prevent attacks.
    In 2003, at the beginning of the war in Iraq, we 
implemented a comprehensive security plan known as Operation 
Atlas. Given the ongoing terrorist threat Atlas remains in 
effect today. Broadly speaking, Operation Atlas has tightened 
the protective net around the city by increasing vigilance at 
entry points into New York and by placing mass transit and 
other potential targets under much greater scrutiny.
    Turning to the financial district itself, beginning in 
2002, the Police Department engaged in extensive collaboration 
with the New York Stock Exchange and downtown business leaders 
to harden the financial district. The area around the Exchange 
is the subject of 24-hour police presence under Operation 
Atlas, which includes visits by our heavily armed Hercules 
teams. We also established vehicle checkpoints at seven major 
intersections leading into the Exchange. Each is monitored by 
Stock Exchange security officers trained by the NYPD. Each 
checkpoint is outfitted with Police Department recommended 
equipment, including Delta barriers and sallyports to deter 
truck bombs; explosives screening points and bomb-resistant 
guard booths. Further protection is offered by dozens of 
retractable bollards and heavy planters that restrict 
pedestrian and vehicle blow.
    I want to note that as lower Manhattan continues to 
recover, and continues its rebuilding process, we plan to 
dedicate significant resources and personnel to keep pace with 
the growth of business. That includes the establishment of a 
coordination center where all relevant law enforcement agencies 
and the private sector will be represented. We look forward to 
Federal support of such an initiative.
    Mr. Chairman, any viable counter-terrorism program must 
stress prevention and response equally. And if, God forbid, New 
York City is struck again by terrorists or any other disaster, 
the Police Department will be prepared to respond immediately. 
We have trained approximately 12,000 of our officers in more 
advanced chemical, biological and radiological response to an 
attack involving weapons of mass destruction. We have also 
provided training to nearly all of our uniformed personnel in 
the New Citywide Incident Management System or SIMS, adopted 
last year by New York City. The system provides a unified 
command structure that allows the Police Department to work 
seamlessly with other first responders, including the Fire 
Department, for any disaster.
    We conduct daily exercises throughout the city in 
responding to a terrorist attack. This constant training and 
drilling paid off during the blackout of 2003, when the Police 
Department was mobilized to protect the city from looting and 
potential disorder. There were few arrests and disruptions were 
kept to a minimum.
    As you know, while overall evacuation planning is the 
responsibility of the city's Office of Emergency Management, 
the Police Department would play a major role in such an event. 
One of our most important responsibilities would be to secure 
key sites and protect life and property during and after a 
major incident. We're fully prepared to do that.
    On that note, I want to mention that last week we welcomed 
back the second half of the 300-plus police officer contingent 
we sent to Mississippi and New Orleans after Hurricane Katrina. 
These officers took part in search and rescue operations and 
patrolled against looters. Along with the pride and 
satisfaction from a job well done, the Police Department will 
undoubtedly learn from that experience and we dispatched 
another joint New York City Police Department and Fire 
Department team to Texas to assist there with Hurricane Rita.
    Finally, Mr. Chairman, I want to emphasize that all of our 
preparations come at a steep price; about 180 million per year 
to maintain our daily counter-terrorism and intelligence 
activity. These are ongoing operational costs to defend the 
city. While the Federal Government provides vital assistance 
for training, equipment and overtime, we still have huge 
expenses to cover. Regrettably, the influx of Federal support 
one would expect to flow to New York as a result of living in 
the cross hairs has not been sufficient.
    The Police Department is defending New York's people, its 
infrastructure and the Nation's financial assets from another 
terrorist attack, yet a large proportion of the Federal 
homeland security grant funding still is not targeted to 
threat. The Federal Government must invest realistically in 
protecting those areas the terrorists are likely to target 
again. Along with a few other major cities, New York tops that 
list. Everything we know about al-Qaeda tells us that this is 
true. It's a lesson from our history that we simply cannot 
afford to ignore.
    Thank you for inviting me today, Mr. Chairman.
    [The prepared statement of Mr. Kelly follows:]

    [GRAPHIC] [TIFF OMITTED] T6505.002
    [GRAPHIC] [TIFF OMITTED] T6505.003
    [GRAPHIC] [TIFF OMITTED] T6505.004
    [GRAPHIC] [TIFF OMITTED] T6505.005
    [GRAPHIC] [TIFF OMITTED] T6505.006
    Mr. Platts. Thank you, Mr. Kelly, we appreciate your 
testimony and glad to have an exchange with you. Just this past 
week we saw with Mayor Bloomberg announcing the $6 million 
grant from the Department of Justice regarding the 
interoperations of communications, through the city and the 
surrounding counties and boroughs of New York and New Jersey 
and that certainly goes to part of your message about 
coordination and the ability to be on the same page.
    Can you expand a little bit on that effort and how that's 
building on the interoperable communications already in place 
since September 11th?
    Mr. Kelly. We actually had interoperability capability 
before September 11th and since September 11th it's been 
reinforced and practiced indeed. We emphasize and check our 
interoperability channels every day. What this gives us is the 
ability to communicate with the surrounding areas; particularly 
Essex County in New Jersey and Bergen County and Westchester 
County. So in the event that our resources from those counties 
need to come into New York City or we respond to their 
purposes, we can communicate more effectively.
    So it's certainly moving in the right direction. With 
support it will take perhaps about a year to get that function.
    We do have now interoperability with Nassau County, which 
is contiguous to New York City, on our eastern border. So it's, 
again, part of the continuum to continuing to improve our 
ability to communicate.
    Mr. Platts. The provision of the $6 million certainly is 
not perfect, and I know it's a challenge to acquire sufficient 
funds. You've touched in your testimony on the not-unlimited 
national funds, that we do it in a smarter way.
    Are there specific examples of where the things that are 
currently you'd like to see done that stand before Department 
of Homeland Security or Justice to help fund some of the 
efforts here that are most critical to your efforts regarding a 
possible terrorist attack in general or specific to the 
financial sector?
    Mr. Kelly. We incurred significant operational expenses to 
have our counter-terrorism program in place, that is, in 
essence, overtime expenses. I mention it in my prepared 
remarks, we spend about $180 million a year, Police Department, 
that is, to carry out our counter-terrorism functions. That's 
on top of other overtime expenses that we have in the normal 
course of protecting this city.
    What we would like to see is in a general sense more money 
made available for those operational expenses. Much of the 
money that we have received is targeted for equipment and we 
certainly appreciate that and we need it, but we'd like to see 
if at all possible a broadening of the authority where we would 
get reimbursement that enables us to pay for operational 
expenses, particularly overtime expense.
    Mr. Platts. Your testimony talked about 1,000 officers a 
day. That's year round you have 1,000 officers involved in 
training related to counter-terrorism?
    Mr. Kelly. Yes, sir. Either officers or full time 
equivalent officers. We've created a counter-terrorism bureau, 
we expanded our intelligence division. We also have our 
preparedness program, where we have responses, everyday drills 
where we take them off of normal patrol duties, have them come 
to locations--it can be throughout the city, but most of the 
locations, quite frankly, are in Manhattan, so we mobilize 
twice a day, we'll bring in as many as 100 radio cars, so two 
officers will come together twice a day to do that.
    We then take them, mobilize, and then go to sensitive 
locations that we're concerned about. They don't go necessarily 
to the same location every day. We make certain we change the 
face of what we do, because we are concerned about 
reconnoissance going on. So that's part of our resource tactic, 
to make certain we constantly change what we do. But in doing 
that, and in training, as you say, it requires about 1,000 
officers a day. So it's a significant commitment on the part of 
the city at a time when, right now as we speak, we are 4,500 
officers below where we were in October 2000.
    So not only have we reduced the head count because of 
budgetary reasons, we are supplying 1,000 officers for counter-
terrorism forces. We're happy and it's a credit to the great 
job that the police officers of the city that crime is 
continuing to come down. As a result of their hard work, crime 
is down about 20 percent in the last 3\1/2\ years in New York 
City. It still takes a lot of hard work, a lot of effort, but 
we're juggling a few of balls in the air, as you can see.
    Mr. Platts. I think across the country, I'm not a veteran 
myself of the military or a member of the law enforcement 
community and both communities have my great respect and 
admiration and our law enforcement here at home and the first 
responders are really the heroes of this war on terror, 
certainly in New York and the New York City Police Department.
    In your coordination in trying to be prepared, whether it 
be communication or manpower, you talked about one, protecting 
infrastructure, and again, in the financial sector, or people 
in the--evacuation people if the financial sector was again 
    How is your coordination with National Guard? One of the 
challenges we saw in Katrina was how that coordination, 
Federal, State and local occurred. How often do you train with, 
interact with National Guard if they were trained to assist 
with either evacuation or control in New York City?
    Mr. Kelly. There are actually National Guard troops in New 
York City now, certainly at Grand Central Station, Penn 
Station. When we have major events, we activate what we call an 
emergency operation center in Police Headquarters and we will 
have representatives from many city agencies, State agencies, 
Federal, including the National Guard, so they're physically 
located with us. I must also say private sector security also 
comes to our emergency operations center. So we're in the 
business of communicating and coordinating with them, at least 
the ones--for instance, last, well, it's now, the U.N. General 
Assembly is ongoing, but a week and a half ago we had the 
plenary session where we had more world leaders that have ever 
come to one spot in one building before, it was the 60th 
anniversary of the United Nations, so we activated that and 
within that center was National Guard, military, so we do it on 
a regular basis.
    Mr. Platts. You mentioned the private sector in your NYPD 
Shield program, trying to have that communication. How can you 
describe the buy-in or the involvement of the private sector 
communities with NYPD?
    Mr. Kelly. They very much want to be working with us and 
certainly we want that as well, so there's a very 
collaborative, cooperative environment that exists in this 
city. We have had a program, the APL program, it stands for 
Area Police Liaison Program, it's been in existence since the 
1980's, but we've strengthened that. We communicate with the 
people in that group virtually every day, by Blackberry, e-
mail, letting them know what's going on on a daily basis. That 
program has been ongoing, as I say, and has been strengthened.
    Now, NYPD Shield is sort of an umbrella program that 
incorporates that and other programs that we have. It is a 
proactive attempt on our part to do training, to bring them 
even closer to us, and it's been very well received. We have a 
Web site and we keep them informed of an ongoing situation. I 
said in my prepared remarks, we had a detailed briefing for 
them on the London bombings, we very much appreciate it. Just 
recently we had a briefing on the Sharm el Sheikh bombings in 
Egypt. We had an officer assigned to Israel, he was able to go 
there, came back with specific information. Showed him 
pictures, and as I said, we're communicating on e-mail all the 
time. So that organization has about 1,000 members.
    But these are security directors. I mean, they're 
representative of the major corporations in New York City. 
These are the security people who really are protecting the 
financial services industry and other industries as well. So 
I'm very encouraged about Shield and I can only characterize 
our relationship with the private security and private sector 
as being a very strong and collaborative one.
    Mr. Platts. I have some additional questions, but I want to 
yield. Before I do, I want to note that we're joined by Dean 
Wexler and I thank her for letting us be here today. As a law 
school graduate, I'm always hesitant to being in a moot court, 
I'm used to being out there and being judged, but I guess we're 
being judged differently today, but I appreciate your hosting 
us. Mr. Towns.
    Mr. Towns. I'd like to echo the chairman's thanks, Dean, 
for allowing us to come in and also like to thank you, 
Commissioner, for coming.
    In terms of funding for first response, from the Federal 
Government, can you describe for us the flaws or barriers that 
may be inherent with the current process? What are some of the 
problems that you see in the present process?
    Mr. Kelly. As Mayor Bloomberg has stated many times and 
I've gone to Washington and testified that we would certainly 
support a funding allocation that would base totally on threat. 
To us it's logical. We see ourselves threatened and we would be 
the recipient of more funding, with some formula based on 
threat or at least more heavily based on threat than the 
existing formulas that were put in place.
    Having said that, I mean, we need the money, but having 
said that, the Mayor has made certain that the department is 
getting everything that it needs, that we need, and he said 
that on many occasions. This strains the city's budget, though, 
no question about it. Money, we have to have a balanced budget 
every year, so the money that's going to the Police Department, 
the Fire Department, other first responders is being taken from 
somewhere else in the city's budget. So we believe that a 
threat-based formula, a total threat-based formula makes sense 
in the post September 11th world that we live in.
    Mr. Towns. You mentioned in your comments earlier about 
communications and of course information sharing. Have the 
industry stakeholders coordinated their certainly internal 
efforts with your department? Do you feel that industry has 
made adequate progress in developing comprehensive security 
practices that are appropriately based on risk and level of 
exposure? Do you feel comfortable?
    Mr. Kelly. I think we can all do more. I think the private 
sector can do more, but I think efforts are being made, some 
industries, some companies do more than others. But, generally 
speaking, the message is out there, and as far as our 
relationship with them, you know, as I stated before, it's a 
very cooperative and close relationship. However, I think 
private, the private sector has gotten the message, but we 
could all do more.
    Mr. Towns. Can you describe for us what lessons have been 
learned from New York PD and the city since 2001 as to the 
value of having industry and government as partners in 
information-sharing activities? Are there barriers to adequate 
information sharing that remain problematic for industry or 
Government participants? I'm concerned about this flow of 
information and communications.
    Mr. Kelly. I believe it's better than it's ever been. As I 
said, our Shield, NYPD Shield program is all about information 
sharing. It's very well received by the private sector. We want 
to get information out, the Federal Government wants to get 
information out. There's a whole, there's an environment that 
supports information sharing now as never before in government, 
so nobody is holding on to information. Nobody wants to be 
caught holding on to information, quite frankly, so there's a 
lot of sharing going on.
    As I said, we had, in the London bombings, it was all 
public information, but we really got in the weeds with our 
private security partners, giving them a lot more detailed 
information than most of them had. And it's our belief that the 
better informed they are, the better able they are to protect 
themselves and thereby protect the city. We can't do it alone, 
that's our message to them. We need your eyes and ears, we need 
your active support, your active involvement.
    So I think prior to 2001, sure, I mean, we just didn't see 
the threat as we should have, but since 2001, it's gotten 
increasingly better as far as the sharing of information at all 
levels of government and government with the private sector.
    Mr. Towns. I yield back, Mr. Chairman. Thank you.
    Mr. Platts. Thank you, Mr. Towns. On the threat-based 
allocation, I was just reading your testimony in preparation 
for the hearing. It gave me as a member from South Central 
Pennsylvania a better idea of the challenges you face in 
allocation resources. In my District we have Gettysburg and 
some national sites of significance and certainly Philadelphia, 
but given how New York has been targeted not just in 2001, but 
in some of the intelligence since you referenced, back to 1995, 
the allocation, it certainly helps me to better understand the 
importance of that threat-based allocation approach.
    When we were here for the convention last year and had a 
chance to visit the Police Museum, times have changed from some 
of what was shared in that museum to today. The fact that there 
are seven officers deployed in other countries, being out 
there, proactive in your intelligence efforts is quite a 
difference from 100 or so years ago.
    One of the issues touched on about intelligence gathering 
and sharing intelligence, certainly within New York City and 
all your efforts, Federal, State and local, private sector. In 
Washington, one of the changes we made from September 11th was 
the Patriot Act, which was to allow information to be shared 
between those communities; intelligence gathering and law 
    Are you able to share specific examples of how the changes 
we made at the Federal level helped you at the local level here 
in New York regarding intelligence gathering because of those 
statutory changes of the Patriot Act?
    Mr. Kelly. Well, the Patriot Act helps the Federal 
Government, helps the FBI gather information, also exchange 
information or use information internally. It eliminated or 
greatly reduced the wall that existed in the FBI, for instance, 
between intelligence gathering and criminal investigation. So I 
know it's helped.
    I can't give you specific examples where it applied to New 
York City, but I can only assume like in certain cases, for 
instance, well, the Peracca case which I mentioned in my 
prepared remarks, I can only hope that helped in the 
investigation itself. It eases the flow of information, to me 
that's a good thing, inside the Federal Government.
    Mr. Platts. Thank you. The private sector and the various 
efforts that you have ongoing, reaching out to them, is there 
any financial contributions by the private sector to the city 
of New York or to the NYPD specific to acknowledge that there's 
a benefit to those private sector partners as well, maybe in a 
greater sense in some of your efforts, because it's really 
targeted, say, specifically to the financial sector, are there 
any resources that are allocated by them to your efforts?
    Mr. Kelly. Of course, they would argue that their taxes are 
their contribution.
    Mr. Platts. I would readily agree with them, but it's 
always good to ask if they want to give more.
    Mr. Kelly. I can give you one example, though, that there 
was a contribution. That's with the protection of the New York 
Stock Exchange. I mentioned again in my prepared remarks how 
certain intersections are protected by individuals trained by 
the NYPD. Well, they're paid for by the New York Stock 
Exchange. They also pay for some paid detail police officers 
that we have assigned there, but we have active duty on-duty 
police officers working there as well. We have significant 
resources devoted down there, but they're paying for that 
heightened level of security there, and of course you could 
argue that as we bring together security folks throughout 
industry and the financial services industry and we sort of 
task them in an implicit way to do things for us, that they're 
contributing. But that's the only hard example that I can give 
you of contributions where the New York Stock Exchange had paid 
significant amount of money for protecting the area around the 
Stock Exchange.
    Mr. Platts. And I think a good example of that partnership, 
public and private.
    I want to conclude in your testimony, you talked about 
continuing to adapt, especially with the business community 
here in the city with the coordination center between law 
enforcement and private sector and the need for Federal support 
for that initiative, and I assume that means funding support.
    I want to give you the opportunity to expand with Treasury 
and Homeland Security who is here, and the two Members that are 
here, maybe a little bit about what that is and the importance 
of it.
    Mr. Kelly. Yes, sir. The Freedom Tower is going forward at 
the 16-acre site of the World Trade Center. There will be other 
structures put in place there. Goldman Sachs has agreed to 
build onsite 26, which is right across from the Freedom Tower, 
so there's going to be a significant increase of people in the 
area and development, of course the financial services sector 
is going to be well represented.
    As that development goes forward, we are committed, the 
city is committed to putting in additional resources in the 
area that will involve both personnel, but also technology, and 
we're studying that now and moving forward with it.
    One of the plans that we have as that goes forward is to 
put in place, as I said, a coordination center, where we would 
have not only appropriate law enforcement agencies there, for 
instance, Metropolitan Transportation Authority, Port 
Authority, our own police personnel, Fire Department, but 
representatives from the stakeholders that will be there; the 
private sector security, and we envision that would be a 24-
hour coordination center, and we've talked to industry leaders, 
they're enthusiastic about all this. But that's kind of our 
overall plan.
    It's going to be expensive. We think it's important for us 
to provide additional protection in that area. Now, it will not 
only be limited to that area let's say, below Chambers Street. 
It will also be somewhat north. Some of the things we're doing 
now are under our Operation Atlas, as I said, we mobilize twice 
a day and send our units out to sensitive locations. We use 
some of these resources to do that, so it will be--it will help 
us in doing some of the coverage that now we're taking directly 
out of patrol resources and other parts of the city.
    So that's kind of the overall plan. Yes, we certainly would 
like to have Federal resources to help whenever it could.
    Mr. Platts. Thank you. Mr. Towns, do you have other 
    Mr. Towns. Yes, I do. Thank you very much, Mr. Chairman.
    The recent disaster in the Gulf Coast region demonstrates 
for us that major events do not have to be terrorist-related to 
have significant consequences. Have there been any significant 
efforts made by the New York City Department of Police or the 
city itself to establish evacuation plans for, say, Wall Street 
or lower Manhattan in the event of a major physical disaster? 
Have State and regional stakeholders, such as Port Authority or 
MTA, been proactive in developing a comprehensive plan to move 
large volumes of people away from the disaster area in a safe 
and timely fashion? I guess the last part would be how can the 
Federal Government assist you in that process.
    Mr. Kelly. We do have very comprehensive evacuation plans. 
Evacuation plans are coordinated by the Office of Emergency 
Management, but the Police Department plays a significant role 
in carrying out those plans. We provide assistance in 
evacuations, going to areas that may be evacuated. Search and 
rescue would be part of the functions we would provide. We have 
a coastal storm contingency plan and we have an evacuation plan 
for the entire city. The city is divided into 150 sectors, and 
there are elaborate plans for that. As a matter of fact, 
Commissioner Bruno, the head of the Office of Emergency 
Management is testifying right now at the City Council on those 
    As far as the other stakeholders are concerned, yes, the 
Office of Emergency Management works with the Port Authority, 
MTA. Obviously MTA would provide a significant amount of the 
transportation used to evacuate areas of the city. We have, as 
you well know, Congressman, a very large public transportation 
system in the city; subway and buses. The MTA would be an 
integral part of any evacuation plan. Port Authority as well.
    As far as Federal Government assistance, I can't think of 
anything specific. I'm sure Commissioner Bruno can think of it, 
but I can't think of anything that comes to mind for me other 
than any resources that could supplement what we're doing, 
anything that could help in the movement of people in a major 
evacuation, but we are, we have plans to evacuate every sector 
of the city, not just the financial district in lower 
Manhattan, but I must say that area is in one of the flood 
    If you look at our coastal storm contingency plan, you'll 
see it's prefaced on certain assumptions; Category 1, 2, 3 and 
4 storms. It does not go up to 5, but it does go up to 4, and 
there are flood areas in, say, lower Manhattan, that would be 
impacted by even a Category 1 storm. So there are plans to have 
an evacuation and also plans to provide services in that area, 
if something like a large storm hits us.
    Mr. Towns. Let me say, Commissioner, we really appreciate 
your involvement in the kind of information that you shared 
with us in Washington, you know, but we need to sort of do a 
little bit more to make certain they fully understand. Because 
when I say to my colleagues in Washington that you have 1,000 
police officers involved in counter-terrorism and they, knowing 
the Police Department is not even 2 percent the size of that, 
it's hard to communicate with them what this really means, the 
impact of it. Do you have any ideas or suggestions of what you 
might say to us or give to us that we may further take back to 
our colleagues to try to convince them that New York is unique 
in so many ways, and that this is the financial capital of the 
world and that New York is a place that we need to make certain 
that is protected in every way. So do you have anything that 
you might want to share with us further that we might be able 
to convey to our colleagues?
    Mr. Kelly. I think every part of America, indeed, 
significant parts of the world would be adversely affected by 
another attack in New York. We know that al-Qaeda's goal is 
something bigger and better than September 11th. They're not 
looking at small bar events in this city, they're looking for 
something larger, and it's been stated in a lot of different 
ways. So anybody who thinks that it just affects New York City 
or New York State is mistaken.
    We're protecting, as I said in my remarks, national assets. 
We're protecting assets that if they're attacked, will have an 
adverse impact across the world. You look at the things I 
mentioned. Look at New York Stock Exchange, you look at 
American Stock Exchange, NASDAQ. You look at the financial 
services industry headquarters that we have here. We have an 
attack here against any of those institutions, it will 
reverberate throughout the world, and certainly throughout 
    So I think that's the message that has to go back to 
Washington. We understand that people are concerned about their 
districts, that's what they're in Washington for. But you also 
have to look at the bigger picture. Because if we're struck 
here, it's going to hit in some way, shape and form, every 
congressional district in America and it's going to hit in a 
very hard way. The next event, God forbid, if there is one, is 
going to be, unfortunately, at least in their planning cycle, 
their planning minds, much larger than the last one.
    Mr. Towns. Thank you. I yield back.
    Mr. Platts. Thank you, Mr. Towns. Thank you, Commissioner 
for your insights. I appreciate certainly your current service 
here in New York, but I also mark your great service as a 
combat veteran in Vietnam and your 30 years in the reserves. As 
a fellow citizen, I'm personally grateful for your dedication 
to all of us citizens.
    Mr. Kelly. Thank you very much. Thank you, Mr. Chairman.
    Mr. Platts. We'll take about a 2-minute recess here while 
we get our second panel: Mr. Parsons, Caverly and Muccia. Thank 
    Mr. Platts. We'll reconvene here and again we're delighted 
to have our second panel here: Mr. Scott Parsons, Deputy 
Assistant Secretary, Critical Infrastructure Protection and 
Compliance Policy, Department of the Treasury. Glad to have you 
with us. Mr. James Caverly, Director of the Infrastructure 
Coordination Division, Department of Homeland Security and Mr. 
James Muccia, first deputy superintendent of banks.
    Now that you're all seated, if I could ask you all to rise, 
we'll swear you in and proceed with your testimonies.
    [Witnesses sworn.]
    Mr. Platts. You may be seated. The clerk will note all 
three witnesses affirmed the oath. We'll proceed first with Mr. 
Parsons. If you'd like to begin, and again we'll use roughly a 
5-minute guideline, but we're glad to hear your testimony in 



