Business Continuity Standards & Regulations

A summary of the leading regulatory requirements and standards related to business continuity

Regulatory requirements and standards that influence how business continuity programs are designed and measured continue to grow and mature. This section summarizes many of the leading regulatory requirements and standards, and for each one notes who it applies to and whether it is mandatory or voluntary.

US-Specific Standards and Regulatory Requirements:



US Financial Institutions

FFIEC: Business Continuity Planning Booklet (2008)

Applies to US banks and their service providers

The FFIEC is responsible for establishing the standards to which financial institutions are held at examination. The 2008 version focused on the role of the board and senior management, added pandemic planning, pushed toward integration with enterprise risk management, placed emphasis on proactive risk mitigation, and attempted to eliminate ambiguity in earlier guidance. Examiners hold institutions to the booklet, so it is treated as a mandatory regulatory requirement.


UPDATE: In February 2015, the FFIEC released a new appendix to the Business Continuity Planning booklet. Appendix J: Strengthening the Resilience of Outsourced Technology Services makes clear that a financial institution's reliance on third-party service providers to perform or support critical operations does not relieve the institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. In practice this means the institution, not the provider, must be able to show due diligence, contractual recovery commitments, and evidence that the provider's recovery capability has been tested.


FFIEC: Interagency Statement on Pandemic Planning (2007)**

Applies to US financial institutions and their service providers

The statement outlines actions and strategies that financial institutions should strongly consider when developing pandemic plans. The guidance is not itself mandatory, but institutions are expected to implement its strategies to meet supervisory expectations, so it is highly encouraged by the regulatory agencies.

**NOTE: Now incorporated into the 2008 FFIEC Business Continuity Planning Booklet.


FFIEC FIL 67-97/82-96

Applies to US financial institutions and their service providers

Requires the board of directors to ensure that a comprehensive business resumption and contingency plan has been implemented, covering distributed computing as well as external service bureaus.


FFIEC Policy SP-5

Applies to US financial institutions and their service providers

Policy mandating corporate-wide contingency planning, including the development of recovery alternatives for distributed processing and for information processing performed by service bureaus.


Federal Reserve SR 96-22

Applies to US financial institutions supervised by the Federal Reserve

Supervision and Regulation letter SR 96-22 distributes and enforces the FFIEC's Interagency Supervisory Statement on Risk Management of Client/Server Systems (SP-12).


Interagency White Paper on Strengthening the Resilience of the US Financial System (2002)

Applies to all US institutions providing financial services, especially those deemed "critical" by the agencies. The requirements do not, however, apply to the recovery of trading operations or retail financial services.

The paper advises larger financial institutions on the steps necessary to protect the financial system and sets three business continuity objectives: rapid recovery of critical operations following a wide-scale disruption, rapid recovery following a loss of staff, and a high level of confidence that internal and external continuity arrangements are effective. The guidance in this white paper is generally treated as mandatory for the financial service entities it targets.


Bulletin R-67: Federal Home Loan Bank

Applies to US banks

Follows the intent of BC177, which required documented, exercised, and maintained recovery plans for all user environments and business functions.


SEC 17 CFR 240 (2005)

Applies to the US securities broker-dealer industry

SEC regulations require that transaction histories be maintained for all electronic securities transactions, and that backup power be in place to maintain continuity of operations. This regulatory requirement is mandatory for applicable entities.


FINRA Rule 4370

Applies to all FINRA members

Rule 4370, FINRA's emergency preparedness rule, requires member firms to create and maintain business continuity plans (BCPs) appropriate to the scale and scope of their businesses, to review them at least annually, and to provide FINRA with emergency contact information. It consolidated the earlier NASD Rules 3510 and 3520 and NYSE Rule 446.


NYSE Rule 446 / NASD 3510/3520 (2004)

Applies to all members and member organizations of the NYSE or NASD

The rules required members to establish and maintain business continuity strategies and plans addressing an emergency or significant business disruption, and required that those plans be reasonably designed to enable the member to meet its existing obligations to customers. These requirements were mandatory for applicable entities; they have since been superseded by FINRA Rule 4370.


