
FINRA Rule 4370 and Operational Resilience: What’s Required of Financial Services Firms

Operational resilience starts with a broader framework

Business continuity planning is essential for financial services firms.

That’s one reason FINRA Rule 4370, which originally appeared in 2004 as NASD Rules 3510 and 3520, is still so relevant today for operational resilience. The rule requires member firms to maintain a written business continuity plan tailored to their firm’s size, business model, and customer relationships, and reasonably designed to address emergencies or significant business disruptions.

That foundation matters.

But for many financial services firms today, it’s no longer enough.

Modern disruptions sprawl across multiple lanes. Cyber incidents can simultaneously trigger operational outages, communications issues, legal reviews, and third-party problems. A vendor failure can interrupt client service, delay internal decision-making, and expose dependencies that never appeared in the original continuity plan.

True operational resilience means that when disruption hits, your firm can continue operating, coordinate decisions, communicate clearly, protect sensitive information, manage third-party dependencies, and recover effectively.

And it means that those capabilities hold true whether the disruption comes from a cyber incident, technology outage, vendor failure, unauthorized access, or several of those events at once.

What FINRA Rule 4370 Gets Right About Operational Resilience

FINRA Rule 4370 gets an important principle right: continuity planning should be risk-based, practical, and specific to your firm.

Rather than prescribing a one-size-fits-all template, the rule requires member firms to create plans that are appropriate for helping them meet their unique customer obligations while also addressing existing broker-dealer relationships during a crisis.

That flexibility is one of the rule’s strengths.

It also gets the scope of continuity planning largely right, pushing firms to think through issues like:

  • Data backup and recovery
  • Mission-critical systems
  • Alternate communications
  • Alternate locations
  • Regulatory reporting
  • Customer access to funds and securities
  • Counterparty and business constituent impact
  • Financial and operational assessments

This way, when normal operations are interrupted, you’ll already have an understanding of what functions have to continue, who needs to stay connected, and what needs to happen first.

Continuity Plans Don’t Cover All Bases

Business continuity plans are a critical component of resilience, but they lack the rigor and context of a complete security framework.

Many of the disruptions financial services firms face now don’t fit neatly into a traditional continuity box.

A ransomware event may start as a cybersecurity incident, escalate into a business interruption, trigger legal and notification questions, involve outside forensic support, and expose dependence on key technology or managed-service providers.

Unauthorized access to customer information may require response and recovery actions even when the business is technically still operating.

Events like these affect client services and governance processes as much as they do operations.

They require more integration across multiple teams, from incident response to legal, compliance, and technology recovery.

Put simply: Rule 4370 helps you think about how to keep operating through disruption.

Modern resilience asks a larger question: Can your firm detect disruption early, coordinate effectively, protect critical data and services, communicate appropriately, and recover in a way that’s defensible to clients, regulators, and leadership?

What Modern Operational Resilience Frameworks Include

A stronger operational resilience framework for financial services firms should connect multiple disciplines that are often managed separately.

1. Governance and decision ownership

Firms need defined leadership roles, escalation paths, and backup decision-makers around:

  • Who declares an incident
  • Who activates continuity procedures
  • Who manages stakeholder communications
  • Who coordinates legal or compliance input

Clear decision-making ownership helps keep responses tight when every moment counts.

2. Incident response readiness

Because so many disruptions today start as cyber events, firms need to know:

  • How suspicious activity is detected
  • How incidents are triaged
  • When escalation is required
  • When outside support should be involved

You also need to know when a technical event ripples out to affect clients, counterparties, leadership, or customer information.

3. Continuity of critical operations

Firms need to know which systems, data, communications channels, and workflows are business-critical. This includes activities across reporting, approvals, and client services.

An operational resilience framework connects these to:

  • Recovery sequence
  • Restoration priorities
  • Workarounds
  • Leadership decision-making

4. Communications under pressure

Disruptions require skilled communications handling, with procedures for:

  • Internal updates
  • Executive reporting
  • Customer and stakeholder messaging
  • External communications to regulators, insurers, legal counsel, or third-party providers

In many cases, notification obligations are part of the resilience picture, too.

5. Third-party and vendor resilience

For many firms, operational resilience is inseparable from vendor resilience. In addition to day-to-day operations partners, other key providers could include infrastructure support, cybersecurity, cloud systems, and data storage.

That means resilience planning should account for:

  • Vendor escalation paths
  • Support expectations
  • Communications during disruption
  • Alternate processes
  • What happens if the provider itself is the source of the event

6. Testing proves readiness

Static plans don’t provide resilience. Firms should test:

  • Decision-making
  • Escalation paths
  • Communications workflows
  • Continuity assumptions
  • Vendor coordination

Plans should evolve as systems, people, vendors, and threats change.

Why the Broader Financial Services Context Matters

For broker-dealers, FINRA Rule 4370 remains a key requirement for continuity and operational resilience.

But resilience expectations now extend beyond a single rule or firm type. Financial services organizations increasingly face overlapping expectations around safeguarding customer information, vendor oversight, incident coordination, and operational readiness.

That broader picture matters for RIAs, broker-dealers, investment advisers, and other firms alike.

A firm may have a continuity plan that technically addresses disruption scenarios but still fall short if it has:

  • Weak incident coordination
  • Unclear notification responsibilities
  • Inadequate third-party preparedness
  • No practical bridge between security response and operational recovery

Questions to Ask About Your Firm’s Readiness

If your firm is reviewing its operational resilience posture, here are some questions worth asking now:

  • Is our current business continuity plan aligned to how we actually operate today?
  • Do we know which systems and business processes require the fastest restoration?
  • Are our incident response and continuity plans connected?
  • Are communications and notification responsibilities clearly assigned?
  • Have we validated our dependence on key vendors and service providers?
  • Have we tested leadership decision-making, not just technical recovery?

These are practical indicators of whether your firm can go from planning to execution when something goes wrong.

The Real Standard

FINRA Rule 4370 positions business continuity planning as a necessary foundation.

But operational resilience requires firms to connect continuity planning, incident response, communications, third-party readiness, recovery decision-making, and customer information obligations all together.

It requires coordinating people, systems, vendors, communications, and decision-making under pressure.

If your firm is evaluating its operational resilience framework, Coretelligent can help you think more broadly about the systems, dependencies, communications, and response capabilities that support real readiness.