    Mr. Parsons. Thank you very much. Chairman Platts, Ranking 
Member Towns, thank you very much. We really appreciate the 
opportunity to be here today to testify on the financial 
services sector preparedness to handle a wide scale disruption.
    Mr. Platts. Mr. Parsons, do you mind holding that a little 
closer? I can hear you, but I'm not sure if everyone can. Thank 
    Mr. Parsons. I am pleased to tell you that the financial 
sector has made tremendous progress to insure its resiliency to 
withstand both man-made and natural disasters. President Bush 
has led the development and implementation of an effective 
program to defend our country's critical infrastructure. The 
financial services sector plays an indispensable role in the 
Nation's economic system, providing individuals, businesses and 
the government with credit and liquidity, short and long term 
investments, risk transfer products, various payment systems 
and depository services. It enables people to save for their 
education, their retirement, to purchase their homes and to 
invest in their dreams.
    The financial services system is essential to America's 
overall economic well-being. I note that we have experienced a 
number of events in recent years that test the resilience of 
the sector. The attacks of September 11, 2001, the power outage 
of August 15-16, 2003 and the elevated threat level for the 
financial sector of August 2004 have all tested the 
preparedness and resolve of the financial services sector. Most 
recently, Hurricane Katrina caused unprecedented devastation in 
multiple States. Yet the financial system has survived each of 
these events and through hard work and investment becomes 
stronger and better able to withstand such disruptions.
    The President has mandated that the Federal Government work 
closely with the private sector to protect the Nation's 
critical assets and infrastructure from major disruption. An 
important and unique insight that guides this strategy is that 
nearly all of the financial infrastructure is owned by the 
private sector, and, therefore, the success of our protective 
efforts depends on close cooperation between the Government and 
the private sector. On December 17, 2003, the President issued 
Homeland Security Presidential Directive No. 7 which 
establishes a national policy for Federal departments and 
agencies to identify and prioritize U.S. infrastructure and key 
resources and protect them from terrorist attacks. HSPD7, as 
it's known, recognized that various departments and agencies 
have specific knowledge, expertise and experience in working 
with certain sectors. Therefore, this directive provided for 
sector specific agencies or lead agencies for given sectors and 
the Department of Treasury has been designated as a sector 
specific agency for the banking and finance sector.
    It is under this designation that Treasury collaborates 
with appropriate private sector entities and other governmental 
agencies to encourage the development of information sharing 
and analysis mechanisms and to support sector coordinating 
mechanisms with the purpose of, No. 1, identifying, 
prioritizing and coordinating the protection of critical 
infrastructure, and, No. 2, to facilitate the sharing of 
information about physical and cyber threats, vulnerabilities, 
incidents, potential protective measures and best practices.
    Secretary Snow has a very strong commitment to insuring 
that the financial system continues to serve all Americans. The 
Nation's economy has been a constant target of terrorists who 
wish to do us harm. A consistent part of the rhetoric from 
Osama bin Ladin and others is the overall ideology to attack 
our Nation's economy, to attack the financial system to support 
it and to try to do us harm in this manner.
    Secretary Snow has tasked the Treasury Department's Office 
of Critical Infrastructure Protection and Compliance Policy to 
be responsible for developing and executing policies affecting 
both the physical and the cyber security of the U.S. financial 
system. The majority of these efforts require close cooperation 
and partnership with the public and private sector, and there 
are a number of important groups that we work with to achieve 
this end. One is the Financial and Banking Information 
Infrastructure Committee. This is a body of all of the Federal 
and State financial regulators and the Treasury Department is 
the Chair of this committee.
    The second is a private sector body, the Financial Services 
Sector Coordinating Council. You'll be hearing from the Chair 
of the FSSCC, as it's known, later on this morning.
    We also utilize an important information sharing mechanism 
called the Financial Services Information Sharing and Analysis 
Center or the FS-ISAC. That is a body that is run by the 
private sector with the sole purpose of disseminating critical 
physical and cyber threat information to the financial services 
sector members.
    And last, I would mention an important development, 
something that we think holds great promise and that is the 
creation of regional coalitions. I note specifically, Ranking 
Member Towns mentioned the futures industry. The first 
coalition of this nature is called ChicagoFIRST. It was based 
in Chicago with the recognition that the futures industry plays 
a prominent role in that city, and its goal by its members was 
to advance homeland security protective measures, specifically 
with local emphasis on it.
    We believe that this was a great model and we were able to 
partner with several other entities, including BITS, to 
document the steps that went into creating this and we've since 
published that document. I'm pleased to tell you that there is 
considerable focus on this initiative within the Department of 
Treasury and we are close to seeing some new announcements for 
new regional coalitions that will involve not only those on the 
east coast, but hopefully the west coast as well.
    With that, Mr. Chairman, I conclude my opening comments.
    [The prepared statement of Mr. Parsons follows:]

    [GRAPHIC] [TIFF OMITTED] T6505.007
    [GRAPHIC] [TIFF OMITTED] T6505.008
    [GRAPHIC] [TIFF OMITTED] T6505.009
    [GRAPHIC] [TIFF OMITTED] T6505.010
    [GRAPHIC] [TIFF OMITTED] T6505.011
    [GRAPHIC] [TIFF OMITTED] T6505.012
    Mr. Platts. Thank you, Mr. Parsons. Mr. Caverly.


