The country is on edge after recent warnings that terrorists are planning an attack against financial services firms before the November elections, and many experts say the financial services industry, including mutual fund companies, is ill prepared to prevent another attack.
"Starting 18 months ago, we've started to see signs of complacency creeping back in, even in places like lower Manhattan, where senior executives just don't think the threat is all that real anymore," said Dan Verton, a former Marine Corps intelligence officer and author of Black Ice, a book on the terrorism threat to financial institutions that has been used by the Department of Homeland Security. "They think that 9/11 was The Big One,' and that nothing can top that. If this latest warning hasn't erased that doubt, the only thing that probably will is if they succeed in an attack."
The warning was the most specific to date and was issued a little over a week ago by Department of Homeland Security Secretary Tom Ridge. Ridge elevated the country's color-coded warning level to orange, the second-highest mark behind red, for financial-service districts in Manhattan, Washington and Newark, N.J. Specific targets included the Citigroup tower and New York Stock Exchange in New York, Prudential Financial's headquarters in Newark, N.J., and the International Monetary Fund and World Bank in Washington.
However, news reports indicate the number of buildings under surveillance by Al Qaida and terrorist operatives is much greater. Citing intelligence and police department sources, several daily newspapers reported that information seized from a laptop taken from an operative captured in Pakistan contained detailed information and surveillance footage of up to 10 buildings in New York, including the American Stock Exchange and Nasdaq headquarters, as well as the Bank of America building in San Francisco.
In response to the threat, Prudential, which has about 1,000 employees working in the targeted building, has added security and law enforcement officials, tighter screening procedures and safety barricades, a spokesman said. These are in addition to other measures both at that building and throughout all of its locations, housing a total of 60,000 employees, he said.
Firms in the target and surrounding areas, as well as in other parts of the country, said they are beefing up security measures, but few could offer details. Some security experts say that's because firms are not getting enough direction from Ridge's department. "The Department of Homeland Security hasn't done the best job at translating the color-coded system into practical steps in the private sector," Verton said.
Besides implementing an electronic system to track who enters and leaves the buildings and also keeping tabs on what sensitive data makes its way outside of company property, firms can do a number of inexpensive things to make information less readily available to terrorists.
"Every company needs to make a detailed scrub of their public-facing Web site for sensitive information that would enable Al Qaida to target them," Verton said. "There have been cases where large office complexes in lower Manhattan have posted the load-bearing capacity of the elevators on their public Web site. They have posted charts and diagrams of the entire air conditioning and ventilation system. There's no business case for any of that information to be there, but yet it was there and would be the perfect force multiplier for a group like Al Qaida."
He also said that there have been reports of firms posting on the Web the number of workers at specific facilities, the floors they occupy and maps of underground parking garages--and that all of the laptop computers seized from suspects included information taken off of public Web sites. "To give it to the world is to give ammunition to the enemy," Verton said.
Verton suggested firms may consider a telecommuting policy during heightened states of alert so that only a certain percentage of a firm's workforce is at risk at any given time. "It would enable you to recover more quickly in the event of an attack because all of your key people would not be in the target zone at one time."
Steven Kuhr, the chief operating officer at Criterion Strategies, an emergency management firm in New York, said firms need a comprehensive three-pronged plan that incorporates risk assessment analysis, safety and emergency operations programming and business continuation. A former deputy commissioner in the New York City Office of Emergency Management, Kuhr also advocates requiring two forms of identification when entering the workplace during a period of high threat. He also says all employees should serve as security officers and undergo a one-hour training course.
"From a crisis management perspective, we recommend that every employee have an evacuation kit," which can either be purchased commercially or constructed for under $30. Each kit should contain a bottle of water, some energy bars, a comfortable pair of shoes, a flashlight with extra batteries, a whistle in case individuals are trapped in an elevator, a Metrocard, a couple hundred dollars in cash and a first-aid kit including a few-day's supply of personal medication. A small filter mask in case of a fire, a pair of goggles, a transistor radio to receive emergency news reports and a Swiss Army knife should also be included.
Chick Neubauer, a principal in Gage-Babcock, a security firm that reinforces and analyzes structural integrity and assures fire safety, said a vulnerability assessment can cost a firm between $50,000 and $200,000 depending on its number of locations. Gage-Babcock's clients include the White House and the U.S. Capitol building, among several other high-profile locations.
Firms need to know how much protection their spending will buy. "If a firm doesn't want to spend $5 million [but] $1 million, its management needs to know what $1 million will buy them, but they also need to know what could happen and determine whether or not they can live with the possible outcomes. It's a business decision."
Michael W. Robinson, a partner at Levick Strategic Communications in Washington and the former director of public affairs and policy at the Securities and Exchange Commission, said that there are many things firms can do to lessen the effects of an attack. It is key for local managers at various locations to have the authority to make lifesaving decisions, Robinson said. "Fidelity in Boston, for example, has several buildings. So what may work in Building 1 may not work in Building 5," he said. "The people in Building 5 need to have direction from other people [who] are right there. People are going to have to make split-second decisions."