FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires every FINRA member firm to create, maintain, annually review, and update upon any material change a written business continuity plan identifying the procedures the firm will follow in response to an emergency or significant business disruption. The purpose is that every broker-dealer has a documented and current plan for maintaining operations, protecting customer assets, and meeting its existing obligations to customers when normal operations are impaired by natural disasters, technology failures, cyberattacks, pandemics, power outages, or any other emergency that could prevent the firm from conducting business in the ordinary course. The rule text itself does not mandate testing the plan, but a plan that has never been exercised is difficult to defend as reasonably designed, and FINRA guidance consistently encourages regular testing.
Rule 4370 originated as NASD Rules 3510 and 3520, adopted in 2004 in the wake of the September 11, 2001 terrorist attacks, which showed that the securities industry could face simultaneous loss of physical infrastructure, communications systems, personnel availability, and market operations that no individual firm had planned for. The rule and FINRA's guidance on it have since been tested by Hurricane Katrina in 2005, Superstorm Sandy in 2012, the COVID-19 pandemic in 2020, and the growing cybersecurity threats that now represent the most significant business continuity risk facing member firms.
For every registered representative, compliance officer, and senior manager of a FINRA member firm — and for every candidate preparing for the Series 7 examination — understanding the foundational requirements of Rule 4370 is essential professional knowledge about the regulatory framework within which broker-dealers manage operational risk.
The foundational requirement of Rule 4370(a) is the written business continuity plan — a documented set of procedures that must be reasonably designed to enable the member firm to meet its existing obligations to customers in the event of an emergency or significant business disruption.
The reasonably designed standard — consistent with FINRA's principles-based approach to many of its supervisory and operational requirements — gives member firms the flexibility to design business continuity plans appropriate to their specific business models, operational structures, and risk profiles. A large carrying firm with hundreds of employees, multiple offices, complex technology infrastructure, and direct custody of billions of dollars in customer assets requires a far more comprehensive business continuity plan than a small introducing firm with a handful of registered representatives operating from a single office who rely entirely on a carrying firm for technology and custody functions.
The plan must be tailored to the firm's size and needs. A one-size-fits-all approach is not required and would not be appropriate given the diversity of FINRA member firm business models. However, every plan must address the enumerated minimum elements specified in Rule 4370 to the extent they are applicable and necessary to the firm's business. The minimum elements establish a baseline that every firm must consider, even if the specific procedures developed in response to each element differ substantially based on the firm's particular circumstances.
Rule 4370(c) specifies the minimum elements that every business continuity plan must address to the extent applicable and necessary: the areas of potential business disruption that FINRA has determined require specific procedural planning regardless of the firm's size or business model. The rule lists ten categories. In addition to those discussed below, it requires the plan to address alternate communications between the firm and its employees and communications with regulators. A firm that does not include one of the listed categories in its plan must document in the plan its rationale for omitting it.
Data back-up and recovery (hard copy and electronic) addresses how the firm will protect and restore its books and records in the event of a disruption affecting its primary data storage systems, including the frequency of back-up, the location of back-up systems relative to primary systems, the procedures for accessing back-up data, and the timeframe within which recovery is expected to be achievable. In the current threat environment this element is also the firm's principal ransomware defence: back-ups that remain reachable with the same credentials as production are routinely encrypted or deleted alongside it, so a plan that is reasonably designed will describe offline or immutable copies and a restore procedure that has actually been exercised, not merely a replication schedule.
All mission critical systems addresses the identification and protection of the technology systems, applications, and infrastructure that are essential to the firm's ability to conduct its business — including order management systems, trading platforms, customer account systems, compliance surveillance systems, and communications infrastructure. The plan must address how each mission critical system will be maintained or restored in the event of disruption — including the use of redundant systems, failover capabilities, and third-party recovery services.
Financial and operational assessments addresses the firm's procedures for assessing its financial condition and operational status in the aftermath of a significant business disruption — enabling management to make informed decisions about the firm's ability to continue operations and to identify the actions needed to restore full operational capability.