    Mr. Caverly. Mr. Chairman, Mr. Towns thank you for having 
us here today. What I'd like to do is summarize my comments and 
enter my statement into the record.
    As we're all aware, protecting the Nation's critical 
infrastructure is really a partnership and it's a new kind of 
partnership between the owners and operators of that sector. 
Most of them being in the private sector and then State 
government, local government and Federal Government. Your panel 
of witnesses today I think does a great job of exemplifying 
exactly what kind of partnership needs to be there to insure 
that the Nation's critical infrastructure is protected the way 
we need to protect it.
    Clearly, the events of September 11th, the power outage of 
2003, then the casing reports heightened financial alerts in 
2004 identifies the impacts that terrorism or threats of 
terrorism can have to the financial communities of this country 
and as Police Commissioner Kelly said, those impacts will 
reverberate across the country.
    The Department of Homeland Security really has three 
principal objectives when dealing with critical infrastructure. 
One is to provide the resources and training to State and local 
government and law enforcement training for security 
enhancements. The other is to provide information to those 
various levels, whether they're the owners and operators of the 
individual components of the Nation's infrastructure, to local 
level law enforcement, State law enforcement and then across 
the Federal partnership of the kind of information that is 
necessary for each of those people to create risk assessments 
and react appropriately within the environment in which they're 
responsible for. And then underneath that is the creation of a 
fluid and viable information-sharing mechanism that will allow 
us to get the information quickly out to the points of decision 
and bring back information into the analytical framework that 
allows to us look at this as a total picture.
    As Mr. Parsons identified, the President's directive to his 
cabinet contained in HSPD7, Homeland Security President's 
Directive 7, a key component of that is asking members of the 
private sector to create a framework in which we can deal with 
the sector as an entity. The financial services sector was the 
first sector to come across and create a single entity called 
the Sector Coordinating Council, and you'll be hearing from Mr. 
Donahue the head of the FSSCC later. Looking at that and 
looking at what was done in Treasury with some activities of 
our own, we implemented the National Infrastructure Protection 
Plan a framework across all of the sectors to create a set of 
sector coordinating councils and government coordinating 
counsels that will allow us to act on this partnership. We 
believe the financial services has shown us a great way in 
which to build this framework.
    The other thing that HSPD7 directs the department to do is 
develop a National Infrastructure Protection Plan that is 
looking at setting security goals, identifying assets and 
assessing new risks. The NIPP plan was put out in a base plan 
in February of this past year. The next version will be coming 
out shortly. Once we get the base plan out in the next short 
timeframe, we'll begin working with each of the critical 
infrastructure sectors to develop a sector specific plan that 
focuses on each of the sectors and the activities the various 
players have to do both at Federal, State, local and also 
private sector level.
    A key component of one of the things that the department is 
working on is a risk assessment methodology. Secretary Chertoff 
has made risk assessment a key component of his program to 
enhance the Nation's critical security infrastructure. We 
developed a Risk Assessment Methodology for Critical Asset 
Protection [RAMCAP]. As we implement and develop the data 
inside, it will allow us to assess the risk across the 
infrastructures and do it comparatively. Because of the 
connected nature of the infrastructure, this is very, very 
    As I said earlier today, the panel here reflects a good 
level of the coordination and integration that needs to take 
place. We believe that the activities of August 2004, which led 
us to heighten the Homeland Security alert level in New York 
and Washington in the financial services sector is a very good 
example. As the intelligence was developed, we began working 
very closely with NYPD and the owners and operators and 
security directors in specific facilities that have been 
surveilled. We were able to take very quick and appropriate 
action across not only the responsibility of what local law 
enforcement and Chief Kelly were able to do, but also the 
owners and operators were able to do and share information. We 
think that is an example of exactly how this partnership should 
work because each of us has certain responsibilities in the 
    One of the things about the financial services sector is 
the redundancy that is built into the system. Because of things 
that happened in the financial services sector in the 1980's 
and 1990's, when in fact it lost power in lower Manhattan and 
when it lost telecommunications at certain times, it built 
resiliency into its system. It has a very, very robust, 
resilient system to allow it, as the chairman pointed out, to 
resume its financial operations quite soon after taking a 
serious blow. We think that's important.
    The national communication system is part of Department 
Homeland Security and we're working closely with the financial 
services sector to insure the telecommunication backbone for 
their information flows has the kind of resiliency and 
redundancy necessary to insure that no matter what happens the 
transactional part of that connectivity can continue.
    One of the most important parts is a program we call 
``route diversity methodology.'' It insures as you look at the 
networks of the telecommunications that in fact all 
transactions are moving across a very diverse network, as 
opposed to being funneled into single hubs and therefore 
building a resiliency outside of that.
    The last thing I'd like to make a brief comment about is 
Homeland Security Information Network. It is a framework the 
Department of Homeland Security is deploying that will allow us 
to connect to the various groups, whether regional groups or 
things such as the Financial Services ISAC. It is a cohesive 
network that allows a sharing of information not only inside 
the sector, but across sector lines and also across 
jurisdictional lines to insure that the information part that 
flows either to or from the Department of Homeland Security is 
accessible, whether it's law enforcement information, first 
responder information or information that we receive from the 
private sector.
    With that, Mr. Chairman, I'll take your questions.
    [The prepared statement of Mr. Caverly follows:]

    [GRAPHIC] [TIFF OMITTED] T6505.013
    [GRAPHIC] [TIFF OMITTED] T6505.014
    [GRAPHIC] [TIFF OMITTED] T6505.015
    [GRAPHIC] [TIFF OMITTED] T6505.016
    [GRAPHIC] [TIFF OMITTED] T6505.017
    [GRAPHIC] [TIFF OMITTED] T6505.018
    [GRAPHIC] [TIFF OMITTED] T6505.019
    [GRAPHIC] [TIFF OMITTED] T6505.020
    Mr. Platts. Thank you, Mr. Caverly. Mr. Muccia.


    Mr. Muccia. Thank you, Mr. Chairman, and Congressman Towns 
for allowing me to submit this testimony to you today on the 
current status of financial market preparedness for wide scale 
disasters or disruptions.
    I will briefly summarize the key points contained in the 
department's written testimony. First, I do not believe that 
the financial regulatory community or the banking industry have 
become complacent. The stakes are too high, and the reminders 
too frequent. Certainly, if there was a threat of complacency 
setting in, the recent catastrophe in the Gulf Coast and New 
Orleans has served as a powerful reminder that we can never be 
too prepared.
    Second, effective communication and coordination between 
State and Federal banking agencies is essential to rapid 
recovery. From our perspective, the protocols set in place by 
the Financial and Banking Infrastructure Information Committee, 
which Mr. Parsons chairs, or FBIIC, have proved to be effective 
in improving communication and coordination. We understand from 
our fellow State regulators in Louisiana that coordination with 
their Federal counterparts in response to Katrina have been 
excellent. We at the New York State Banking Department know how 
valuable that communication and coordination is, as it was 
tested both during September 11th and the August 2003 power 
blackout. Third, our assessment of the readiness of the New 
York State banking institutions we directly supervise is based 
on our ongoing supervision and onsite examination programs. 
Overall, our examiners are giving good grades to our 
institutions. The small number of institutions that are 
considered critical to the system are being held to a high 
standard of business resumption capability and are expected to 
meet current supervisory standards and targets. The vast 
majority of non-critical institutions have adequate plans and 
those missing the mark are in the process of correcting 
    One area that we will be focusing on in the near term is 
testing. More testing of business continuity plans is needed. 
Test results need to be more carefully and vigorously audited 
and the scope of testing needs to be widened. We are discussing 
how to achieve this with the Federal banking agencies that 
share our supervisory responsibility over our institutions, and 
I expect formal guidance will be issued in 2006.
    Finally, we recognize that business continuity planning is 
a continuous process that requires our constant vigilance and 
attention. We are committed to insuring our institutions are as 
prepared as possible and thank Congress and this subcommittee 
for your continued support and attention to this critical 
challenge. Thank you.
    [The prepared statement of Mr. Muccia follows:]