CFTC Rule 23.603

Applies to Swap Dealers (SDs) and Major Swap Participants (MSPs)

The Commodity Futures Trading Commission (CFTC) Rule 23.603 requires Swap Dealers (SDs) and Major Swap Participants (MSPs) to establish and maintain a written business continuity and disaster recovery plan that outlines the procedures to be followed in the event of an emergency or other disruption of normal business activities. The plan must be designed to enable the SD or MSP to continue or resume operations by the next business day with minimal disturbance to its counterparties and the market, and to recover all documentation and data it is required to maintain under applicable law and regulation. This regulatory requirement is mandatory.


US Energy Sector

FERC COOP: Continuity of Operations Plan (2007)

Applies to the US energy industry

FERC reacted to the attacks of September 11, 2001 with a statement providing regulatory guidance on energy infrastructure reliability and security, recognizing that electric, gas, and oil companies may need to adopt new procedures to safeguard their systems. This regulatory requirement is mandatory.


FERC RM01-12-00

Applies to the US electric power industry, specifically larger metro utilities (rural utilities exempt)

FERC requires a disaster recovery plan for the energy companies within scope. This regulatory requirement is mandatory.


NERC CIP 002-009 (2006)

Applies to US electric power and utility companies

NERC CIP-002 through CIP-009 consist of eight standards covering critical cyber asset identification, security management controls, personnel and training, electronic security perimeters, physical security of critical cyber assets, systems security management, incident reporting and response planning, and recovery plans for critical cyber assets. The standards are mandatory and enforceable for the electric power and utility companies subject to them.


US Government

DOE O 150.1 (2008)

Applies to all departmental elements that are subject to Department of Energy directives

The order provides requirements and responsibilities to ensure that the Department is ready to respond promptly, efficiently, and effectively to a continuity event involving facilities, activities, or operations. This regulatory requirement is mandatory.


EMAP (Emergency Management Accreditation Program): Emergency Management Standard (2010)

Applies to all local, tribal, regional, state, national and private sector emergency management programs

EMAP is a set of standards defining a quality emergency management program. It also provides a means for the strategic improvement of emergency management programs, ultimately culminating in accreditation. This standard is voluntary.


FCD 1: Federal Continuity Directive 1 (2008)

Applies to the executive departments and agencies of the US federal government; it is also useful for state, local, territorial, and tribal governments and the private sector

FCD 1 provides guidance to executive departments and agencies for developing continuity plans and programs by appropriately identifying and carrying out their most critical functions necessary to lead and sustain the Nation during a catastrophic emergency. This regulatory requirement is mandatory for applicable federal departments and agencies.


FCD 2: Federal Continuity Directive 2 (2008)

Applies to the executive departments and agencies of the US federal government; it is also useful for state, local, territorial, and tribal governments and the private sector

FCD 2 implements the requirements set out in FCD 1 by providing guidance, checklists, and direction to US federal executive departments and agencies for the identification of their essential functions. This regulatory requirement is mandatory for applicable federal departments and agencies.


HSPD-21: National Strategy for Public Health and Medical Preparedness (2007)

Applies to public health and disaster response professionals and organizations in all levels of government

HSPD-21 addresses preparedness for catastrophic health events by offering strategic direction on biosurveillance, countermeasure stockpiling and distribution, mass casualty care, community resilience, education and training, disaster health systems, and risk awareness. This directive is mandatory for the federal entities it addresses.


NIST SP 800-34: Contingency Planning Guide for Information Technology Systems (2002)

Applies as recommended guidance to US federal departments and agencies

The NIST guide provides instructions, recommendations, and considerations for IT contingency planning in government, including the business impact analysis, recovery strategies, plan development, testing, and maintenance. The guide was superseded in 2010 by SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems. The guideline is voluntary in itself, although many federal departments and agencies mandate it internally.


NRF: National Response Framework (2008)

Applies to communities, tribes, states, the federal government, and private-sector and nongovernmental partners in the United States

The NRF provides the guiding principles that enable all response partners to prepare for and deliver a unified national response to disasters and emergencies. It establishes a comprehensive, national, all-hazards approach to domestic incident response. This regulatory requirement is mandatory for applicable federal departments and agencies.


PAHPA: Pandemic and All-Hazards Preparedness Act (2006)

Applies to the US federal government, specifically the Department of Health and Human Services

PAHPA aims to improve the nation's public health and medical preparedness and response capabilities for emergencies, whether deliberate, accidental or natural. This regulatory requirement is mandatory.