Alternate means of customer communication addresses how the firm will communicate with customers during a disruption — including alternate telephone numbers, alternate email addresses, website notices, and other communication channels that remain functional when normal communication infrastructure is impaired.
Alternate physical location of employees addresses the firm's procedures for relocating operations to alternate work sites when the primary office is unavailable — including the identification of alternate work locations, the technology and communications equipment available at those locations, and the procedures for activating alternate location operations.
Critical business constituent, bank, and counterparty impact addresses the firm's procedures for assessing and managing the impact of disruptions affecting the financial institutions, clearing firms, counterparties, and other business constituents on which the firm depends for its operations — ensuring that the firm can identify and respond to disruptions in its supply chain of financial services.
Regulatory reporting addresses the firm's procedures for continuing to meet its regulatory reporting obligations during a disruption — including FINRA reporting, SEC reporting, and other regulatory filings that must continue even when normal business operations are impaired.
Customer access to funds and securities addresses perhaps the most immediately important customer protection consideration in business continuity planning: how the firm will assure customers prompt access to their funds and securities in the event that the firm determines it is unable to continue its business, including any arrangements for transferring customer accounts to another firm.
Rule 4370(b) requires every member firm to review its business continuity plan at least annually to determine whether any changes are needed — and to update the plan more frequently whenever a material change occurs to the firm's operations, structure, business, or location.
The annual review requirement ensures that the business continuity plan remains a living, operational document rather than a static compliance artefact created once and never revisited. Business environments change — firms open new offices, adopt new technology systems, change their clearing arrangements, expand into new product areas, or experience significant personnel changes — any of which may require updates to the business continuity plan to ensure it remains accurate and effective.
The material change update requirement — in addition to the annual minimum — ensures that significant business changes are reflected in the plan promptly rather than waiting for the next scheduled annual review. A firm that relocates its primary office, changes its clearing firm, or implements a new order management system must update its business continuity plan to reflect these changes promptly — the annual review cycle alone is insufficient to maintain plan currency when material operational changes occur.
Under Rule 4370(d), a member of senior management, who must also be a registered principal, must be designated to approve the business continuity plan and is responsible for conducting the required annual review. This senior management designation ensures that business continuity planning is treated as a priority at the highest levels of the firm's leadership rather than being delegated entirely to operational or compliance staff without meaningful executive oversight.
Rule 4370(e) requires every member firm to disclose to its customers — in writing — how its business continuity plan addresses the possibility of a future significant business disruption and how the firm plans to respond to events of varying scope.
The customer disclosure requirement reflects the fundamental investor protection principle that customers should know how their broker-dealer will protect their interests and maintain access to their accounts during a disruption. A customer who understands that their firm has a documented business continuity plan with specific procedures for maintaining customer access to funds and securities is better positioned to make informed decisions about their financial relationship with that firm.
At a minimum, the disclosure must be made in writing to customers at account opening, so that new customers receive the information before establishing a relationship with the firm; posted on the firm's website, if the firm maintains one; and mailed to customers upon request. The disclosure does not require the firm to publish its complete business continuity plan, which may contain operationally sensitive information (alternate site addresses, system architecture, vendor dependencies) that could compromise the plan's effectiveness if widely known. It requires a meaningful summary that gives customers a genuine understanding of the firm's continuity capabilities and response procedures.
Disclosure statements must be updated when changes to the firm's business continuity plan materially change the firm's planned response to a significant business disruption — the disclosure must remain accurate and current rather than reflecting outdated procedures.
Rule 4370(f) requires every member firm to provide FINRA with prescribed emergency contact information — specifically the names and contact details of two emergency contact persons whom FINRA may contact in the event of a significant business disruption affecting the firm or the markets more broadly.
The two emergency contacts are designated through the FINRA Contact System (FCS), the electronic database through which FINRA maintains contact information for all member firms. Both must be associated persons of the firm. At least one must be a member of senior management and a registered principal; if the second contact is not a registered principal, that person must be a member of senior management who has knowledge of the firm's business operations. The intent is that the individuals FINRA can reach during an emergency have the authority and knowledge to make operational decisions and provide accurate information about the firm's status.