    [GRAPHIC] [TIFF OMITTED] T6505.021
    [GRAPHIC] [TIFF OMITTED] T6505.022
    [GRAPHIC] [TIFF OMITTED] T6505.023
    [GRAPHIC] [TIFF OMITTED] T6505.024
    [GRAPHIC] [TIFF OMITTED] T6505.025
    Mr. Platts. Thank you, Mr. Muccia. I appreciate each of 
your testimonies. Each of you I believe in your written 
testimony and here today referenced an August 2003 blackout. It 
was in a sense the first major test after September 11th here 
in the New York area. The blackout was also a test especially 
throughout the northeast of how our new coordination was going 
to work. I'm interested if each of you would want to share your 
perspective of how your organization responded. Also, what will 
be especially informative is the things that didn't go as you 
expected 2 years after September 11th.
    Mr. Parsons. Sure. Our observation is, as you noted, Mr. 
Chairman, the power outage was indeed the first real test of 
the mechanisms that we put in place after September 11th. We 
felt they worked very, very well for a couple of reasons. One 
is it was critical to get information out to the sector as 
quickly as possible, and it had to be an exchange of 
information. We knew there was a blackout, but we also wanted 
to find out what was happening in New York City.
    Those mechanisms worked very well. The communications that 
we had built in were very effective in ascertaining the 
situation and within 15 minutes or so we had a good 
understanding of what exactly was going on. I would also note 
that they were instrumental in being able to help spread the 
word as quickly as possible. This was in fact not a terrorist 
incident, which I think was very, very important for everybody 
at that time to understand.
    Additionally, it enabled us to convene, for example, all of 
the financial regulators to look for any problems that we may 
have had. If there were any imbalances created due to the time 
of the incident, thankfully it came after the closing of most 
of the major markets. Were there any things or actions that we 
needed to do to immediately from a regulatory standpoint, and 
then also in working with our private sector coordinating body, 
the FSSCC, we were able to identify any needs that they may 
have had very quickly.
    I think it's important to note that the financial sector is 
extremely resilient and most of the firms here have well-
drilled, well-thought-out backup emergency plans.
    Nonetheless, we used this mechanism to find a couple of 
examples where we needed to intervene. One example of that is 
at the American Stock Exchange. It needed a new generator so 
they could cool its training floor. While working with the New 
York Office of Emergency Management, we were able to coordinate 
the delivery of that to help the AMEX get back on line quickly.
    Very briefly, I would say there were some lessons learned 
for us. One of them is the interdependency that we have on 
other sectors. You heard Mr. Caverly talk about 
telecommunications. That's a very big concern for us in 
financial, but we also learned, for example, the need to 
resupply generators to--if we were going to have a sustained 
outage, and we have subsequently through the FSSCC convened 
meetings with other government agencies like the Department of 
Energy and the Department of Transportation to discuss these 
and other lessons that we learned not only from that event, but 
from other pieces of our thinking on this as well.
    Mr. Platts. Thank you.
    Mr. Caverly. One of the things that it did was reinforced 
the critical role that information sharing plays. There were 
existing mechanisms prior to the creation of the department; 
relationships between telecommunications and electricity 
specifically because of their interdependency nature. Based on 
the activity that came out of that, DHS has set up the National 
Infrastructure Coordinating Center, to provide transparency. 
The lesson that moved us in that direction was that on Friday 
morning after the blackout, as we were talking to the 
telecommunications and electricity people, the electricity 
people pointed out that power would not come on in Detroit 
until Sunday. The telecommunications people identified that 
presented a significant program for their wireless nets, 
because most of them depended on batteries, some on generators. 
They recognized they needed to bring more generators in as well 
as resupply the fuel to the generators that were there, but 
they didn't have existing relationships with suppliers.
    We were able to take them and connect them up with the 
Michigan State Energy Office who knew all the suppliers and 
could quickly make sure they had the supply they needed until 
the power came back on.
    It's that kind of transparency and sharing of information 
that's critical to a situation like that. The media gives us 
some heads up, but there are things that come from the 
operating parts that the owners and operators know and we need 
to create a better more fluid forum. The NICC is the process, 
and as we built the connectivity it provides the capability for 
those extraordinary communications that have to take place in a 
    Mr. Muccia. I would agree with Mr. Parsons in terms of the 
overall connectedness of communication. I think one of the 
things that happened was some of the protocols we put in place 
that we learned sort of ad hoc on September 11th we got to use 
in the blackout event. It was a more formal structured way of 
communicating that helped get the word around more quickly. Our 
institutions did very well.
    So overall in our department we exercised our plan and had 
representatives at the Federal Reserve in New York. We were in 
contact with SEMO and New York OEM. So overall, it worked very 
    Mr. Platts. The lessons learned in that coordination, for 
example, the fuel to the generators to control and identify 
quickly what the problem was, how did working with utilities, 
what was the cause for that? I think you're right to get the 
word out quickly to the public that this is not a terrorist 
attack. It was a infrastructure breakdown basically. I didn't 
learn it as quickly as the rest of the country, because I was 
tent camping in the Northwest at the time. I learned about it a 
day late I think, behind everybody else. I was removed from 
civilization with my wife and kids.
    But in getting a handle of what did happen and how quickly 
word did get out, given that the utilities are private sector, 
how did that happen? You needed to learn here's what happened, 
why it happened and then share that publicly.
    Mr. Parsons. The first thing we determined very quickly is 
that this is not an act of terrorism and that was simply done 
by--I guess it would be a collection of information that flowed 
in all at once.
    Mr. Platts. Was it the private sector coming forward too?
    Mr. Caverly. It was.
    Mr. Parsons. Both.
    Mr. Caverly. To some degree you can understand the 
structure--the North American Electrical Reliability Council, 
which sets the reliability standards for the electric industry 
is a central point for information. They were on the phone by 
3:30 that afternoon identifying the cause of it, which was a 
rolling blackout caused--they didn't know initially what caused 
the system to start tripping out, but they were able through 
their reliability coordinators in the reliability region to 
identify that's how it happened. Then you went back to the 
operating center. So they built the picture quickly of what the 
cause was, being able to talk.
    So the information comes out of them very, very quickly 
into the system. Remember, it is a regulated industry, so the 
reporting requirements are a little more structured than some 
other parts of the private sector. In that case the information 
came out of it, as well as the reporting you were getting in 
the media--there was no report of explosions or other such 
    Mr. Parsons. Mr. Chairman, it was also useful again to hear 
from people in the affected city who were saying, ``we don't 
see any explosions, we just see the lights have gone out. 
There's no smoke, there's no fire.'' I guess I would answer 
that it was kind of information flow both ways, to and from.
    Mr. Platts. Mr. Muccia, you mentioned that you worked with 
SEMO here in New York. Would that have been the case prior to 
September 11th, your involvement, the Banking Department, 
immediately, being part of that Statewide effort in responding? 
Did that change because of September 11th or would that 
involvement of the Banking Department be there already?
    Mr. Muccia. It really changed I think to a significant 
degree with preparations for Y2K, where we really--we always 
had it there, but I think in terms of taking it more seriously 
and being more prepared, it started with Y2K and certainly 
September 11th really brought it home.
    Mr. Platts. Obviously, there's an endless list of efforts 
we could engage in and you've each highlighted some very 
important ones that your organizations are now pursuing. 
There's not an endless sum of money out there, and so you need 
to be smart.
    Last, we had a hearing on managerial cost accounting in 
trying to make that cost benefit analysis on the Federal level 
in that case in two or more departments; Veterans Affairs and 
Labor. In what way does that go on with your respective 
organizations that you're trying to do that kind of cost to 
benefit? It kind of relates to the Commissioner, the threat-
based provision of funds, but internally in your organization, 
how do you go about that?
    Mr. Parsons. That's a very good question. We do have a 
limited sum of money and as you noted, we could spend freely, 
but we can't do that. So what we try to do is we try to take a 
risk-based approach to our efforts at the Department of 
Treasury. What we've first done is working with the other 
financial regulators, we've identified the wholesale clearing 
payment system, which is really, if you really think about it, 
it is the series of mechanisms and institutions that really 
make the financial system work, and we've chosen to direct our 
efforts to those entities, believing that we will get a huge 
return that will in fact create a cascading effect and that 
other firms will benefit from this knowledge and our efforts 
    We've embarked on a testing regime which is not focused on 
simply doing a test, it's really focused on doing a plan, and 
that plan involves the State and local officials and the 
affected institution, the institution that we've all 
collectively identified or the series of institutions. So it's 
very targeted and at the end of the day we have a plan that not 
only involves one center, but involves many of the operating 
capacities within these given institutions.
    So I guess I'd summarize by saying you really have to take 
a risk-based approach in thinking about where will we get the 
best return for our dollars, and we do think about it before we 
accentuate programs.
    I would also add through our partnerships with the 
regulators and with the Financial Services Coordinating Council 
we get a tremendous scale to our investment and it reaches a 
vast majority of the financial sector.
    Mr. Caverly. Secretary Chertoff is devoted to a risk-based 
approached in vulnerability and consequences related to the 
infrastructure. As you can imagine, the department has to look 
across all 17 critical infrastructure sectors. The RAMCAP 
methodology that I mentioned earlier allows us to look at the 
risks associated across the sectors and ultimately prioritize 
and allocate across the sectors the limited resources that are 
    It doesn't do us particularly good if you have the best and 
most resilient systems in the financial services sector and you 
haven't accounted for the risk to transportation or 
telecommunication risk or cyber risk. So we have to look across 
all those components of a very intertwined infrastructure and 
prioritize our assets on a risk basis, so in fact we make the 
system resilient.
    Mr. Muccia. We also use a risk-based approach in terms of 
our supervision and examination and key to that is really our 
program of CPC's or resident examiners at critical institutions 
that we share responsibility with the Federal Reserve or the 
FDIC, depending on the institution. So we leverage off each 
other in terms of sharing resources, responsibilities with the 
Federal banking agencies and we use resident examiners on those 
key institutions to stay in touch and in focus and we leverage 
off work. We can't do it all ourselves, even the Federal 
banking regulators can't. We leverage off the work done by the 
businesses themselves, utilizing their internal audit reports 
and their external audit reports and their internal policies 
and procedures.
    Mr. Platts. You mentioned in your answer about RAMCAP. 
Where do we stand in that development deployment of that?
    Mr. Caverly. The framework for the methodology has been 
developed across the spectrum. We are now doing modules across 
each of the sectors. Obviously, that methodology is important 
as we develop the NIPP plans for each sector-specific agency. 
So those are scheduled to be completed later this fall for each 
of the sectors.
    Mr. Platts. Thank you. Mr. Towns.
    Mr. Towns. Thank you very much, Mr. Chairman. Let me begin 
with you, Mr. Parsons. You talked about a regional coalition 
and of course you talked about ChicagoFIRST. Many people are 
saying that methodology should go further than Chicago, because 
there's extra cost involved.
    My question is, ChicagoFIRST, I thought it should be New 
York First, but that not being the case, could you tell us in 
terms of the makeup of that and what it's all about and is it 
true that the reason you're having difficulty moving it forward 
is because of the additional resources that would have to be 
allocated in order for it to be a reality.
    Mr. Parsons. Congressman Towns, I can tell you, 
ChicagoFIRST is an interesting story. It started out with two 
participants for large firms there who said, hey, we feel like 
we're not getting adequate representation to the local level, 
at the local level for what the financial services sector 
really needs. And that conversation led to an idea which in 
turn led to collaboration and the result of this over a period 
of time, including with the encouragement of the Department of 
the Treasury was the establishment of ChicagoFIRST.
    I can comment on a couple of things related to funding. One 
is, it is a self-funding organization. That is, its members 
have agreed to pay dues to fund its effort. They have appointed 
an executive director who is a full time employee and who 
coordinates all of their activity. They also have a president 
and they have a board of directors that oversees their 
operation. So I don't believe that in the case for ChicagoFIRST 
that funding has become a tremendous issue at this moment in 
    What I would add, though, is we've been working actively to 
encourage the creation of other organizations like ChicagoFIRST 
in other areas of the country, and we believe they're extremely 
useful. I would note it would have been very helpful, for 
example, to have sort of a single point of contact that 
represented the financial services sector in New Orleans as we 
worked for the recovery of Katrina. I think our mechanisms are 
working well. This would have simply augmented and made our 
flow of information and our exchange of needs and ideas more 
    So we are hopeful that we're going to have, in fact, we 
plan on having an announcement on October 13th about the 
formation of a new organization in Miami. We hope to have 
additional organizations as well.
    Mr. Towns. Let me ask you, will you provide additional 
money or resources to move this forward? I know you said 
there's the different companies, agencies put money in, but are 
you willing to also put additional resources in in order to 
make it a reality?
    Mr. Parsons. That's a great question. We at this time, we 
have not planned for specific investments toward the 
establishment of these organizations, other than our work to go 
down and share with them the documents I referenced in my 
opening remarks and written testimony that we partnered with 
BITS on, a how-to model, a how-to cookbook, if you will, to 
establish these organizations.
    What we have done, though, and we've done this twice with 
the case of ChicagoFIRST, is we have funded an exercise with 
ChicagoFIRST as the point to test various aspects of response, 
recovery and generally trying to identify needs within the 
community, and I would tell you that we would plan on doing 
that for the other regional coalitions as well.
    Mr. Towns. There seems to be a lot of excitement around 
ChicagoFIRST. I just want to share that with you. I think 
that's important.
    Mr. Caverly, as the department moves forward with its 
reorganization under Secretary Chertoff, can you describe for 
us how the new structure of DHS will improve the agency's 
efforts to strengthen critical infrastructure protection 
activities? Will these new government structures have adequate 
authority and attention from the Secretary? How do you 
anticipate the new Office of Intelligence and Analysis 
improving upon the sharing of information between public and 
private sector participants, such as the financial markets?
    And also, I guess in terms of the issue of privacy, has 
that popped up?
    Mr. Caverly. Let me answer the question somewhat in a bit 
of reverse order. On the privacy issue, privacy always remains 
a critical concern of the department, because as you look for 
the information that will help you do--identify the strengths, 
identify indications and warnings, we always run into the risk 
of having information on U.S. citizens that cause problems with 
existing privacy laws. So we're working very, very hard to 
insure that we get a robust information analysis system that 
doesn't violate the rights and privileges of the American 
citizens for the privacy of their personal information.
    So we work at it. It does present certain problems that 
each of the units within the department have to work with based 
on the kinds of information they need to build the picture that 
allows them to assess risk, identify threat.
    Relative to the Secretary's reorganization, I think if you 
look at it, the new rules proposed under the Secretary for 
preparedness if you think about it, protection is a seamless 
framework that goes from preparedness through protection to 
response and recovery. Because if you can respond and recover 
as quickly and efficiently as possible, you reduce the impact, 
reduce the consequences of an event, whether a natural event or 
man-made event, terrorist event. So what the secretary has done 
in that case is combined into one unit the responsibility for 
the preparedness which the administration recognizes in HSPD8 
the responsibility for protection or prevention, if you want, 
in HSPD7 and the response and recovery which is in HSPD5. So he 
brings together a framework that has both the preparedness 
planning, the infrastructure protection planning and, 
obviously, the national response plan all into one framework.
    The other thing I think that the Secretary's reorganization 
recognizes is there's a vast span of responsibilities in 
agencies of the department, and what he's really set up is a 
framework that allows the coordination and the sharing of 
information and the transparency necessary so that those 
various responsibilities resting with individual agencies and 
organizations can complement each other and not duplicate.
    Mr. Towns. Right. Thank you very much.
    Mr. Muccia, let me ask you, sharing information about 
potential threats is viewed as a critical step in helping to 
insure the financial institutions are better prepared to 
protect their operations from disruptions. How is your 
organization assisting in providing such information to 
financial institutions? I would assume that an electronic 
attack could easily be targeted on a small institution just as 
it could a larger one. Are there additional barriers you can 
identify for us in regards to effective information sharing 
practices that are the potential solutions to this problem?
    Mr. Muccia. Thank you, Congressman. You mentioned cyber 
attacks and New York has a cyber security office that 
concentrates on those threats and gives advice to the industry, 
and one of the mechanisms we actually have set up is a 
collection of those types of events that gets centralized at 
the New York office and then scrubbed of identifying 
information and then put out to the industry so they're aware 
of what types of attacks are going on.
    In terms of information sharing, in terms of a crisis, we 
have a number of points of contact, where we will establish 
communications. One of them I already mentioned before, that is 
indeed our resident examiners at individual critical 
institutions. For all institutions, including the small ones 
you talked about, we have numerous contacts available to them. 
Obviously, they kind of depend on the telecommunication system 
working, but we have obviously contacts through cell phones, 
Blackberry, we have some satellite phones available to the 
department, so in terms of the infrastructure we have as many 
different varieties; Internet, available.
    If our offices in New York City--and we will reach out, 
part of our plan is we like to be proactive and reach out to 
institutions to find out what's happening--if we're disabled in 
our offices downtown, we switch to our offices in Albany. If we 
need to reactivate our hot site within 24 hours, if we have to 
do that, we have numerous points of contact. We also have 
examiners who have given their contact information, their home 
phones and so forth to various institutions, so we have a 
number of ways of doing it and then with our programs of having 
representatives at the State Emergency Management Office at 
their operations center, at the New York City OEM office and at 
the Federal Reserve Bank of New York, we therefore have 
numerous points of getting into contact.
    Mr. Towns. Thank you very much. Let me just ask all of you 
down the line, starting with I guess you, Mr. Parsons. You 
always hear about communications, sharing of information, 
coordination, you always hear this. Is there anything that 
Members of Congress can do to improve or facilitate that in any 
way? I know you guys hate for you us to stick our nose under 
the tent, I understand that.
    Mr. Parsons. Congressman, that is truly an excellent 
question. You know, we've put a lot of effort, as you noted, to 
information-sharing mechanisms. I would note here today that 
Director Caverly is working very hard on the further creation 
of the Homeland Security Information Network, which we 
wholeheartedly support and we think that's going to be an 
excellent mechanism. It will complement other things that we 
have currently in place.
    Honestly, I think at this point I don't have a good answer 
for you, other than to say nothing comes to mind.
    Mr. Towns. Right, OK, thank you.
    Mr. Caverly. Congressman, I think there are two things. One 
is something, not something Congress can fix, but is just 
getting the two institutions, government and the private sector 
to understand the information needs on both sides and be able 
to transfer them into something that's useful to them. The 
intelligence community presents information in a certain way 
that is understandable to professionals that have dealt with 
them for a long time, but not potentially understandable to a 
security director who has not been engaged with them for a long 
time. Our job is to find ways to do that and we're working very 
much on.
    I think the other issue, I think this is one where the 
legislative entities across the country, whether they're local, 
State or Federal, need to continue to search for the right 
balance between the need to have sensitive information 
protected so that it's not in the public domain versus the 
public's right to have the information it needs to form 
judgments. There's a delicate balance, but we're moving into an 
area where the information needs to be shared between the 
owners and operators, the infrastructure and the government, 
that doesn't need to be in the public domain, whether it's 
vulnerability information or intelligence, and we need to 
strive to find a balance in those two very pressing needs.
    Mr. Muccia. Congressman, nothing comes to mind right away. 
I think in my limited world of banking supervision we've had a 
long history of cooperating with the Federal banking 
regulators, State and Federal, through our joint examination 
programs our joint supervision programs, so we're very used to 
having this close coordination and communication.
    Mr. Towns. Thank you very much.
    Mr. Parsons. Congressman, I just might add, Congress has 
already acted in a very beneficial way, that's the Intelligence 
Reform Act; working to bring down barriers between agencies 
that will help us to share information both among ourselves and 
with the private sector as well.
    Mr. Towns. Thank you. I yield back to the chairman.
    Mr. Platts. Thank you, Mr. Towns. Mr. Parsons made specific 
reference to the Patriot Act, intelligence reform. We're 
obviously dealing with the reauthorization of that and trying 
to strengthen some of the civil rights protections, but as I 
referenced to Commissioner Kelly, that information sharing, 
obviously, is critical to what you do within the Federal 
department or in sharing information with local entities like 
    Mr. Parsons. Yes.
    Mr. Platts. I want to ask Mr. Caverly, you in talking about 
the Infrastructure Protection Plan, that implementation going 
forward, how often is that coordinated plan reviewed for--in 
response now to Katrina and Rita, how would that process go 
forward? Is it a weekly review, monthly review? Is there a set 
approach to it or is it more just as we learn you go back and 
    Mr. Caverly. I think there are several pieces of that. 
There is a preparedness plan, which we've begun to work on with 
the department relative to the scenarios to be prepared to deal 
with and that's an iterative process that the Office of 
Preparedness will be doing.
    The National Infrastructure Protection Plan is still under 
development. We have a base plan framework that we put out an 
interim plan last February. The base plan will come back out 
for comment to the American public shortly. Then there will be 
individual sector plans after that.
    Currently the plan is for the Director to look at that 
annually. We may look at that cycle and say maybe a biannual 
review, it might be longer than that. Then ultimately the 
response down to Katrina and Rita were all carried out under 
the National Response Plan, which was an effort by the 
department based on congressional direction to combine a large 
set of Federal response plans that were not connected in a 
single framework. So the National Response Plan put out a year 
and a half ago does that and that will be a process to come 
back and see how well those integrated pieces work down in the 
southern part of the country.
    Mr. Platts. In developing the plans and getting feedback on 
how to protect the infrastructure, and today we're focused 
mostly on the financial sector, but another part of 
infrastructure is chemical facilities, chemical plants. How 
much outreach--I'll give you an example. I had a constituent 
came to me and my staff, then followed up with the department 
in terms of how this was being addressed. A driver for a 
company that does a lot of transportation of chemical, very 
volatile chemicals and his concern that when presented with 
some of these plans, the identification, confirming that he is 
who he's supposed to be and entitled to pick up this very 
volatile supply order, that it was very lax.
    Do you reach out within the department where actually you 
go to those drivers and randomly pick some; say, how do you see 
it? Or, how do you get feedback?
    Mr. Caverly. It's a couple of things. There's obviously 
security protection advisers located around the country going 
out to facilities, visiting the supply chain part of those 
facilities to pick up that kind of information.
    Across something like the chemical sector, there's a range 
of activities they do from something like the American 
Chemistry Council for the largest manufacturers that have a 
responsible care program for their security program, which is 
best practices for them. Some of the other groups do. We 
created a Chemical Sector Coordinating Council along the lines 
that we've seen in financial services for the intent of making 
sure that those kind of best practices, those kind of 
knowledges, those protected activities can be translated across 
a wide range of different kinds of facilities, different kinds 
of concerns and operational realities.
    I think it's a mix of the two things you identified.
    Mr. Platts. I would encourage that outreach in that example 
that the driver, his--as we're doing more background checks on 
the drivers so they can get their license and be approved. Say 
it doesn't mean a whole lot if someone bumps me off enroute, 
takes my spot and pulls in and they don't check to see he's not 
me. That type of outreach. Sometimes we look at that big 
picture and forget that the guys are in the front lines, get 
their insights which are sometimes----
    Mr. Caverly. That highlights the interdependence of all of 
the components. It's not just a single component. It's a system 
of systems.
    Mr. Platts. It is. You have to look at the plan itself with 
the transportation network that's involved in distributing what 
that plant is manufacturing.
    Mr. Parsons, on the interagency capability sound practices 
to strengthen the resilience of the financial system 2006 
timeframe we're looking at for those protocols or those 
practices being put in place, what's your assessment of where 
this industry is as being able to comply with that timeframe?
    Mr. Parsons. I believe the industry is well along, and I 
believe they will comply with deadlines that have been set.
    Mr. Platts. Is there any possible problems that may need to 
be revisited or just that are not realistic or overall, are you 
    Mr. Parsons. Congressman, at this point I've heard of no 
problems, I'm not aware of any. So we remain optimistic the 
goals will be met. I will take the opportunity to commend the 
sector because they have been extraordinary in their response 
to this document and they've made extraordinary investments and 
extraordinary progress.
    Mr. Platts. Great. The coordination. And Mr. Caverly this 
may be specific to you, the coordination, again, of information 
being shared here, it seems that we've seen tremendous success 
in the private sector and public entity in sharing information, 
what's happening and how we need to respond. We had a blackout 
in York--old York, PA, not New York--a while back and one of 
the issues that came to my office was there wasn't a 
preestablished ability of businesses to have direct access to 
utilities. Where all of us as residents want our refrigerators 
working, our lights on and air conditioners individually, but 
there are entities that affect a much greater population base 
because of the service they provide to the private sector, and 
so they ended up coming to me, because I had a contact through 
my State House days in dealing with this utility and we kind of 
became the conduit for information from the utility, the 
private sector provider and timeframe to these businesses, 
especially food warehouses and things, so we could decide how 
are we going to manage this problem long term.
    We became that conduit. Obviously, it would have been 
better if it was preestablished. What do you hear on that 
direct access specifically to the energy, to utilities with the 
financial sector in New York?
    Mr. Caverly. I think in New York, again, based on the 
history that the financial sector has had with New York, it has 
very good connectivity both in telecommunications and 
electricity. Again, unfortunately it's because they had 
problems in lower Manhattan historically that did in fact move 
this up on the many things that somebody has to consider in 
assigning their resources to.
    I think what you highlight is the need to say one size 
doesn't fit all here; that we need things that operate on a 
local level, could operate on a regional level and could 
operate on a national level to insure that the kinds of 
information that you need to continue your operation, the 
continuity of operations, is accessible to you.
    The utilities are doing a much better job in putting 
information now up on the web and having it accessible, but, 
again, if you're not used to looking for it there, it might 
take you some time to find that information. They understand 
the benefit to them of having that transparency out there and 
being able to get the information out, particularly in a day of 
7 by 24 news coverage where, clearly, misinformation causes far 
more trouble frequently than not. So there is a incentive for 
them to provide that kind of connectivity.
    If you look at groups like ChicagoFIRST, if you look at the 
program that Commissioner Kelly talked about Apple in New York, 
those local activities that provide that connectivity and 
dedicate the time to be connected to understand where to get 
that information is a thing that has to happen. So I think we 
all have a role to play in getting to what you're suggesting, 
which is the ability to have the information needed to make the 
decisions when something happens.
    Mr. Platts. And that's great for a followup. When it's 
information from your organizations to the private sector, some 
of that information is very sensitive intelligence information. 
How do you handle or prepare for the transfer of sensitive 
intelligence with those receiving entities? Do they go through 
a certain level of personnel background checks and things that 
they're entitled to be privy to to what you're sharing?
    Mr. Caverly. Unfortunately, the system that we have for 
protecting that national security information never envisioned 
what we have now, which is part of the private sector, we have 
been able to through a system of security clearances, etc., 
create a framework in which we can get information to them. 
It's not as efficient as we'd like. Homeland Security 
Information Network, as we develop the capability and adjust 
the flow of information, ultimately I think will allow us to 
get information to the owner operators in their place of 
decisionmaking. Right now it's pretty awkward, because we have 
to bring them into a classified facility, assure they have a 
clearance, but one of the things we're looking at is how can I 
be sure I can give you quickly timely the information you need 
to make that decision at the place where you need to make it, 
because if you don't, we can't be as efficient as we want.
    Clearly, with the financial institutions in New York, their 
leadership all have security clearance. We were able to work 
very closely with them in sharing some of the most sensitive 
information last August, because we knew the need of being able 
to share it with them. But we were able to do that on an ad hoc 
basis and I think we need to move to a much more systematic 
capability. But it requires changing our whole framework for 
protecting sensitive national security information that's been 
in place for a long time and that takes a lot of time.
    Mr. Platts. In that review, that's something the department 
is engaged in, how it's going to try to streamline that?
    Mr. Caverly. How to streamline that, how to make sure the 
information can go to someone who has to act on it in a 
protected way without it becoming cumbersome for them to have 
to receive the information.
    Mr. Platts. Thank you.
    One final question, Mr. Muccia, that in your testimony you 
talked about the review of the Institution Business Continuity 
Plan and the importance of the board of directors' senior 
management being engaged in understanding and appreciating the 
importance of this issue.
    In those reviews, what is the norm? Is it the norm that the 
senior board members and executives understand that continuity 
disaster recovery is critical in today's time that we now live 
in? Is that the norm, or are there some that still don't get 
    Mr. Muccia. Mr. Chairman, that is the norm today. I once 
had a mentor who told me the key to success in business was if 
your boss was interested in a topic, then all of a sudden you 
become extremely interested in that topic, and I think now the 
events that we've had in the past and the examination programs 
that we've have that really lie responsibility at the very top 
with the board of directors. They know that we'll be taking 
enforcement actions against them if they're not paying 
attention. They have paid attention and have pushed down that 
message to senior management and have held them accountable. 
That's where we see success. When the board is active, when the 
board knows the plans, when the board is monitoring the status 
of those plans; that's when we've had success with the 
institutions. We've had some smaller institutions that still 
have some work to do, but we are working with the institutions 
to make sure they get the message.
    Mr. Platts. I would share the message with your mentor. 
Those are some wise words. I learned from my mom and dad. If my 
mom or dad was focused on something, it was important for me to 
get that done.
    Mr. Towns, do you have any comments?
    Mr. Towns. I just hope my staff is listening. I do have one 
more question. I'd like to direct this to Mr. Scott Parsons.
    Treasury released a report that essentially called for the 
ending of the terrorism insurance backstop for insurance to 
provide terrorism insurance products to the marketplace. Many 
industry participants, including some of those before us today, 
have called for extending the authorization of such programs.
    Can you describe for us the economic incentives or barriers 
that are present in today's market to justify such a decision? 
Won't the loss of the TRIA backstop provide less incentives for 
insurers to private such coverage?
    Mr. Parsons. Congressman, I appreciate the question; 
appreciate the spirit of the question. My response to you is 
the department did issue a report and Secretary Snow has signed 
it and would I let that report speak for the position of the 
department at this point.
    Mr. Towns. No further comment?
    Mr. Parsons. No, sir.
    Mr. Towns. Well, I can understand the sensitivity about it, 
but you also need to understand our concerns.
    Mr. Parsons. Certainly.
    Mr. Towns. We'll drop it at that.
    Mr. Chairman, I'll close on that note, hoping, though, we 
could get some kind of written response from the Treasury 
Department, because this is something that we have people 
asking a lot of questions about and we can't give them the 
answers, so I would appreciate that, recognizing you might not 
be prepared to do that this morning. We look forward to getting 
that. Mr. Chairman.
    Mr. Platts. Exactly, Mr. Towns. I would suggest if the 
department will followup to the committee in writing, we'll 
keep the record open for about 2 weeks for that submission.
    I want to thank each of you. I did have one final question 
in a broad sense, because we certainly as fellow Americans are 
watching the devastation of the Gulf in recent weeks now with 
Katrina and now Rita. We also appreciate in trying to help 
those citizens and businesses recover the tremendous demands on 
the Federal, State and local private sector. You read on how 
that's going to impact your department and ability to continue 
all the other efforts that are underway in Homeland Security, 
at Treasury and to have your arms around the needs of the Gulf 
Coast, is there anything you want to make sure we're aware of 
that's going to be challenging for your departments?
    Mr. Parsons. I would just make a general comment, Mr. 
Chairman, which is--it has been a very taxing month, and we 
have worked very hard to make sure that the people who have 
been affected by these storms have financial services that they 
need to conduct their lives, and I have to tell you I have seen 
some extraordinary work done at all levels; at the State level, 
at the local level, at the Federal level, and especially the 
citizens and business owners who are down there.
    What I would just tell you is that it has opened a new set 
of thinking for us in terms of lessons learned, in terms of 
things that we think we need to be doing as a next step in 
preparing the financial sector, so we anticipate a real effort 
to get some good lessons learned out of this, but not just to 
have lessons learned, but to actually act on them and make 
sure. It's our philosophy that we need to make sure we 
understand what is happening and be better prepared for the 
next one.
    Mr. Caverly. I think two things. The Secretary's 
reorganization saw the need to insure that we had a better 
balance between the preparedness activities and the prevention 
activities and I think this highlights that and his 
reorganization does it.
    Second, I think it highlighted the changed nature of the 
expectation of the private sector and the government in 
restoring, particularly for those assets that have significant 
natural impacts such as the pipelines, refineries, etc. and it 
increases our need for information sharing, for something 
simple as working to make sure the aerial photography that we 
take very quickly after it gets to the owners and operators who 
don't have access to the sites they can begin their response. 
We can share things that historically we did not connect the 
two together so I think it will have that kind of practical 
    Mr. Platts. Thank you, again to each of you. We appreciate 
your written testimonies, your testimonies here today and each 
of your respective organization's work of you and your 
colleagues on behalf of our fellow citizens. Thank you.
    We'll take again a brief 2 minute recess where we'll get 
our third and final panel set up and reconvene shortly.
    Mr. Platts. This hearing stands back in session. We're 
delighted to have on our third panel some members from the 
private sector to share their insights. We have Katherine 
Allen, chief executive officer of BITS Financial Services 
Roundtable; Mr. Donald Donahue, chairman, Financial Services 
Sector Coordinating Council for Critical Infrastructure 
Protection and Homeland Security; Mr. Samuel Gaer, chief 
information officer, New York Mercantile Exchange, chief 
executive officer NYMEX Europe Limited; and Mr. Steve Randich, 
executive vice president of operations and technology and chief 
information officer of NASDAQ Stock Market.
    We appreciate each of you being here and we'll ask if you 
could stand and be sworn in and we'll take your testimony.
    [Witnesses sworn.]
    Mr. Platts. Thank you. The clerk will note that all 
witnesses affirmed the oath in the affirmative. We would again 
appreciate your written testimony. I call it my homework. When 
we were in school on a regular basis, and we had that homework. 
They're not the only ones to get it and the written testimony 
gave Congressman Towns and myself some great insights in 
preparation for this hearing. Again, we look forward to your 
oral testimony.
    If you could try to keep it to 5 minutes each, which will 
enable us to get into a Q and A with you. Mr. Towns has a time 
crunch, having to leave shortly before 1. Ms. Allen, if you 
would like to begin.