US Health Organizations

Health Insurance Portability and Accountability Act (HIPAA) (1996)

Applies to the US health delivery and insurance industries

HIPAA was enacted to let individuals move between health insurance providers without their health data becoming unavailable, lost, or corrupted in the process. Among other things, it requires covered organizations to have a contingency plan in place. This regulatory requirement is mandatory.


HIPAA Security Rule, 45 CFR 164.308(a)(7)

Applies to the US health delivery and insurance industries and their business associates

This section of the Security Rule identifies Contingency Planning as a standard under the Administrative Safeguards. HIPAA contingency plans address the "availability" security principle, which covers threats related to business disruption, so that authorized individuals have access to vital systems and information when required. Three implementation specifications are required: a data backup plan, a disaster recovery plan, and an emergency mode operation plan. Two further specifications, testing and revision procedures and an applications and data criticality analysis, are addressable, meaning the covered entity must implement them or document why an alternative is reasonable.


Health Information Technology for Economic and Clinical Health Act (HITECH) (2009)

Applies to covered entities, business associates, vendors of personal health records (PHR) and related entities

Signed into law on February 17, 2009, this Act extends various HIPAA security and privacy requirements and lays the groundwork for increased enforcement. As part of its push to increase the use of electronic health records, the Act addresses breach notification requirements, protected health information (PHI) access rights and disclosure restrictions, and penalties and enforcement related to data breach events. Most importantly, the HITECH Act requires a covered entity to notify each affected individual once it discovers, or reasonably should have discovered, a breach of unsecured PHI. Notice must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notification clock starts on the date the breach is first discovered, not on the date the covered entity completes its investigation of a possible breach.


Joint Commission: Environment of Care Standards (2005)

Applies to healthcare delivery organizations

The Joint Commission sets standards for healthcare organizations and issues accreditation to organizations that meet them. The Environment of Care standards dictate that every hospital must have an emergency management program so that patient care can continue effectively in the event of a disaster. Compliance is mandatory for accredited organizations.


Joint Commission IM.2.30 (2008)

Applies to health care delivery organizations

The Joint Commission's Standard IM.2.30 aims to ensure that continuity of information is maintained in hospitals. The standard mandates that a business continuity/disaster recovery plan be developed and maintained that identifies the most critical information needs for patient care, treatment, and services and the impact if the supporting systems were unavailable. The plan must also identify alternative means of processing that information and of recovering the data.


Homeland Defense's Pandemic Preparedness Handbook (2007)

Applies to corporate and governmental emergency response and public health planners

This handbook was prepared primarily to assist those working in the public health sector, and especially those involved in pandemic preparedness planning, in ensuring that appropriate measures are taken to plan for combating potential pandemics. This handbook is voluntary.


FDA 21 CFR Part 11 (1997)

Applies to the life sciences and pharmaceutical industry

FDA regulations set out the criteria under which electronic records and electronic signatures are accepted as equivalent to paper records and handwritten signatures. They require documented, validated change control for the systems that hold those records, and require that the records be protected so that they remain accurate and readily retrievable throughout their retention period, which in practice means backed-up systems, software, and power for key systems. This regulatory requirement is mandatory.


US Private Sector

NFPA 1600 (2016 edition)
Standard on Disaster/Emergency Management and Business Continuity Programs

Applies to public, not-for-profit, non-governmental (NGO), and private entities on a local, regional, national, international, and global basis.

NFPA 1600 gives organizations that want to address preparedness management a consensus standard that advocates an "all hazards approach" to preparing for any incident. It also advocates a team-based approach to response, restoration, and recovery preparation with strong senior management support and involvement. This is a voluntary standard.

The 2013 edition of NFPA 1600 is also one of the three standards selected for inclusion in the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep).


OSHA 3327-05R: Guidance on Preparing Workplaces for an Influenza Pandemic (2009)

Applies to all US organizations

OSHA's guidance states that all employers should consider using it to identify the risk levels in their workplace settings and the appropriate control measures, which include good hygiene, cough etiquette, social distancing, the use of personal protective equipment, and staying home from work when ill. This is a voluntary (but highly encouraged) guideline.
