Disaster Recovery Presented By: Robert Rutkowski, Esq.

ROR- Disaster Recovery- NAFCU 20120208

Page 1: ROR- Disaster Recovery- NAFCU 20120208

Disaster Recovery

Presented By:

Robert Rutkowski, Esq.

Page 2: ROR- Disaster Recovery- NAFCU 20120208

Today’s Discussion

• Legal necessity of disaster recovery plans

• AIRES Disaster Preparedness and Response Plan

• Compliance reports

• Catastrophic act reports

• Records preservation

2 | Disaster Recovery WELTMAN, WEINBERG & REIS CO., LPA

Page 3: ROR- Disaster Recovery- NAFCU 20120208

Today’s Discussion

• Different types of disasters

• Disasters In-Depth: Computers and Electronic Disasters

• NCUA rules on security programs

Page 4: ROR- Disaster Recovery- NAFCU 20120208

Legal Necessity of Disaster Recovery Plans

Page 5: ROR- Disaster Recovery- NAFCU 20120208

Legal Reasons to Have a Plan

• Not having one could be:

– Breach of fiduciary duty of care

– Corporate negligence

– Breach of due diligence

• NCUA put forth regulations requiring CUs to have a plan in place

Page 6: ROR- Disaster Recovery- NAFCU 20120208

Examples

• In re the T.J. Hooper

• Diversified Graphics, Ltd. v. Groves

• Bank of Louisiana v. Sungard Recovery Services, Inc.

Page 7: ROR- Disaster Recovery- NAFCU 20120208

Complying with OSHA

• Generally provide safe, clean and healthy work environment not likely to cause death or serious injury

Page 8: ROR- Disaster Recovery- NAFCU 20120208

Complying with OSHA: Emergency Action Plan

• Have a written plan

• Procedures for reporting a fire or other emergency

• Procedures for emergency evacuation complete with exit routes

• Procedures for employees who remain to execute critical plan operations before evacuation

Page 9: ROR- Disaster Recovery- NAFCU 20120208

Complying with OSHA: Emergency Action Plan

• Procedures to account for all employees after disaster/evacuation

• Rescue or medical duty procedures

• Contact info for key staff having more information regarding plan

Page 10: ROR- Disaster Recovery- NAFCU 20120208

Complying with OSHA: Fire Prevention Plan

• List all major fire hazards

• Procedures for storing heat generating equipment

• Storage of hazardous materials

• Fuel source hazards

• Names of staff responsible for maintaining safeguards for fuel

Page 11: ROR- Disaster Recovery- NAFCU 20120208

Complying with OSHA: Exit Routes

• Must be at least two routes leading directly outside to a street or to a place having such access

• Walls must have a one hour fire rating

• If building is four or more stories, walls must have a two hour fire rating

Page 12: ROR- Disaster Recovery- NAFCU 20120208

Complying with OSHA

• OSHA also requires procedures for more specific potential hazards

Page 13: ROR- Disaster Recovery- NAFCU 20120208

Family and Medical Leave Act

• May allow for leave for serious injuries sustained during disaster

• Employee must have worked at least 12 months for the CU and is allowed 12 weeks leave for every 12 months worked

• Injury must qualify as “serious medical condition”

– Broad definition

Page 14: ROR- Disaster Recovery- NAFCU 20120208

Family and Medical Leave Act

• Things that will probably NOT qualify for this type of leave:

– Cleaning up one’s house

– Rebuilding after a flood/disaster

– Dealing with consequences of someone’s death

Page 15: ROR- Disaster Recovery- NAFCU 20120208

Insurance Coverage

• Review policies for coverage and exclusions

• All-risk building property damage policy

– Insures against most types of loss to property and business

– Does not cover loss from flood, earthquake, war, vermin, etc.

• Riders/separate policies can be purchased for these disasters

Page 16: ROR- Disaster Recovery- NAFCU 20120208

Insurance Coverage: Available Options and Riders

• Business interruption insurance

– Provides for loss of income caused by interruption of an ongoing business as a result of a disaster or other included risk under the policy

• Extra expense insurance

– Protects against increased costs in finding and maintaining an alternate place of doing business during period of repair or in locating and setting up new quarters if damaged premises cannot be re-let

Page 17: ROR- Disaster Recovery- NAFCU 20120208

Insurance Coverage: Available Options and Riders

• Valuable papers insurance

– Provides replacement for loss, damage or destruction of vital papers

• Accounts receivable insurance

– Provides protection for loss due to inability to collect accounts receivable because records have been lost, destroyed or damaged

Page 18: ROR- Disaster Recovery- NAFCU 20120208

Insurance Coverage: Available Options and Riders

• Earthquake coverage

• Flood coverage

• Electronic data processing (EDP) equipment coverage

– Protects against both physical loss of an EDP system, tapes, peripheral equipment, etc., and the extra expense of duplicating data

Page 19: ROR- Disaster Recovery- NAFCU 20120208

Insurance Coverage: Available Options and Riders

• Miscellaneous

– Additional riders and endorsements are available to provide protection for other items

Page 20: ROR- Disaster Recovery- NAFCU 20120208

Reasonable Man Standard

• CU management is held to the standards of a reasonable man - what would a reasonable, rational, prudent person in a similar position do?

Page 21: ROR- Disaster Recovery- NAFCU 20120208

Corpus Juris Secundum, Vol. 19, Section 491

• Directors and officers owe a duty to the corporation to be vigilant and to exercise ordinary or reasonable care and diligence and the utmost good faith and fidelity to conserve corporate property and if loss or depletion of assets results from their willful or negligent failure to perform their duties, or a willful or fraudulent abuse of trust, they are liable provided the losses were natural and necessary consequences of omission on their part

Page 22: ROR- Disaster Recovery- NAFCU 20120208

World Trade Center: Credit Union Example

Page 23: ROR- Disaster Recovery- NAFCU 20120208

Hurricane Katrina: Credit Union Example

Page 24: ROR- Disaster Recovery- NAFCU 20120208

AIRES Disaster Preparedness & Response Plan

Page 25: ROR- Disaster Recovery- NAFCU 20120208

Planning-Ensuring Financial Services to Members

• Is written Disaster Preparedness & Response Plan (DPR) in place?

• Does plan address periodic testing?

• Are updates to plan and testing efforts documented in Board minutes?

• Does plan identify specific threats to delivering vital financial services to members?

Page 26: ROR- Disaster Recovery- NAFCU 20120208

Planning-Ensuring Financial Services to Members

• Does plan identify critical systems and their role in providing members with vital financial services?

• Does plan ensure timeline for restoring critical systems?

• Does plan include multiple forms of communication?

Page 27: ROR- Disaster Recovery- NAFCU 20120208

Planning-Ensuring Financial Services to Members

• Does plan establish various methods for disseminating information to members?

• Does plan address communication between key staff, corporate CUs, vendors, league affiliates, local media and status reports to NCUA/state regulator?

• Does plan include evacuation and/or “shelter-in-place” guidance?

Page 28: ROR- Disaster Recovery- NAFCU 20120208

Planning-Ensuring Financial Services to Members

• Does plan include pre-event preparations?

– Will back-ups of data be performed and accessible from a safe location?

– Are members informed on how to contact CU after disaster occurs?

Page 29: ROR- Disaster Recovery- NAFCU 20120208

Resources: Allocation of Equipment, Facilities and Supplies

• Has CU determined its equipment, facility and supply needs in the event of a disaster?

• Is a list of critical systems including emergency vendor/supplier contact information maintained at CU and alternate locations?

• Are appropriate contingencies developed in the event back-up or alternate systems fail?

Page 30: ROR- Disaster Recovery- NAFCU 20120208

Resources: Allocation of Equipment, Facilities and Supplies

• Is there a designated alternate worksite(s) which is a reasonable distance from the CU based on potential disasters identified in DPR?

• Is a secondary alternate worksite location designated?

Page 31: ROR- Disaster Recovery- NAFCU 20120208

Resources: Allocation of Equipment, Facilities and Supplies

• Has CU designated one or more off-site storage facilities for back-up information within a safe, but reasonable distance from CU?

• Has CU established a reliable means for disbursement of cash and/or checks in event of disaster?

Page 32: ROR- Disaster Recovery- NAFCU 20120208

Resources: Allocation of Equipment, Facilities and Supplies

• Does CU maintain sufficient insurance and is basic policy information included in plan?

Page 33: ROR- Disaster Recovery- NAFCU 20120208

Evaluation- Testing of Contingencies for All Critical Systems

• Is plan tested periodically - what was date of last test?

• Are agreements with shared service branches evaluated for ability to handle increased transactions in case of disaster?

• Are disaster support agreements with system vendor(s) evaluated at least annually?

Page 34: ROR- Disaster Recovery- NAFCU 20120208

Evaluation- Testing of Contingencies for All Critical Systems

• Are disaster support agreements for buildings and facilities reviewed annually?

• Are temporary locations periodically tested for readiness?

• Are alternate communication means tested by key CU staff members?

• Has CU tested ability to communicate with local media?

• Are test results integrated into plan?

Page 35: ROR- Disaster Recovery- NAFCU 20120208

People-Maintaining Readiness of Staff and Officials

• Does plan include listing of key people and their responsibilities?

• Does plan clearly identify individual authorized to initiate/terminate the plan and their alternate?

• Has CU considered special skills and capabilities of staff members to aid in various types of disasters?

Page 36: ROR- Disaster Recovery- NAFCU 20120208

People-Maintaining Readiness of Staff and Officials

• Does plan provide for each individual’s specific responsibilities and secondary duties?

• Does plan designate a Disaster Recovery Team?

• Does plan identify a site for team to assemble after disaster?

Page 37: ROR- Disaster Recovery- NAFCU 20120208

People-Maintaining Readiness of Staff and Officials

• Are all CU personnel provided with initial and periodic training as it relates to plan?

• Is emergency contact information current on 5300 Call Report?

Page 38: ROR- Disaster Recovery- NAFCU 20120208

Alliances- Establishing Relationships With Other Organizations

• Does plan identify essential alliances?

• Are communication plans in place for alliances?

• Has CU considered whether geographic separation with its alliances is important?

• Are alliances able to support emergency needs?

• Are alliances part of testing?

Page 39: ROR- Disaster Recovery- NAFCU 20120208

Review-Updating Internal Plans for Effectiveness

• Is plan periodically reviewed by officials and updated?

• Are post-incident response reviews performed after CU is affected by disaster or service disruption?

• Are deficiencies found by CU during testing and/or causes for service disruption corrected in plan?

Page 40: ROR- Disaster Recovery- NAFCU 20120208

Experience-Incorporate Lessons Learned From Others

• Are lessons learned from others evaluated and incorporated into CU’s preparedness efforts?

• Has management reviewed the plans of its major vendors and utilized the best practices?

Page 41: ROR- Disaster Recovery- NAFCU 20120208

NCUA Profile Form 4501A

• Changes to the NCUA Form 4501A – Credit Union Profile, effective Dec 31, 2011

– Regulatory Information

• Added the question for CUs with 100 employees or 50 or more employees with a Federal contract of at least $50,000: What is the last date you filed an EEO-1 Survey with the Equal Employment Opportunity Commission?

• Added a question concerning whether the CU has a diversity policy or program

– CU Programs and Member Services

• Added a question about the CU’s current minority membership

• Added a question about the CU’s potential minority membership

Page 42: ROR- Disaster Recovery- NAFCU 20120208

Compliance Reports

Page 43: ROR- Disaster Recovery- NAFCU 20120208

Compliance Report

• Requires each federally insured CU to file annual statement certifying compliance with Part 748

– File with regional director

– Federally insured state-chartered CU can send statement to regional director via state supervisory authority

Page 44: ROR- Disaster Recovery- NAFCU 20120208

Compliance Report

• Have President or other managing officer sign and date

Page 45: ROR- Disaster Recovery- NAFCU 20120208

Catastrophic Act Reports

Page 46: ROR- Disaster Recovery- NAFCU 20120208

Catastrophic Act Report

• Each federally-insured CU must notify regional director within five (5) business days of any catastrophic act

• Catastrophic includes any disaster, natural or otherwise, that results in some physical destruction or damage to CU, or causing an interruption in vital member services projected to last greater than two (2) consecutive business days

Page 47: ROR- Disaster Recovery- NAFCU 20120208

Catastrophic Act Report

• Record of disaster must be prepared and filed at main office within reasonable time after catastrophic act occurs

Page 48: ROR- Disaster Recovery- NAFCU 20120208

Catastrophic Act Report

• Record should include:

– Office where catastrophic act occurred

– When it took place

– Amount of any loss

– Whether any operational or mechanical deficiencies contributed or might have contributed

– What has been done or is planned to correct deficiencies

Page 49: ROR- Disaster Recovery- NAFCU 20120208

Records Preservation

Page 50: ROR- Disaster Recovery- NAFCU 20120208

749.0: What is Covered In this Part?

• Requires all federally-insured CU to maintain record preservation program

• Serves to identify, store and reconstruct vital records in the event of destruction

• Flexibility in the format that CU can use for maintaining writings, records or other information

Page 51: ROR- Disaster Recovery- NAFCU 20120208

749.1: What Are Vital Records?

• As of the most recent month-end:

– List of share, deposit, and loan balances for each member’s account which:

• Shows balance individually identified by a name or number

• Lists multiple loans of one account separately

• Contains information sufficient to enable CU to locate each member, such as address and phone number

Page 52: ROR- Disaster Recovery- NAFCU 20120208

749.1: What Are Vital Records?

– Financial report, which lists all of the CU’s asset and liability accounts and bank reconcilements

– List of CU’s financial institutions, insurance policies and investments

– Emergency contact information

Page 53: ROR- Disaster Recovery- NAFCU 20120208

749.2: What Must a CU Do with Vital Records?

• Board of Directors responsible for establishing vital records preservation program within six (6) months after its insurance certificate is issued

• Must contain procedures for storing duplicate vital records at a vital records center

Page 54: ROR- Disaster Recovery- NAFCU 20120208

749.2: What Must a CU Do with Vital Records?

• Must designate staff member responsible for carrying out vital records duties

• Previously stored records may be destroyed when current records are stored

Page 55: ROR- Disaster Recovery- NAFCU 20120208

749.2: What Must a CU Do with Vital Records?

• Must maintain records preservation log showing:

– What records are stored

– When records were stored

– Who sent the records for storage

• Develop methods to restore vital member services

Page 56: ROR- Disaster Recovery- NAFCU 20120208

749.2: What Must a CU Do with Vital Records?

• CUs that have some or all of their records maintained by an off-site data processor are considered to be in compliance for the storage of those records if the service agreement specifies that the data processor uses safeguards against the simultaneous destruction of production and back-up information

Page 57: ROR- Disaster Recovery- NAFCU 20120208

749.3: What Is a Vital Records Center?

• A storage facility at any location far enough from the CU’s offices to avoid the simultaneous loss of both sets of records in the event of disaster

Page 58: ROR- Disaster Recovery- NAFCU 20120208

749.4: What Format May the CU Use for Preserving Records?

• Any format that can be used to reconstruct the CU’s records

– Paper originals

– Machine copies

– Micro-film or fiche

– Magnetic tape

Page 59: ROR- Disaster Recovery- NAFCU 20120208

749.4: What Format May the CU Use for Preserving Records?

– Any electronic format that:

• Accurately reflects information in the record

• Remains accessible to all persons who are entitled to access by statute, regulation or rule of law

• Is capable of being reproduced by transmission, printing or otherwise

Page 60: ROR- Disaster Recovery- NAFCU 20120208

749.5: What Format May the CU Use for Maintaining Writings, Records or Info Required By Other NCUA Regulations?

• Any format, electronic or other, that:

– Accurately reflects information

– Remains accessible to all persons who are entitled to access by statute, regulation or rule of law

– Is capable of being reproduced by transmission, printing or otherwise

Page 61: ROR- Disaster Recovery- NAFCU 20120208

749.5: What Format May the CU Use for Maintaining Writings, Records or Info Required By Other NCUA Regulations?

• CU must maintain necessary equipment or software to permit an examiner access to the records during examination process

Page 62: ROR- Disaster Recovery- NAFCU 20120208

Appendix A to Part 749: Record Retention Guidelines

Page 63: ROR- Disaster Recovery- NAFCU 20120208

What Format Should the CU Use for Retaining Records?

• NCUA does not recommend a particular format

• If stored on microfilm, microfiche, or in an electronic format, they must be accurate, reproducible and accessible to an NCUA examiner

Page 64: ROR- Disaster Recovery- NAFCU 20120208

What Format Should the CU Use for Retaining Records?

• If stored on CU premises, they should be immediately accessible upon examiner’s request

• If stored by a third party or off-site, they should be made available to examiner within a reasonable time after examiner’s request

Page 65: ROR- Disaster Recovery- NAFCU 20120208

What Format Should the CU Use for Retaining Records?

• CU must maintain necessary equipment or software to permit an examiner to review and reproduce stored records upon request

• CU should ensure that reproduction is acceptable for submission as evidence in a legal proceeding

Page 66: ROR- Disaster Recovery- NAFCU 20120208

Who is Responsible for Establishing a System for Record Disposal?

• CU’s Board of Directors may approve a schedule authorizing disposal of certain records on a continuing basis upon expiration of specified retention periods

– Eliminates need for Board approval each time CU wants to dispose of same types of records created at different times

Page 67: ROR- Disaster Recovery- NAFCU 20120208

What Procedures Should a CU Follow When Destroying Records?

• CU should prepare an index of any records destroyed and retain index permanently

• Destruction of records should normally be carried out by at least two (2) persons whose signatures, attesting to the fact that records were actually destroyed, should be affixed to the listing

Page 68: ROR- Disaster Recovery- NAFCU 20120208

What Are the Recommended Minimum Retention Times?

• Each state can impose its own rules

• CU should consider consulting with local counsel when setting minimum retention periods

• A record pertaining to a member’s account that is not considered a vital record may be destroyed once it is verified by supervisory committee

Page 69: ROR- Disaster Recovery- NAFCU 20120208

What Are the Recommended Minimum Retention Times?

• Individual shares and loan ledgers should be retained permanently

• Records, for a particular period, should not be destroyed until both a comprehensive annual audit by supervisory committee and a supervisory examination by the NCUA have been made for that period

Page 70: ROR- Disaster Recovery- NAFCU 20120208

What Records Should Be Retained Permanently?

• Official records

– Charter, bylaw and amendments

– Certificates or licenses to operate under programs of various government agencies

• Ex: certificate to act as issuing agent for the sale of U.S. savings bonds

Page 71: ROR- Disaster Recovery- NAFCU 20120208

What Records Should Be Retained Permanently?

– Current manuals, circular letters and other official instructions of a permanent character from the NCUA and other governmental agencies

Page 72: ROR- Disaster Recovery- NAFCU 20120208

What Records Should Be Retained Permanently?

• Key operational records

– Minutes of meetings of the membership, Board of Directors, credit committee and supervisory committee

– One (1) copy of each NCUA 5300 financial report or its equivalent

– One (1) copy of each supervisory committee comprehensive annual audit report and attachments

Page 73: ROR- Disaster Recovery- NAFCU 20120208

What Records Should Be Retained Permanently?

– Supervisory committee records of account verification

– Applications for membership and joint share account agreements

– Journal and cash record

– General ledger

Page 74: ROR- Disaster Recovery- NAFCU 20120208

What Records Should Be Retained Permanently?

– Copies of periodic statements of members, or the individual share and loan ledger (a complete record of the account should be kept separately)

– Bank reconcilements

– Listing of records destroyed

Page 75: ROR- Disaster Recovery- NAFCU 20120208

What Records Should a CU Designate for Periodic Destruction?

• Any record not described above unless it must be retained to comply with requirements of consumer protection regulations

Page 76: ROR- Disaster Recovery- NAFCU 20120208

What Records Should a CU Designate for Periodic Destruction?

• Should be scheduled so that the most recent of the following records are available for the annual supervisory committee audit and NCUA examination

– Applications of paid-off loans

– Paid notes

Page 77: ROR- Disaster Recovery- NAFCU 20120208

What Records Should a CU Designate for Periodic Destruction?

– Various consumer disclosure forms, unless retention is required by law

– Cash received vouchers

– Journal vouchers

– Canceled checks

– Bank statements

– Outdated manuals, canceled instructions, and nonpayment correspondence from NCUA and other governmental agencies

Page 78: ROR- Disaster Recovery- NAFCU 20120208

Appendix B to Part 749

Page 79: ROR- Disaster Recovery- NAFCU 20120208

Different Types of Disasters

Page 80: ROR- Disaster Recovery- NAFCU 20120208
Page 81: ROR- Disaster Recovery- NAFCU 20120208

Natural Disasters: Floods/Rain Storms

• Flash flooding soaks everything in water

• Raw sewage in water

• Floating debris

• Silt in water damaging computers and everything else

• Lightning starting fires or power outages

• Hail

Page 82: ROR- Disaster Recovery- NAFCU 20120208

Natural Disasters: Landslide

• Floating debris

• Destruction to property

• Disruption to utility services, transportation

Page 83: ROR- Disaster Recovery- NAFCU 20120208

Natural Disasters: Tornadoes

• High winds destroy everything in their path

• Downed power lines

• Items smashing into your building, ATMs, windows

• Roof rips off and destroys valuable materials in offsite storage facility

Page 84: ROR- Disaster Recovery- NAFCU 20120208

Natural Disasters: Hurricanes

• Just look at Hurricane Katrina

• Flooding

• Winds

• Rain

• Hail

• Tidal surges

• Killings

• Looting

• CHAOS!

Page 85: ROR- Disaster Recovery- NAFCU 20120208

Natural Disasters: Snow

• Blocks roads

• Extreme cold

• High winds

• Drifting snow makes transportation difficult (including going home)

• Snow is heavy and can collapse roof causing damage on inside of structure

• In spring: watch for floods resulting from quick thawing!

Page 86: ROR- Disaster Recovery- NAFCU 20120208

Natural Disasters: Extreme Temperatures and Drought

• Extreme cold:

– Icy road conditions: employees and vendors cannot or are not willing to drive into work

– Emergency teams needed elsewhere

– Power lines downed by weight of ice

• Extreme heat:

– Peak energy hours causing black/brownouts

• Drought

Page 87: ROR- Disaster Recovery- NAFCU 20120208

Technological Disasters

• Fire

• Blackout or brownout

• Industrial explosion

• Hazardous materials accident

• Pipeline explosion

• Transportation disruption

• Water main, gas main or sewer break

Page 88: ROR- Disaster Recovery- NAFCU 20120208

Social Disasters

• Arson

• Bombing threat/bombing

• Terrorism

• Civil disturbance

– Disgruntled employees, stealing sensitive info

• Criminal activity

• Labor strife

Page 89: ROR- Disaster Recovery- NAFCU 20120208

Disasters In-Depth: Computers and Electronic Disaster

Page 90: ROR- Disaster Recovery- NAFCU 20120208

Computers and Electronic Disasters

• Typically involves:

– Loss of or damage to data

– Inability of programs to function

– Loss of data communication

Page 91: ROR- Disaster Recovery- NAFCU 20120208

Computers and Electronic Disasters

• Can occur because of natural disaster:

– Floods

– Fires

– Earthquakes

• Can occur because of manmade disasters:

– Air conditioning failures

– Viruses

– Hacking

– Vandalism

Page 92: ROR- Disaster Recovery- NAFCU 20120208

Three Steps in Computer & Electronic Disaster Planning

• Risk assessment

• Risk reduction

• Recovery

Page 93: ROR- Disaster Recovery- NAFCU 20120208

Risk Assessment

• What is the probability that a particular disaster will occur?

• How serious is the effect likely to be if it does occur?

• Put together a disaster recovery team

Page 94: ROR- Disaster Recovery- NAFCU 20120208

Risk Reduction: Three Major Techniques

• Watching your power

• Guarding your computers

• Caring for your systems

Source: “Data Disaster: Planning for a Computer Meltdown”, nfib.com, 11/1/05

Page 95: ROR- Disaster Recovery- NAFCU 20120208

Watching Your Power

• Develop an alternate power supply

– Backup generation, which can keep your computer running for a short time period during a power outage, can help prevent data loss

• Protect against power surges

– Good surge protectors cost around $100

Page 96: ROR- Disaster Recovery- NAFCU 20120208

Watching Your Power

• When the air crackles, disconnect the modem

– Electricity can easily travel through telephone lines during an electrical storm and can damage computer equipment through your modem

• Be sure that you are insured

– Policies should cover hardware and software

– Ask about availability and costs of critical records coverage

Page 97: ROR- Disaster Recovery- NAFCU 20120208

Guarding Your Computers

• Use a password and change it frequently

• Protect your files

– Sophisticated software allows you to grant system access on a selective basis

• Segregate responsibilities

– Segregate manual and computer responsibilities; this prevents any one employee from obtaining all the tools necessary to manipulate the system or cover up theft

Page 98: ROR- Disaster Recovery- NAFCU 20120208

Guarding Your Computers

• Back it up!

– Most important security rule of all

– Back up your drive with all data weekly or daily (or even more frequently), depending on volume of transactions

– Rule of thumb: you should never be in a position where reentry of data requires more than a day’s work

Page 99: ROR- Disaster Recovery- NAFCU 20120208

Guarding Your Computers

• Keep your backup disks or tape in a safe place, preferably miles away from your business

– Put in a fireproof office safe or at an office across town

– Store at a commercial data center

– Consider a “round robin” arrangement where you always have two to four backups circulating

• When you send a fresh backup to location #1, you move its backup to location #2 and so on
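The backup-frequency rule of thumb and the round-robin rotation from the two slides above, worked through as an added example that is not part of the original presentation. It assumes one day of transactions takes one day of work to re-enter; the function names, schedule and dates are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

def rotate(sites, new_backup):
    """Deliver a fresh backup to location #1. Each older copy moves one
    location down the chain; the oldest copy falls off for media reuse."""
    sites.appendleft(new_backup)          # deque(maxlen=n) drops the oldest
    return list(sites)

def reentry_days(backup_time, failure_time):
    """Days of transactions to re-enter if the restore uses this copy
    (assumption: one day of transactions equals one day of re-entry work)."""
    return (failure_time - backup_time) / timedelta(days=1)

def exposure_report(sites, failure_time, limit_days=1.0):
    """Per location: (location number, re-entry days, within the one-day rule)."""
    report = []
    for location, taken in enumerate(sites, start=1):
        days = reentry_days(taken, failure_time)
        report.append((location, round(days, 2), days <= limit_days))
    return report

def simulate(interval_hours, n_sites, n_backups, hours_after_last):
    """Constructed schedule: a backup every interval_hours, rotated through
    n_sites locations, with a failure hours_after_last after the newest one."""
    first = datetime(2012, 2, 6, 18, 0)   # constructed start time
    sites = deque(maxlen=n_sites)
    for i in range(n_backups):
        rotate(sites, first + timedelta(hours=interval_hours * i))
    failure = sites[0] + timedelta(hours=hours_after_last)
    return exposure_report(sites, failure)

if __name__ == "__main__":
    for label, hours in (("daily", 24), ("weekly", 168)):
        print(label, simulate(hours, n_sites=3, n_backups=5, hours_after_last=20))
```

With daily backups only the copy at location #1 stays inside the one-day rule; if that copy is lost together with the primary site, restoring from location #2 or #3 already means more than a day of re-entry.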

Page 100: ROR- Disaster Recovery- NAFCU 20120208

Guarding Your Computers

• Keep a paper trail

– Since you may need to reenter data, keep your paper audit trail strong and clear

• Develop emergency operating procedures

– How will you restore data and get your system up and running again?

– If you have to run without computers, do you have adequate paper-based systems in place?

Page 101: ROR- Disaster Recovery- NAFCU 20120208

Guarding Your Computers

• Limit physical access

– Only employees that need access should have access to computer systems containing sensitive information

• Allow business use only

– Viruses often spread from disk to disk or disk to drive; employees should not be able to load personal software onto your business computer

Page 102: ROR- Disaster Recovery- NAFCU 20120208

Guarding Your Computers

• Exercise caution when downloading

– Many viruses enter a system when files are downloaded from electronic bulletin boards or software exchanges

• Give your computers periodic checkups

– Update anti-viral software regularly

• Ask for help

– Utilize a consultant if necessary

Page 103: ROR- Disaster Recovery- NAFCU 20120208

Caring For Your System

• Keep food and beverages away from your computers

• Maintain the right temperature

– Watch for excessively warm or damp rooms

– Dry, cool environment is best

• Clean your computer

– Many system crashes occur because of dust and dirt

Page 104: ROR- Disaster Recovery- NAFCU 20120208

Caring For Your System

• Write down a plan

– Make sure your computer protection and security program is written down!

• Don’t think that “it can’t happen to you”

– Aside from man-made and natural disasters, computers often suddenly break down for inexplicable reasons

Page 105: ROR- Disaster Recovery- NAFCU 20120208

Recovery Planning

• Who calls whom and what information should they be prepared to give?

• Who performs the needed diagnostics?

• Who restores the files?

• What are the instructions for packing and shipping corrupted files?

Page 106: ROR- Disaster Recovery- NAFCU 20120208

Recovery Planning

• Key elements:

– Communication

– Designated operators

– Designated manager

– External resources

– Insurance

Source: “Disaster Planning for Computers and Networks”, Boss, Richard W., ala.org/ala/pla/plapubs/technotes/disasterplanning.htm

Page 107: ROR- Disaster Recovery- NAFCU 20120208

Communication

• Don’t assume that regular telephone service will be available

• Key personnel should have cell phones

• Instructions for dealing with a computer/electronic disaster should be stored in a watertight, wall-hung cabinet near the entrance door

• All important telephone numbers should be available

Page 108: ROR- Disaster Recovery- NAFCU 20120208

Designated Operators

• Server operator on duty each hour

• Should have instructions to call support desks for servers that have been affected

• Should participate in occasional disaster drills

Page 109: ROR- Disaster Recovery- NAFCU 20120208

Designated Managers

• A manager should be available by phone 24 hours a day, 7 days a week

Page 110: ROR- Disaster Recovery- NAFCU 20120208

External Resources

• Vendors are an important resource for diagnosing problems that result from a disaster

• Should be able to pinpoint problems remotely

• Make sure you have a provision in the contract for emergency support

Page 111: ROR- Disaster Recovery- NAFCU 20120208

Insurance

• Coverage for servers, computers, networks, clients

• Must have a current inventory of all hardware and software, including purchase data and price

– Store a copy at a remote site

• Take photographs of damage promptly after disaster

Page 112: ROR- Disaster Recovery- NAFCU 20120208

NCUA Rules on Security Programs

Page 113: ROR- Disaster Recovery- NAFCU 20120208

NCUA Rules

• Part 748: Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance

– §748.0: Security program

– Requires each federally insured CU to develop written security program within 90 days of effective date of insurance

Page 114: ROR- Disaster Recovery- NAFCU 20120208

Security Response Programs: Overview

• Effective June 1, 2005

• Requires all federally-insured CUs to adopt a response program to direct them when they detect/suspect unauthorized access to their member information

• www.ncua.gov/ref

Page 115: ROR- Disaster Recovery- NAFCU 20120208

Overview

• Six main categories of planning and action

– Assessment of situation

– Notification to regulatory and law enforcement agencies

– Contain and control the situation

– Corrective action

– Notification to members

– Revising service provider contracts

Page 116: ROR- Disaster Recovery- NAFCU 20120208

Overview

• Needs to be designed to do the following

– Protect from robberies, burglaries, larcenies and embezzlement

– Ensure security and confidentiality of member records

– Respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member

– Assist in identification of persons who commit or attempt such actions and crimes

– Prevent destruction of vital records

Page 117: ROR- Disaster Recovery- NAFCU 20120208

Questions & Answers

• Any questions?

Page 118: ROR- Disaster Recovery- NAFCU 20120208

Thank you

• Contact Me

Robert Rutkowski

Partner, Credit Union Practice Group

Weltman, Weinberg & Reis Co., LPA

(216) 739-5004

[email protected]

www.weltman.com

www.thatcreditunionblog.com

Page 119: ROR- Disaster Recovery- NAFCU 20120208

Better Yet – Call Dawn!!

Dawn Pagon, National Manager of Client Relations

Credit Union Practice Group

(216) 739-5021

[email protected]