    Ms. Allen. Thank you, Chairman Platts and Mr. Towns for the 
opportunity to testify today. A full version of my testimony 
has been submitted for the record and is here today.
    I'm Catherine Allen, CEO of BITS. BITS is a nonprofit 
industry consortium of the 100 largest financial institutions 
in the United States. We're a non-lobbying group, sort of a 
think tank for technology and operations for the CEOs of these 
100 largest organizations. We serve the industry needs at the 
interface between commerce, technology and financial services. 
We're probably most well known for the best practices and 
guidelines that we create on behalf of the members for the 
industry and we share that much more broadly through the FSSCC, 
through other groups, to the smallest institutions to make sure 
that they are aware of the issues and address some of those 
    BITS and Roundtable member companies direct about $40.7 
trillion in managed assets, $960 billion in revenue and 2.3 
million jobs. Our activities are driven by the CEOs and the 
CIOs or the heads of security of these organizations. The risk 
managers and leaders who care for the financial services sector 
critical infrastructure.
    We also work closely with government agencies such as the 
Department of Homeland Security, Treasury, the Federal Reserve, 
the FBI and many financial regulators, technology and trade 
associations and vendors in achieving what we try to do. The 
financial services industry has always taken significant steps 
to prepare for and respond to major events. In fact, the 
financial sector is often viewed as the poster child for what 
needs to happen in the critical infrastructure arena, primarily 
because of our focus on operational, fiduciary, financial and 
reputational risk.
    Events in the past few years from September 11th to Katrina 
have escalated our efforts. While I believe our industry 
overall is better prepared than ever, there are significant 
risks that can only be addressed by working in partnership with 
others and that partnership is what I'll talk about mostly in 
my testimony.
    Financial institutions weathered Hurricane Katrina well and 
now Hurricane Rita and responded to customer needs quickly. 
They also responded well during the August 2003 power outage 
and the terrorist attacks on September 11th.
    Our sector is a favorite in terms of a target by cyber 
criminals as well as terrorists. Over the past 4 years the 
financial services sector has taken major strides to respond to 
the risks we face today and prepare to address future threats 
and vulnerabilities.
    Financial institutions have business continuity plans which 
they constantly update, refine and test. This is a regulatory 
requirement and part of the risk management process that all 
financial institutions have embraced. As financial institutions 
identify risks, they work to mitigate them and BITS has made 
coordinating financial services industry crisis management 
efforts a top priority. Some examples of what we've done: There 
have been numerous conferences and meetings to bring together 
leaders and experts. We developed a crisis communicator for our 
CEOs and crisis management coordination and security executives 
to get them on the phone as quickly as possible. We've helped 
create and drive membership in the FS-ISAC, the Information 
Sharing and Analysis Center; we conducted worst case scenario 
exercises, we've engaged in partnerships with the 
telecommunications sector and key software providers such as 
Microsoft to address our industry's business requirements. 
We've compiled lessons learned from September 11th and from the 
August 2003 blackout and Hurricane Katrina and have shared 
those with the industry.
    Most well known are our development of best practices and 
voluntary guidelines in everything from how you manage 
outsourcers to the alert levels at the Department of Homeland 
Security to the cross industry telecom business requirements. 
We're currently working on best practices with the energy 
industry, energy and power industries. We created a model for 
regional coalitions, ChicagoFIRST, and we developed liaisons 
and pilots with the telecommunications industry to develop the 
appropriate levels of diversity and redundancy. There is no 
true diversity and redundancy in the telecommunications system 
today and that was one of the things that is critical and on 
the top of our list.
    Most recently in response to Hurricane Katrina and now 
Hurricane Rita, BITS stepped in to help in coordinating and 
disseminating critical information and, again, in my longer 
testimony, there are examples of that.
    As you know, the financial institutions are heavily 
regulated and actively supervised by State and Federal 
agencies. Both have stepped up their oversight of business 
continuity, information security, third party service providers 
and critical infrastructure protection. And also the financial 
exchanges have added requirements in this area.
    Regardless of how well financial institutions respond to 
regulations, we simply cannot address these problems alone. Our 
partners in other critical industry sectors, in particular 
telecommunications, energy and software, must all do their fair 
share. In fact, we call it conducting a ``higher duty of care'' 
because they respond to the critical infrastructures.
    During the past 4 years, the FSSCC, the Financial Services 
Sector Coordinating Council for Critical Information 
Protection, has been created. BITS helped to establish that and 
continues to play a major role in its efforts. You'll hear more 
about that from Don Donahue in a few minutes. We work closely 
with the FSSCC under the Department of U.S. Treasury and with 
other departments at other government agencies.
    There are specific examples of cooperative efforts that 
BITS funded and put together and share with the industry. First 
of all, with the Securities Industry Association, we put 
together best practices and what you do at different levels of 
security from the Department of Homeland Security's alert 
levels, what you do at the various orange, red and yellow 
levels, we shared those throughout the critical infrastructure 
    Second, working with the U.S. Treasury, we funded or 
underwrote the costs for developing ChicagoFIRST so we would 
have a regional model and then could share that model with 
other member companies in other regions of the Nation. 
ChicagoFIRST was created to foster preparedness and 
recoverability of financial services in specific regions and 
again serves as the model for other regions.
    As part of BITS' work to strengthen our critical 
infrastructure, we also focused on the need for more diverse 
and resilient telecommunications services. BITS engaged with 
the telecommunications companies, and worked very closely with 
the National Communications System, an excellent group, which 
is now under the Department of Homeland Security and worked 
with them to develop the BITS Guide to Business Critical 
Telecommunications Services. It's a resource for outlining what 
financial institutions need to ask of their telecommunications 
partners and in my role sitting on the NRIC, which is a group 
of telecommunications CEOs that respond to the--that advise the 
Federal Communications Commission, we also provided that 
information into those work groups so we could exchange the 
dialog with the telecommunications industry about best 
    In dealing with Katrina's aftermath, you can see how 
important telecommunications resiliency and redundancy is.
    Attached to my testimony is a comprehensive overview of the 
contributions that BITS has made in the last 2 years and, 
again, shared with the entire industry. They tend to focus 
around a few key elements: One, improving communications during 
crisis; two, enhancing the resiliency of the telecommunications 
infrastructure; third, enhancing the reliability of the 
electric grid, because telecom and financial services are all 
dependent on that; improving the security of software, hardware 
and the Internet; addressing forms of online fraud and identity 
theft and improving oversight of third party providers.
    There are numerous lessons we can learn from September 11th 
and August 2003 and that is to be prepared and share 
information and view preparation from a strategic and holistic 
    Last, some of the key things I think that the Federal 
Government can do is focus on this need for diversity and 
resiliency in the telecommunications infrastructure. There may 
be incentives such as using the telecommunications excise tax 
that could be used to incent telecommunication infrastructure 
changes, certainly to make available more satellite and 
alternative channels of communication; R&D dollars allocated to 
telecommunications resiliency is critically important, and 
again I commend the National Communications System under the 
Department of Homeland Security and make sure that maintains 
its critical role.
    Second is the power grid must be considered among the vital 
critical infrastructures to make sure it works across the 
Nation. Here incentive dollars are needed and, as I said, BITS 
is working on best practices for this industry. The alternative 
power generation area is critically important for not just 
financial services, but all critical infrastructures.
    Third, recognize the interdependence of all critical 
infrastructures. You cannot make requirements of the financial 
sector without realizing how dependent we are on telecom and 
power, and in some ways on the transportation industry. BITS 
has worked very closely with the chemical, the telecom, the 
power, energy and other critical industries to share what we're 
doing and to share best practices with them, but again, making 
sure that what's of vital importance is how this 
interdependency is addressed from the Government level.
    Last, and I would say probably most importantly, all of us 
at BITS worry about a combined physical and cyber attack. We 
have not had that, but I will tell you that all of the Nation's 
data systems; the first responder systems, the hospital 
systems, the police systems, the financial systems, rely on 
pretty much one operating system. The need for us to make sure 
that our operating systems and software, our hardware and our 
networks are secure and that there are alternatives if they are 
not available is critically important and that's what we mean 
by the ``higher duty of care'' for providers of those services.
    I've attached to my testimony a document we call 
``PREPARE,'' which are seven things that we believe the 
government can do with regard to cyber security issues and 
again they include everything from promoting the issues and 
educating the consumers and the industry to providing R&D 
dollars to strengthening law enforcement who address cyber 
security issues. One other issue and that's in response, 
Congressman Towns, to your question about TRIA. We think it's 
critically important. It's a tool that provides liquidity in 
the property and casualty insurance markets. Thus far, it has 
not cost taxpayers any money, but has resulted in the placement 
of a significant amount of terrorism coverage. We encourage you 
to reauthorize TRIA and continue with that, because it's a 
piece of this holistic look at terrorism.
    Finally, Hurricane Katrina has made poignantly clear we 
need to improve coordination procedures across all 
infrastructures and with Federal, State and local government 
when events occur.
    On behalf of both BITS and the Financial Services 
Roundtable, thank you for this opportunity to testify.
    [The prepared statement of Ms. Allen follows:]

