Business Continuity Planning & Disaster Recovery Software and Services
Strohl Systems Plan. Practice. Prevail.
  Education: Regulations & Standards

Business continuity planning (BCP) is a necessity for organizations that wish to remain in operation following a major disaster or business disruption. But aside from being essential, in many instances, it is the law.

BCP is becoming increasingly regulated in many industries. Financial services, healthcare and government agencies are facing new laws that require organizations to conduct a comprehensive planning program. Additionally, laws such as the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act affect organizations across industry boundaries. These laws (and in some cases, government guidance) set minimum requirements, outline penalties for non-compliance and provide access to planning resources.

With increased regulation, standards-setting organizations are issuing new guidelines on best practices in contingency planning. These national and international organizations provide best practices, standards and guidance. Below are brief outlines of the regulations, government guidance and standards that affect businesses as a whole, as well as those that require continuity planning in specific industries. *

All
Sarbanes-Oxley Act of 2002
The Foreign Corrupt Practices Act
Emergency Planning and Community Right-to-Know Act of 1986
NFPA 1600 (Standard)
ISO 17799; British Standard 7799 (Standard)
British Standards Institute Publicly Available Specification 56
UK Civil Contingencies Bill
9/11 Commission Final Report

Financial and Banking
The New Basel Capital Accord
NASD Rules 3510 and 3520
New York Stock Exchange (NYSE) Rule 446
FFIEC BCP Handbook
NCUA Letter To Credit Unions
Financial Modernization Act of 1999
Interagency White Paper on Sound Practices to Strengthen the Resilience of the US Financial System
Expedited Funds Availability Act
Various OCC Comptroller’s Handbooks
Financial Services and Market Act

Food and Pharmaceutical
FDA Code of Federal Regulations, Title XXI

Government
Presidential Decision Directive 67
Presidential Decision Directive 63
Executive Order 12656
Office of Management and Budget (OMB) Circular A-130
NIST’s Contingency Planning Guide for Information Technology Systems (Standard)
Federal Information Security Management Act of 2002

Healthcare
Health Insurance Portability and Accountability Act

Service Organizations
Statement on Auditing Standards (SAS) 70 audit reports (Standard)

Telecommunications
Telecommunications Act of 1996
Executive Order 12472

Utilities
State Public Utilities Codes
North American Electric Reliability Council - Standard 1200 (Standard)
Federal Energy Regulatory Commission RM01-12-000

* This information is not intended to provide any legal guidance or advice on the regulations, only to provide a brief summary of each. Additionally, many states have laws for industry sectors that may also have to be considered.

 

 
2008 Strohl Systems Group, Inc. All rights reserved