Emergency contact information must be updated promptly following any material change — and firms must review and if necessary update their emergency contact designations within seventeen business days after the end of each calendar year. This annual verification requirement ensures that the emergency contact information in FINRA's systems remains current even when no material changes have occurred — preventing the accumulation of outdated contact information that could impair FINRA's ability to reach member firms during a crisis.
The COVID-19 pandemic of 2020 represented the most comprehensive real-world test of the securities industry's business continuity planning since the September 11 attacks — and provided a valuable demonstration of both the effectiveness of Rule 4370's framework and the areas where additional planning was needed.
The rapid transition to remote work arrangements — necessitated by government-mandated office closures and social distancing requirements — required member firms to activate the alternate work site provisions of their business continuity plans on a scale and duration that few firms had specifically planned for. Technology infrastructure designed to support a fraction of the firm's workforce in remote work was suddenly required to support the entire workforce — exposing capacity and security vulnerabilities that many plans had not adequately addressed.
FINRA issued guidance during the pandemic — including Regulatory Notice 20-08 — providing flexibility in the application of certain regulatory requirements while maintaining the core investor protection standards that could not be compromised regardless of operational challenges. The pandemic experience led many firms to substantially revise their business continuity plans to address pandemic-specific scenarios and long-term remote work capabilities that had not previously been planning priorities.
The most significant current application of Rule 4370's business continuity framework is the management of cybersecurity risk — the risk that malicious actors will compromise the firm's technology systems through ransomware attacks, data breaches, distributed denial of service attacks, or other cyber intrusions that impair the firm's ability to conduct its business.
FINRA's Annual Regulatory Oversight Reports, including the 2026 report, consistently identify cybersecurity and cyber-enabled fraud as among the highest priority regulatory concerns for member firms, noting that the frequency, sophistication, and financial impact of cyberattacks affecting broker-dealers have increased substantially in recent years. Rule 4370 does not name cyber incidents as a separate element, but a ransomware or intrusion event that takes mission critical systems offline is a significant business disruption in every practical sense, so a plan that does not cover detecting and containing an intrusion, restoring compromised systems from known-good back-ups, communicating with customers and regulators, and preventing recurrence is unlikely to satisfy the reasonably designed standard.
The written supervisory procedures required by FINRA Rule 3110 must be reasonably designed to achieve compliance with applicable FINRA rules, and that includes Rule 4370. The development, maintenance, testing, and annual review of the business continuity plan should therefore be subject to documented supervisory oversight rather than treated as a purely operational function divorced from the firm's compliance framework.
FINRA Rule 4370 is tested on the Series 7 examination in the context of operational risk management, customer protection, and the regulatory requirements applicable to member firm business continuity planning.
The key points to retain are these.
FINRA Rule 4370 — Business Continuity Plans and Emergency Contact Information — requires every member firm to create, maintain, annually review, and update upon material change a written business continuity plan with procedures reasonably designed to enable the firm to meet its existing obligations to customers during an emergency or significant business disruption. The plan must be tailored to the firm's size and business — addressing the specified minimum elements to the extent applicable including data back-up and recovery, mission critical systems, alternate customer communication, alternate work locations, customer access to funds and securities, and regulatory reporting continuity.
A designated member of senior management who is a registered principal must approve the plan and conduct the required annual review. The plan must be updated more frequently than annually whenever a material change occurs to the firm's operations, structure, business, or location. Customer disclosure of how the business continuity plan addresses significant disruptions must be provided in writing at account opening, posted on the firm's website if it maintains one, and mailed to customers on request; the disclosure summarises the plan without requiring full publication. Two emergency contacts must be designated through the FINRA Contact System, updated promptly upon material change and verified within seventeen business days after year-end. At least one emergency contact must be a member of senior management and a registered principal, and a second contact who is not a registered principal must be a senior manager with knowledge of the firm's business operations, so that FINRA can reach decision-makers during a crisis affecting the firm or the markets.