    [GRAPHIC] [TIFF OMITTED] T6505.026
    [GRAPHIC] [TIFF OMITTED] T6505.027
    [GRAPHIC] [TIFF OMITTED] T6505.028
    [GRAPHIC] [TIFF OMITTED] T6505.029
    [GRAPHIC] [TIFF OMITTED] T6505.030
    [GRAPHIC] [TIFF OMITTED] T6505.031
    [GRAPHIC] [TIFF OMITTED] T6505.032
    [GRAPHIC] [TIFF OMITTED] T6505.033
    [GRAPHIC] [TIFF OMITTED] T6505.034
    [GRAPHIC] [TIFF OMITTED] T6505.035
    [GRAPHIC] [TIFF OMITTED] T6505.036
    [GRAPHIC] [TIFF OMITTED] T6505.037
    [GRAPHIC] [TIFF OMITTED] T6505.038
    [GRAPHIC] [TIFF OMITTED] T6505.039
    [GRAPHIC] [TIFF OMITTED] T6505.040
    [GRAPHIC] [TIFF OMITTED] T6505.041
    [GRAPHIC] [TIFF OMITTED] T6505.042
    [GRAPHIC] [TIFF OMITTED] T6505.043
    [GRAPHIC] [TIFF OMITTED] T6505.044
    [GRAPHIC] [TIFF OMITTED] T6505.045
    [GRAPHIC] [TIFF OMITTED] T6505.046
    [GRAPHIC] [TIFF OMITTED] T6505.047
    [GRAPHIC] [TIFF OMITTED] T6505.048
    Mr. Platts. Thank you, Ms. Allen. Mr. Donahue.


    Mr. Donahue. Chairman Platts, Ranking Member Towns, thank 
you for inviting me today. As you know, I currently serve as 
chairman of the Financial Services Secretary for Coordinating 
Council for Critical Infrastructure Protection and Homeland 
Security. Which you've already heard referred to as the FSSCC, 
an industry group dedicated to infrastructure protection 
efforts. I'm also chief information officer of the Depository 
Trust and Clearing Corp., one of the key industry 
infrastructures. Through its subsidiaries, DTTC processes most 
U.S. trades and a broad range of financial assets, for example, 
last year clearing and settling 1.1 quadrillion worth of 
financial transactions.
    FBIIC was established by the sector in 2002. It currently 
has 33 members consisting of many of the key industry 
infrastructure organizations and trading markets and a broad 
array of industry trade associations representing an estimated 
8,000 financial institutions. The FBIIC's mission statement 
states that it seeks to foster and facilitate the coordination 
of financial services sector-wide voluntary activities and 
initiatives designed to improve critical infrastructure 
protection and Homeland Security. As I will discuss later, 
FSSCC has very real achievements in realizing this mission.
    The foundation for FBIIC's achievements is a very effective 
partnership with our key Federal counterparts, most 
particularly our strong relationship with the Department of the 
Treasury. Our sector-specific agency under HSPD7, has been the 
essential foundation for many of the sector's accomplishments 
in promoting infrastructure protection. The leadership of the 
Treasury's Office of Critical Infrastructure Protection has 
been invaluable in these achievements. The sector also is 
forming an effective relationship with the Department of 
Homeland Security and will continue to work with DHS in 
coordination with the Treasury to support its infrastructure 
initiatives. We also have effectively worked with the financial 
regulatory bodies to help them formulate and implement 
appropriate regulatory standards in this area.
    Earlier this year FSSCC published its report, ``Protecting 
the U.S. Critical Financial Infrastructure: 2004 In Review,'' a 
copy of which was made available to your staff. Let me mention 
a few examples of the sector's accomplishments identified in 
that report.
    Prominent among them is promoting broad participation, 
broader participation in the Financial Services Information 
Sharing and Analysis Center, the sector's mechanism for sharing 
critical information about physical and cyber security threats 
and vulnerability. The FS ISAC reports it now has 1,749 
participants plus an expanded reach through the sector's trade 
associations representing nearly 10,000 firms.
    Sector members have implemented several capabilities 
promoting more effective disaster recovery coordination in 
regions critical to financial services. You've already heard 
much about the example of ChicagoFIRST. Other regions have 
implemented similar coalitions and FBIIC and its members are 
working with Treasury to promote this model in other areas 
across the country.
    Third, coordinating the creation of a unified structure of 
emergency calls so that calls can be timed in a way to reduce 
conflicts and feed information into decisionmaking processes in 
an effective way. One of the key learnings that came out of the 
August 2003 blackout experience. These are a few examples of 
the accomplishments that the report highlights. FBIIC's own 
initiatives build on the very strong record of the sector 
generally in responding to these new infrastructure protection 
    My own company, DTCC, for example, has put in place a far 
more resilient infrastructure supporting the financial markets, 
even though we continued to operate without interruption during 
the week of September 11th, completing more than $1.8 trillion 
worth of financial transactions that week. The industry's other 
core clearing and settlement organizations and the trading 
markets have implemented a variety of steps since September 
11th to reinforce the resilience of their operations. In 
addition, key trading markets have thought through reciprocal 
arrangements to trade in other markets' financial instruments 
in an extreme emergency. Sector trade associations, the 
Financial Services Roundtable, BITS, the Futures Industry 
Association, the Securities Industry Association and many 
others have organized their members' efforts to improve 
resilience practices and to test those improved practices. Much 
detail regarding these initiatives is set forth in the 2004 
annual report. Thanks to these efforts, the sector is to the 
point where I am very confident of our ability to operate with 
minimal disruption even under very severe circumstances.
    As successful as these programs have been, we also need to 
rehearse these practices to insure that they will work when 
needed. The sector's commitment to doing this as well has been 
exemplary. A notable example is the test plan for October 15th, 
in approximately 3 weeks, sponsored by the Futures Industry 
Association, the Securities Industry Association and the bond 
market Association. In this test more than 200 participants in 
the futures and securities industries will operate from their 
backup centers and test interaction with key markets and market 
infrastructures. FSSCC also is sponsoring a comparable test or 
considering sponsoring a comparable test on the payment systems 
side in 2006 and we expect to be making a decision about that 
reasonably soon.
    The financial services industry has responded strongly to 
the new challenge of business continuity in the post September 
11th world. We have done this because of our very clear 
understanding that we are responsible for the financial assets 
of 270 million Americans and for their ability to continue to 
conduct their financial affairs. The people of our industry 
take this responsibility very seriously. This committee and the 
Congress can rest assured that the financial services sector is 
and will continue to be resilient and strongly prepared for 
future emergency situations.
    Thank you very much.
    [The prepared statement of Mr. Donahue follows:]

    [GRAPHIC] [TIFF OMITTED] T6505.049
    [GRAPHIC] [TIFF OMITTED] T6505.050
    [GRAPHIC] [TIFF OMITTED] T6505.051
    [GRAPHIC] [TIFF OMITTED] T6505.052
    [GRAPHIC] [TIFF OMITTED] T6505.053
    [GRAPHIC] [TIFF OMITTED] T6505.054
    [GRAPHIC] [TIFF OMITTED] T6505.055
    [GRAPHIC] [TIFF OMITTED] T6505.056
    [GRAPHIC] [TIFF OMITTED] T6505.057
    [GRAPHIC] [TIFF OMITTED] T6505.058
    [GRAPHIC] [TIFF OMITTED] T6505.059
    Mr. Platts. Thank you, Mr. Donahue. Mr. Gaer.

                    STATEMENT OF SAMUEL GAER

    Mr. Gaer. Good afternoon. Thank you, Chairman Platts, and 
Representative Towns for inviting me to participate in today's 
hearing. The subject matter of this hearing is of an ongoing 
concern and engaging these issues head-on is an important tool 
in a set of responsible business practices for both private 
industry and government alike. I sincerely welcome the 
opportunity to express what the New York Mercantile Exchange or 
NYMEX has accomplished to date. The exchange is the world's 
largest physical commodity futures exchange and has been an 
example of market integrity and price transparency throughout 
it's 133-year history. The Exchange also plays a vital role in 
the commercial, civic and cultural life in New York. It 
provides thousands of jobs in financial services and allied 
industries and through its charitable foundation supports 
cultural and service programs in the downtown community of New 
York, throughout the Tri-state area where our traders and staff 
live, in Washington, DC, and Houston.
    The business continuity planning process requires 
commitment from management and the ability to foresee various 
contingencies. Our leading role in the energy and metals 
markets demands we take steps to insure that our price 
discovery and formation mechanisms will continue to be 
available in the event of an emergency affecting our 
operations. NYMEX has a proven track record that demonstrates a 
dedication to insuring that we can provide our services even in 
the face of extreme adversity.
    We are not satisfied, however, to rest on successes of past 
performance. As such, we continually analyze and improve our 
business continuity plans. The Exchange's emergency 
preparedness may be broken down into several distinct but 
integrated categories. Business continuity planning, the more 
narrowly focused practice of recovery planning, the education 
of critical staff responsible for emergency preparedness and 
finally the Exchange's external efforts, including coordinated 
industry-wide testing and provide valuable feedback to 
government industry agencies.
    The Exchange's business is comprised of many different 
process groupings, each of which requires a particular 
expertise. These business units are each assigned a staff 
member who acts as a business continuity coordinator [BCC], 
whose responsibilities include assessing the critical processes 
and creating a workable recovery plan. The BCC is an individual 
with experience in the procedures of their specific business 
unit. Tactical decisions rest with the Emergency Operations 
Team, the OOT, which is comprised of BCC's and business 
continuity leaders. The BCL's role is to coordinate the 
Exchange's continuity and disaster recovery efforts, lead the 
EOT and report to the crisis management team. During an 
emergency, the high level strategic decisionmaking authority 
rests with the CMT, the Crisis Management Team, which is 
comprised of members of NYMEX board of directors, executive 
committee and critical senior executives. Their role is to 
assess the threat and if necessary provide an official 
declaration of disaster, communicate with members of the 
Exchange and coordinate with regulatory and industry agencies. 
The CMT is empowered by the board of directors to make critical 
decisions necessary in any emergency recovery effort.
    NYMEX's core business is commodity futures trading 
clearing. In order to insure the continuity of this business we 
have developed several alternative continuity plans. The 
Exchange headquarters, for instance, were designed to be as 
redundant as possible, including the availability of a backup 
generator fueled by, of all things, diesel fuel, which was 
critical during the September 11th terrorist attack and the 
blackout of August 2003.
    One of the first priorities for the Exchange after 
recovering from September 11th was to build a completely 
redundant replica trading facility. This facility, which was 
completed in January 2003 is located outside of the city and is 
a reasonable commute for our staff and traders. It contains 
fully operational trading ring, telephone work stations and 
space and administrative space. More importantly, it also has 
the ability to disseminate price data worldwide and is a 
completely redundant data center, housing all critical Exchange 
IT systems. All of our traders and key employees have been 
provided with directions to the site and many of our traders 
have participated in a mock trading simulation actually 
bringing them out to the site and going through an actual 
trading session where they exchange trades and we ran through 
the clearing cycle.
    In a situation where access to the trading facility in 
lower Manhattan or the backup site would not be immediately 
available, the Exchange also has two electronic trading 
systems, NYMEX Access and NYMEX ClearPort, both of which have 
24-hour trading capability. In fact, we were the first Exchange 
in New York to open following September 11th. Although it was 
preferred that the trading would resume by open outcry, a 
preferred venue of trading, it was apparent that the quickest 
way to reopen markets would be through NYMEX access, despite 
the destruction of the proprietary communication circuits in 
the collapsed Twin Towers. The Exchange was the first New York 
financial market to reopen when the new system went live on 
Friday, September 14th. The initial energy and metals trading 
session was just 2 hours long, but the pent up demand for 
trading services resulted in then-record electronic volume of 
nearly 70,000 contracts. This volume was nearly eight times the 
average daily volume of regular 16-hour electronic trading 
session at that time.
    In the event of an emergency, it is necessary to have a 
safe and secure place for teams to assemble and manage recovery 
efforts and coordinate services. The Exchange maintains 
emergency operations centers at both primary and backup sites. 
Should an emergency affect the primary site only, an additional 
temporary location has been made available through a local 
community relationship. Maintaining communication is the single 
most important aspect of any emergency recovery effort. All 
aspects of our emergency operations center are choreographed by 
multiple communication links between resources and Exchange 
responders. Continuity planners must envision and plan for 
emergencies that disable telecommunications, utilities, 
transportation, other infrastructure service vendors and 
    Disaster recovery planning also specifically refers to 
restoring the information technologies that run our business 
and provide services to staff and customers. Every critical 
Exchange system is duplicated and can provide services in the 
event the main facility or system is unavailable. Data moves 
across redundant fiberoptic links, linking our backup site to 
the primary site. In addition to wide area network or WAN 
created between the two hot sites the exchange maintains 
multiple hot links to Internet service providers. The Exchange 
information technology systems form the underpinnings of our 
ability to recover the services we provide to the marketplace 
in a timely fashion.
    As new systems are developed and deployed at NYMEX fault 
tolerant distributive-active active and advance replication 
technologies are used to help insure we provide these services 
in the most adverse environments.
    In September 2004, on behalf of NYMEX, I testified before 
the House Financial Services Committee hearing on the emergency 
preparedness of the financial services sector. We have since 
participated in the TopOff 3 exercise sponsored by the U.S. 
Department of Homeland Security, which was designed to test the 
readiness of first responders; Federal, State and local 
emergency managers along with key infrastructure components 
such as hospitals and transportation networks. The securities 
industry component of the TopOff 3 exercise involved the SEC, 
U.S. Treasury Department, exchanges and trade associations such 
as the Securities Industry Association, Bond Market Association 
and the Futures Industry Association. In addition, in October 
2004 NYMEX the MIA other leading futures exchanges and clearing 
firms successfully completed the first industry-wide disaster 
recovery test. The test scope has expanded in 2005 to include 
market data vendors. This industry-wide disaster recovery test 
has become an annual event and is scheduled for October 15th.
    The Exchange is among the leaders in an industry-wide 
initiative to standardized the protocols governing the way 
companies send and receive data. This will help many companies 
develop systems based on standardized specifications, making it 
easier to deploy and maintain data communications internally 
and externally under challenging circumstances.
    Another area we have taken advantage of is sharing 
alliances. The Financial Services Information Sharing Analysis 
Center, FS-ISAC, is a source of critical information ranging 
from information security alerts to Homeland Security threat 
analysis. The New York City Office of Emergency Management is 
another source of information for New York-based companies. 
This information is critical for the constant monitoring of 
potential disruptive events.
    NYMEX has a global presence. The Exchange's energy and 
metals futures markets provide benchmark pricing information 
that is used worldwide. NYMEX recently opened up an exchange in 
London and signed a joint venture agreement with the Dubai 
Development Investment Authority [DBIA]. The exchange must be 
cognizant of world events. NYMEX views continuity planning as 
an ongoing project that is necessary to meet critical business 
needs and it incorporated this planning into its day-to-day 
operations. Every project system or business process deployed 
incorporates some form of continuity planning. Risk and impact 
analysis, training, disaster recovering, testing and regular 
meetings with critical staff create a sense of awareness 
throughout the company. Business continuity planning has become 
part of NYMEX business fabric.
    We strive to learn from past experience. The September 11th 
terrorist attack, the 2003 blackout, our mock disaster testing 
and planning for the 2004 Republican National Convention, as 
well as the recent bombings in London which I was personally 
about two blocks away from, have helped us prepare for the 
future. This year as we were finalizing preparations for the 
launch of the London trading facility and during the July 7th 
and July 21st bombings, we activated our emergency teams as a 
response to that event. We are currently following important 
developments in the Gulf Coast region as our Nation struggles 
with the catastrophic damage caused by Hurricanes Katrina and 
Rita. As you know, there are critical delivery points for both 
gasoline and natural gas in that area.
    Government agencies are of critical importance of preparing 
for and providing critical support during an emergency. The 
relationship the Exchange has developed with government leaders 
has enabled us to overcome many difficult recovery challenges. 
In the immediate aftermath of September 11th, we received 
significant assistance from the Federal, State and city 
    The Exchange appreciates being invited to participate in 
these important discussions. Further efforts to improve 
communication between government and industry will only 
strengthen the ability of the Nation and financial markets to 
respond to the changes that lay at head. Large scale 
emergencies similar to those that have occurred in the past are 
inevitable. Continuity planning is not an individual task, but 
must be faced by all involved participants in the services 
    I would like to thank the chairman and Ranking Member Towns 
for holding this hearing and inviting NYMEX to discuss this 
extremely important topic. Thank you.
    [The prepared statement of Mr. Gaer follows:]

    [GRAPHIC] [TIFF OMITTED] T6505.060
    [GRAPHIC] [TIFF OMITTED] T6505.061
    [GRAPHIC] [TIFF OMITTED] T6505.062
    [GRAPHIC] [TIFF OMITTED] T6505.063
    [GRAPHIC] [TIFF OMITTED] T6505.064
    [GRAPHIC] [TIFF OMITTED] T6505.065
    [GRAPHIC] [TIFF OMITTED] T6505.066
    [GRAPHIC] [TIFF OMITTED] T6505.067
    [GRAPHIC] [TIFF OMITTED] T6505.068
    Mr. Platts. Thank you, Mr. Gaer.
    Mr. Randich.


    Mr. Randich. Thank you for allowing me to testify today. 
I'm Steve Randich. I oversee operations and technology at the 
NASDAQ stock market, which is the largest equities market in 
the world. It's always been a priority at NASDAQ to maintain a 
hardened resilient operation that can withstand catastrophic 
events. A few principles I want to communicate today is that 
NASDAQ for a very long time has viewed business continuity and 
disaster recovery as a top priority. We've had a backup data 
center in a remote geographic location for 20 years.
    Second, exchanges in the United States are evolving toward 
an electronic trading model and this will naturally enhance the 
capital markets' ability to withstand catastrophic events. 
Last, business continuity planning is a collective effort. A 
stock market alone does not represent our capital markets. 
Instead, it is only as good as its weakest link.
    Our operating model provides a natural business continuity 
advantage. Historically, an exchange operated at a central 
physical location where buyers and sellers would meet face-to-
face to trade. A single central location without a practical 
and tested capability of backup puts our Nation's capital 
markets at risk. Trading at NASDAQ is executed through our 
sophisticated computer and telecommunications network. Unlike 
physical floor-based exchanges which employ a specialist to 
direct buying and selling of a stock, NASDAQ's open 
architecture structure utilizes hundreds of geographically 
diverse and competing market makers who simultaneously provide 
trading liquidity for stocks listed on the market. This insures 
not only healthy competition for investors, but, more 
importantly, prevents a single point of failure given the 
geographic diversity of these market makers.
    NASDAQ was prepared for and fully resilient operationally 
to September 11th and the blackout of August 2003. Geography is 
critical to our operation resiliency. We have two data centers 
that are more than 300 miles apart. They are located in 
different geologic and climactic zones and are in different 
regional power grids outside of metropolitan areas. We store 
enough fuel onsite to allow us to run our data center for a 
full week during an extended power outage without a refill. We 
also maintain 185 tons of batteries for additional backup. We 
test each of our generators weekly and perform a utility 
failure test across the entire infrastructure every quarter.
    In addition to geographic diversity, we also use locally 
situated systems and networks to achieve resiliency. Several 
network providers are utilized, each with network diversity 
conductivity into our two data centers. Market participants are 
insured maximum protection by employing diverse access to both 
our primary and backup data center at all times. At no time 
during the week of September 11th were NASDAQ systems 
inoperative. When the attacks occurred, trading was suspended, 
but NASDAQ's systems and network continued to operate. We 
focused on insuring connectivity to our market participants who 
provide liquidity to our marketplace. Although actual stock 
trading was suspended, our systems operated continuously 
throughout the week.
    Notwithstanding the success after September 11th NASDAQ 
implemented improvements to our backup system. We added more 
frequent testing to our backup site and began regularly testing 
full market-wide disaster recovery tests that are open to all 
market participants. In collaboration with State and Federal 
authorities, we evaluated and increased our physical security.
    Although large portions of the northeastern United States 
were out of business during the blackout of August 2003, NASDAQ 
maintained full operations throughout that 2-day period. Our 
alternative power systems automatically provided immediate 
continuity so that there was no impact. However, the blackout 
revealed some areas of weakness in the financial sector that 
required vigilant attention. There's a need for more backup 
facilities outside of high risk metro areas like New York. 
Although most large market participants and telecommunications 
providers had backup systems and procedures in place, they 
didn't all work as expected. There were several examples of 
backup generators that failed within 12 hours of the blackout, 
largely because of either poor fuel quality or machine 
    Looking forward, and since September 11th, NASDAQ has 
worked closely in participation with the Federal Government and 
private sector to strengthen the resiliency of our 
infrastructure. We now have a contingency plan that provides 
NASDAQ the ability to trade all New York Stock Exchange stocks 
if its trading floor becomes inoperative for an extended period 
of time. Nearly 18 percent of the daily NYSE volume already 
trades electronically on the NASDAQ network, so this 
contingency trading plan is in effect tested daily.
    In conclusion, NASDAQ is continually anticipating, 
evaluating, preparing for what may occur 1 day. Our 
preparedness will never be 100 percent perfect as we're limited 
by our human imagination of what might occur. Our increasingly 
decentralized, geographically diverse operating model continues 
to provide us with a high degree of confidence that we will be 
prepared for the next event. As I said earlier, the industry is 
rapidly moving toward electronically trading, which is very 
good news for resiliency. With electronic trading, an exchange 
no longer needs to be tied to a single location. Effective 
backup and redundancy is the key to security against any form 
of accident or attack and essential for our financial national 
security. For financial markets we believe this is the core 
lesson of September 11th and the blackout. For the committee 
and all concerned branches of government, we believe it is a 
crucial lesson as well.
    Thank you for the opportunity to testify today.
    [The prepared statement of Mr. Randich follows:]

    [GRAPHIC] [TIFF OMITTED] T6505.069
    [GRAPHIC] [TIFF OMITTED] T6505.070
    [GRAPHIC] [TIFF OMITTED] T6505.071
    [GRAPHIC] [TIFF OMITTED] T6505.072
    [GRAPHIC] [TIFF OMITTED] T6505.073
    [GRAPHIC] [TIFF OMITTED] T6505.074
    [GRAPHIC] [TIFF OMITTED] T6505.075
    [GRAPHIC] [TIFF OMITTED] T6505.076
    [GRAPHIC] [TIFF OMITTED] T6505.077
    [GRAPHIC] [TIFF OMITTED] T6505.078
    [GRAPHIC] [TIFF OMITTED] T6505.079
    [GRAPHIC] [TIFF OMITTED] T6505.080
    Mr. Platts. Thank you, Mr. Randich. Again, to all of you, 
appreciate your testimonies.
    Maybe a broad question to each of you, just in dealing with 
the Federal Government in your respective organizations and 
members; infrastructure, critical infrastructure protection, 
what do you see as the greatest hurdle in dealing with 
preparedness and is there any specific statutory changes you 
believe need to be made to allow better cooperation, 
interaction with the Federal Government? If anyone would like 
    Mr. Donahue. I'll start. Mr. Chairman, I certainly could 
not recommend any statutory changes, although some of my co-
panelists may have ideas. I think we, as you unquestionably 
heard this morning in the testimony, the financial sector is 
very, very proud of what they have accomplished in this space 
and I think rightfully so. There has been a lot of energy 
devoted to this.
    You asked earlier about the state of compliance with 
respect to the sound practices paper. All of our organizations 
have met their deliverables by this time. The significant firms 
in the paper are all well on track to meeting the deliverables 
by 2006. I think our interaction with Government in support of 
those objectives has been very positive. I think a question 
that looms on the horizon is, speaking personally, how much is 
too much and how much do you achieve agreement in the public 
and private sectors about the degree to which resource 
investments yet need to be made in financial services to 
achieve levels of resilience beyond where we're at at this 
point, and making sure that we all have a very reasonable sort 
of judgment. If we can arrive at a reasonable judgment on that 
question is going to be a key issue as we go forward.
    Mr. Platts. Cost benefit analysis----
    Mr. Donahue. Very, very much so. Again, you heard from all 
the remarks people were making, that there have been a 
significant investments by a number of the industry 
infrastructure members and a number of individual firms, and 
making sure any additional adjustments we're asked to make by 
the benefits we're going to derive from them is a critical 
issue going forward.
    Mr. Platts. Ms. Allen.
    Ms. Allen. I would say the two areas I would like to see 
the government spend much more time focusing on is the 
interdependency area to understand how dependent we are on 
these other critical sectors, and how much our regulators can 
require us to do something. We cannot do it if the telecom, 
power industry and IT industries are not there, and we must 
place the focus on cyber security.
    Second, I don't know if there are statutory changes needed, 
but an example would be antitrust exemption. BITS has a product 
certification program. It's a voluntary testing program by 
vendors, software vendors, to meet minimum security 
requirements. They overwhelmingly tell us, ``We really aren't 
going to do it unless we're mandated to do it.'' BITS cannot 
mandate because of antitrust concerns. So, look at how do we as 
an industry or even critical infrastructure industries set 
standards for cyber security.
    Another thing is, again, incentives for the 
telecommunications infrastructure to have alternative 
telecommunications systems, but also to provide this diversity 
of redundancy that we need.
    Then last, I think the concept of funding regionals was 
brought up. If there were some kind of seed money that would 
help, we would--let's put it this way, it would happen much 
faster, if there were some seed money for the critical areas. 
We could all sit here and name who were the 10 to 15 critical 
geographic areas and there were some seed money. There's a 
model, there's some support, but it does take money, it takes 
some coordination to implement.
    Mr. Gaer. I would actually echo some of the statements made 
regarding to--our experience regarding government involvement 
with disaster recovery business continuity has been a very 
positive one, in the fact that we're regulated by CFTC is our 
primary regulator. I took this job beginning in March 2003 and 
we were planning for a lot of these industry-wide events that 
were going to occur because the exchanges all got together, at 
least in the futures industry the exchanges all got together 
and said what do we have to do to make this work a little bit 
better. It was very refreshing to see representatives from the 
CFTC attend these meetings and say, listen, we're going to let 
industry drive this process, we're going to let industry drive 
the process, we're going to stand back and watch and see how 
you're doing it. We don't want to have to step in, so please 
manage this correctly.
    From all accounts, from everything you've heard today, I 
think the financial services industry as a whole has been 
managing it very well. Interaction with government has been on 
a very open basis, our access to things like GETS cards for 
critical personnel to use, Government Employee 
Telecommunication Service, I think it's called? Government 
Emergency Telecommunication Services. NYNEX's interaction with 
the OEM for events such as Hurricane Isabelle of last year, 
where we're invited to come and join in government and to work 
together in partnership with government, but it's very clear 
from our experience, our industry-wide test, the blackout of 
2003 that industry is going to drive the acceptance and 
industry is going to drive basically the ultimate result of any 
disaster recovery model.
    Mr. Randich. Briefly, having worked in a number of 
industries, I find it amazing how this particular industry is 
so self reliant and motivated in this regard, which is a good 
thing. So in that area, I really don't see any need for any 
specific legislation, only facilitation of policymaking that 
encourages technological innovation and solution in the area of 
business continuity and disaster recovery.
    Mr. Platts. Thank you, and I think this industry has gotten 
the American way of what do we need to do and how do we need to 
do it and let's get it done. I think that's been reflected in 
all our accounts today, the aggressive nature.
    That being said, I think one of the challenges for the 
industry, I think everybody has touched on it in some way 
today, is the interdependence of your industry with these other 
critical infrastructures; telecommunications, power, 
transportation, you name it. What would be your read on your 
interactions with these other sectors, if you want to pick 
power specifically, communication, and how they're responding 
and I think it was, Mr. Randich, in your testimony, about how 
they have onsite generators for a week's worth of power, fuel, 
if we had here in your facility like in New Orleans, where not 
only it's going to be well over a week before power will be 
restored, it's going to be months to some of those areas, and 
even inability to get transportation in because of the amount 
of damage that was done, how is the energy industry responding 
to having an ability to be redundant in their provision of 
services as best possible to your needs, again, not just 
energy, any of the infrastructure industry that we depend on.
    Mr. Randich. In all cases, the answer is never going to be 
perfectly. However, we all have choices that we make in the 
marketplace. We decided where we want to put our data centers. 
We decide who we're going to buy fuel from. We decide who is 
going to be our network provider and our power provider and we 
make those choices, so there's some vendor diversity, as well 
as we pick partners that have proven to be reliable over time. 
So I very much believe that the free enterprise economics and 
decisionmaking over time converge on the best solution for the 
markets that eventually prevail.
    Mr. Platts. As much as possible, again, market-driven 
    Mr. Randich. Market-driven solutions.
    Mr. Platts. Ms. Allen.
    Ms. Allen. I would add that the telecommunications industry 
has been very helpful. Much of that from the work of Duane 
Ackerman, who chairs the NSTAC, the President's Advisory 
Council. In the private sector, CEOs and CIOs from the 
telecommunication sector work closely with us on that. It has 
come less from the government other than the NCC.
    The telecommunications, the best practices we're working on 
there, includes how many days of backup fuel you need to have, 
what are the transportation sources for that. That is, again, a 
private sector-led effort. It's not to say that the Department 
of Energy and others aren't doing things in this critical 
infrastructure area, but it tends to be more focused just on 
the industry, less on the interdependency issues.
    Mr. Platts. OK. How about in the sharing of information 
through the ISAC process and how that's working and 
specifically with financial sector, you're read on where we are 
and where we could go to insure that's effective in its intent?
    Mr. Donahue. I think the sharing of information for the 
ISAC has been very successful to the extent it's reached. We're 
building the interstate highway at this point, and we are 
building a communications infrastructure that can get 
information out to members of the sector. We, obviously, have 
some distance to go in terms of adding end points to that 
network, but I believe that has been very successful and I 
think the ISAC membership is finding it very useful to get the 
alerts and the information that comes to them through that 
    I think Jim Caverly in the earlier panel put his finger on 
where this needs to evolve, which is the development of more 
formal procedures for information coming from the private 
sector to DHS, to Treasury in its role as sector specific 
agency about where we believe vulnerabilities continue to 
    Involving the private sector picture, conversely, of 
opening channels information from government in terms of threat 
information, in terms of more sensitive information of where 
clearance is possibly going to have to be obtained in order to 
be able to do that. That's the area that needs work and 
    Mr. Platts. That was actually one of my specific questions, 
because in your testimony you talk about the importance of 
communications and information, but what's your read on that 
access to sensitive information, whether security clearance is 
being required? Sounds like we have a ways to go in allowing 
that to be a more seamless automatic process.
    Mr. Donahue. I don't think anyone is comfortable with the 
state that has reached. DHS and Treasury both working together 
did sponsor members of the FSSCC for clearances at the secret 
level, which has been very helpful. I think there have been 
instances where information could be discussed on conference 
calls where we knew everyone on the call had a particular 
clearance and therefore they were somewhat more free to discuss 
matters, but it's clear that we don't understand who all needs 
to have access to the information, how do you sanitize 
information so that you can be conveying it to people who 
aren't necessarily cleared. I mean, all of those issues still 
have to be explored.
    DHS approached the FSSCC in I would say late spring and 
asked for our agreement to work with them on the development of 
an information sharing pilot that would sort of go to the next 
generation of an information sharing methodology between the 
government and the private sector. We have agreed with them to 
go forward with that and I think Katrina and Rita have 
intervened to sort of put that on the back burner for the 
moment, but I'm sure that will be something they return to in 
the fall.
    Mr. Platts. The interaction I guess between the private 
sector and the government, what is specifically in New York, if 
there is a major incident, what's the process of structures in 
place for yourself, your organization or members as far as 
being in touch with the New York City emergency response 
office, the NYPD? Is that a very formalized structure that you 
have a contact, people that you go to, and if one of the things 
that's down is communications, how do you make that contact, 
even if you have the right person to be in touch with?
    Mr. Gaer. For us, our proximity is probably one of our 
biggest assets in that situation. We have both formal and 
informal ways that we communicate with government here in the 
city as well as regional and national government. We're briefed 
on an ad hoc basis as far as threats and threat levels, 
especially ones that are germane to the financial services 
area. I think it was about a year or so ago when there were 
threats against Merrill Lynch and I think it was Prudential in 
Newark, where we were advised of these threats ahead of time 
and we were able to harden beforehand. We interact with local 
law enforcement, the Joint Terrorism Task Force, very well, as 
a matter of fact, sometimes to almost the shock of visitors who 
come to our facility in the rigorous amount of security that's 
around the building and how they have to get into the building, 
they're very, very shocked and then later impressed at how 
secure we keep the building.
    But the communication between ourselves and between 
government, again, it's formal and's informal on an as-needed 
basis. I have a list of contacts, our president, our chairman, 
the crisis management team can get in touch with people at 
their homes on their cell phones or what have you, so it's been 
a very post September 11th, it's been a very kind of open 
cooperative environment.
    Mr. Donahue. A number of the infrastructures in New York, 
you mentioned that you have a seat at the OEM, others do as 
well. In the event of an emergency in this city, we know that 
our people are supposed to go to OEM. Security Industries 
Association has a seat, my organization has a seat, the 
Exchange's technology arm has a seat. People know they're 
supposed to immediately go there so they can be part of that 
centralized communication.
    You mentioned GETS cards earlier, there has been a fairly 
wide distribution of GETS card within the financial 
infrastructure in the country, certainly in New York, so people 
have the ability to communicate if any telecommunications are 
available they get priority. The city has implemented a 
corporate emergency access system where we have cards that will 
give us access to no-go zones, for example, as I'm sure you 
know. Post September 11th, south of Canal Street people were 
not allowed to come for the first few days. This program would 
allow us to get people into our facilities and get things 
working, even though it might be in an area ruled not open to 
the public. So there are a number of steps the city has taken 
to improve communication and coordination that way.
    Mr. Randich. That privileged physical access is a huge 
improvement since September 11th.
    Mr. Platts. Is it fair to say with the physical access or 
the seat at the table with OEM, that this is since September 
11th, this is lessons learned and then since the blackout to 
keep kind of honing each incident and get a little better?
    Mr. Gaer. Yes.
    Mr. Donahue. Absolutely.
    Ms. Allen. Those are lessons that have gone to the original 
coalition, ChicagoFIRST and other models as well.
    Mr. Platts. Your work with the creation of ChicagoFIRST 
really was a lot of that was derived from New York, we were 
talking earlier----
    Ms. Allen. Right, the lessons learned from September 11th 
and we spent time with the OEM of New York because New York was 
actually ahead of all other regions and we used their model and 
shared back with them what we had developed on the regional 
    Mr. Platts. Thank you.
    Mr. Donahue, in your testimony you talked about 
participating in the TopOff 3 drill. I'm sorry, Mr. Gaer, 
sorry. And you referenced that and all the different 
participants. What I was curious, your read on how successful 
the exercise was from the standpoint of, again, lessons learned 
and what would work or not, and how you responded to the 
exercise in implementing the lessons learned.
    Mr. Gaer. I think you can only judge how successful an 
exercise is by its objectives and I think for these particular 
tests the objectives being that you had so many participants 
from diverse areas, you couldn't really go through every 
permutation of everything, so to speak, that's going to happen. 
We actually judged it from our point of view to be very 
encouraging, to have been very successful. Where we are right 
now is honing in on our industry-wide disaster recovery test, 
although it's not going to include the telecom sector per se or 
the power sector per se. We're really working in our industry 
to get it right in our industry first and our first test last 
year was a very kind of bland, basic test which was very 
successful and it actually exceeded people's expectations and 
there was a lot of discussion prior where you get everybody on 
board as to when you can do it and what are we going to do and 
what are we going to run through and it turned out that people 
were more prepared than we thought they were going to be.
    For the TopOff, the interaction between ourselves and the 
various other industries and agencies I thought went very well. 
Certainly in every exercise there are areas where you need 
improvement and again I would probably highlight, as other 
members of the panel have, the improvements between the telecom 
sector and financial services sector would probably be 
something we should concentrate on.
    Mr. Platts. A followup to that, Mr. Donahue, was the coming 
exercise October 15th that you reference in your testimony. 
Could you walk me through what's going to happen there and what 
involvement, because you reference sponsors and the various 
institutions that are going to participate, the involvement of 
any Federal agencies that will be participating or just kind of 
watching, taking in that exercise?
    Mr. Donahue. I think, first of all, what will happen on the 
15th is 200-plus firms are going to, there are essentially two 
tests occurring that day concurrently, the Futures Industry 
Association is doing its second iteration of its industry-wide 
test. The securities industry and Bond Market Association are 
coordinating a test for their members on the cash side, which 
is the first time that piece of the securities industry has 
conducted such a test and essentially, what will happen is that 
each of the participants in the test will go to their backup 
data center locations and their back up business process center 
locations and seek to establish connectivity with key industry 
infrastructures, DTTC being one, the New York Stock Exchange 
being another. Steve, I don't know if NASDAQ is participating, 
but NASDAQ would be another infrastructure that they are, I'm 
assuming you are, and that would be another infrastructure that 
they connect to. Establish connectivity and run a few 
transactions through.
    We're not going to try to simulate a day's activity or 
anything like that, but run transactions through so make sure 
you can get transactions to the trading facility, for example, 
and then you can get feedback from the trading facility 
acknowledging receipt of the order, acknowledging execution of 
the order, whatever it may be, so you can function on your 
backup if you need to in the light of an emergency take place.
    Mr. Platts. Is FCC or Treasury going to be in any way 
participating or watching how it goes?
    Mr. Donahue. They will be getting a report on the test 
results after the fact. At this point it is essentially, this 
is the model the industry followed in preparation for Y2K. We 
conducted tests that we had organized and we implemented. We 
were reporting to our regulatory agencies, to Treasury as well 
in this instance, how that it proceeded, because it's clearly 
of interest to them, but it's not something they would have 
direct involvement in on the actual day of the event.
    Mr. Platts. I think another good example of the private 
sector not waiting for government to say, hey, do this, but 
responding appropriately to being well prepared.
    Mr. Randich, in your testimony you went through in detail 
some of your security preparations from buffer zones around the 
data center, fingerprinting policy for employees and 
contractors. A pretty extensive range of security measures. 
What would be your assessment on how common that is in the 
financial sector, whether it be specifically here in New York 
or a broader sense nationally.
    Mr. Randich. Significantly more so than it was in September 
11th, just being in the business and having to go visit our 
customers and peers. It's like going through the airport 
several times a day, so that's very good news.
    The one area I think is important to note kind of where 
it's limited and where it would be important to improve, one of 
the advantages we have is that our two data centers are located 
in corporate parks, remote areas in one case, even beyond the 
suburbs. That basically allows us to, where the single owner 
tenant of the facility gives us 100 percent control over the 
security and the infrastructure and sometimes I feel that 
organizations that have their critical assets in a multi-tenant 
high-rise in the metro area don't have the level of control 
that they might need.
    Mr. Platts. Again, in any urban setting your ability to 
have that, proximity of other buildings, even if it's your own 
building is a lot more challenging in an urban setting.
    Mr. Randich. Very much.
    Mr. Platts. Would any of you like to comment on that issue 
of the breadth or depth of security in the private sector?
    Mr. Gaer. I actually could and I'd like to put a little bit 
of a twist on it in that yes, security, at least from the 
Exchange level, we have as members virtually every investment 
bank, large trading house, etc., they're members of ours and 
we're kind of this hub, or a utility for liquidity and price 
formation, so we need to take extra steps to be as secure with 
our--in our physical as well as our virtual presence. But what 
I'm seeing, what I've seen personally from being in Europe and 
being in London in particular, London has definitely tightened 
up security post what they call 7/7, but I will tell you that 
the security that you find, especially here in the New York 
metro area is light years ahead of what is happening outside 
the United States and that's important to us for reasons of 
cyber security, which I believe is probably going to be one of 
the next great frontiers that we are all going to have to 
tackle as an industry in our DR testing.
    Mr. Platts. I think that interdependence with cyber 
security, because you can harden a facility, but you could be 
on the other side of the world and depending on the cyber 
security protections out there, they can still do great harm, 
and that's come to light in some of the recent reports on China 
and some of their--at least what appears to be concerted 
Government efforts on an incredible scale to break into 
sensitive data bases in the United States, not just government 
offices. So that challenge is one that is global and what 
happens elsewhere is going to impact us.
    Is there an interaction with those European markets and 
what we are doing here in New York? We talked a lot about 
sharing of best practices here, how much of that is occurring 
    Mr. Gaer. I can only speak from our industry and I would 
have to say very little as far as an international effort, I 
would say very little.
    Mr. Donahue. Depends on the level that you're talking 
about. At the infrastructure level, it's quite a bit. Swift is 
the international payments messaging network, our counterparts 
in Europe, Euroclear and Clear Stream are the two securities 
depositories over there. There are very definitely interactions 
in those core organizations and what's the best practices we 
participate in Swift committee, we meet with Euroclear and 
exchange business continuity standards very regularly.
    Once you go beyond the infrastructure, I would agree 
completely that different firms are not necessarily 
coordinating the way that we're seeing here in the States.
    Ms. Allen. We have some BITS members at the Canadian 
Bankers Association and APACS, which is the payment system in 
the UK. We've shared best practices with the Japanese, with the 
Australians with the OECD countries, but it's nothing formal.
    Mr. Randich. We've hosted walk-throughs of our data center 
many, many times. We're continually doing it, and it's 
interesting, not much European interest, but we've had the 
South Americans, the Asians and even the Middle Eastern and 
Indian markets come take a look.
    Mr. Platts. The hope certainly is that as we are in a 
global economy, that is everywhere and that the lessons being 
learned here and especially as I've heard loud and clear, the 
efforts in the Greater New York area really setting a great 
high standard, high bar for the rest of the country and the 
world, and the lessons learned now being in Chicago and looking 
to regionalize elsewhere around the country and ultimately 
around the world is going to be so important.
    Mr. Towns apparently wanted, and he had to leave for 
another engagement and apologizes that he couldn't stay through 
your whole participation, but on technology, as technology 
continues to advance every day, the ability to insure the 
security of those technological advances, and do you think our 
technology sector is doing enough to provide security day one 
when these new products are hitting the market, software and 
hardware as well, or do we need to take a closer look at what 
they're putting on the market from a security standpoint?
    Ms. Allen. I would say there's improvement, and certainly 
we are working very closely with the largest provider of 
operating systems and software. We have a set of business 
requirements and a work plan with them to meet some of the 
business requirements we have, but it's a longer term process, 
because you have to change the culture of the United States, 
actually all of the software industry, in how it's developed, 
which has been to get it out there fast and let us be the Beta 
tests for them.
    Today we've got to look at those same providers of 
technology, whether it's the software, the infrastructure, the 
systems, to really test code much more rigorously, to develop 
code much more rigorously, to do the testing and to have the 
safeguards before they bring a product to market. That's that 
``higher duty of care''--in particular, if it's a provider 
where they have a dominant share of the market for the 
infrastructure industries. So I think there does need to be 
more attention from not only the private sector, but also the 
government on this area and I think your question is correct. 
We have to look at this globally, because these players are 
global players, they're global players and it's going to be--
Microsoft tells us that the time between a vulnerability and 
exploitation of that vulnerability is getting down to seconds 
now. There's no way you can physically patch all the problems 
there so it means you've got to change the way you look at 
    Mr. Randich. I think they're coming along slowly. It used 
to be a product would differentiate itself from the market with 
function, price, ease of use. Security has clearly been 
elevated as a measure of decisionmaking factor in the choice. 
But by no means should any of us believe you could buy security 
off the shelf. At the end of the day we have to take 
responsibility for it by choosing the best, most progressive 
solution members and tying the loose ends ourselves.
    Mr. Platts. Again, kind of where we started with questions 
in that American way of partners between public private sector 
and individual responsibility and in the end doing what you 
    I want to thank each of you and I wanted to give each of 
you, if there's anything you think you didn't get to highlight 
or want to touch on to reaffirm, to give you the opportunity 
before we close.
    Ms. Allen. I want to thank you for holding this hearing. We 
feel the more that Members of Congress understand the issues 
from the private sector perspective, the better it is. We would 
be happy to educate others in any way we can.
    Mr. Platts. We've been happy to have the hearings and have 
your participation as well as the other panelists earlier and 
it is a great educational process for Mr. Towns, myself and our 
committee staff and then having that as a resource beyond just 
our committee, to do a full committee with the other Members.
    We're on the same team. We are all part of a functioning 
economy in coordination, and the financial sector in New York 
especially, and ultimately receive quality for it.
    Please, each of you, don't hesitate to call on us for 
things you want to share as we move forward in a month or year 
or whatever that you think we should be aware of. We're always 
glad to have that feedback so we can partner well with the 
private sector in what we're doing in Washington.
    We will keep the hearing record open for 2 weeks if there's 
anything from this panel or previous panels to submit for the 
    Again, we thank each of you and wish you and your 
organization and members great success in your efforts, and 
this hearing stands adjourned.
    [Whereupon, at 1:19 p.m., the subcommittee was adjourned.]