Statement of Business Resiliency

Continued service to our customers is the main tenet of Fidelity's business continuity management program. Priority is given to critical activities that include, but are not limited to, trading, account maintenance, and customer service. Business Continuity, Resiliency Planning & Testing are integrated to deliver customer service with minimal disruption. Fidelity implements the measures described below as part of our overall continuity plan to ensure that critical services are maintained for our customers.

Resiliency Program

Fidelity uses resiliency model that includes architecting the environment with the ability to absorb shocks in the technologies being used. Our primary goal is to mitigate all failure points internally that would require us to activate contingency plans. Due to the critical nature of our processing, Fidelity’s core systems, applications, and network infrastructure are designed with the objective of eliminating single points of failure. In addition, we have an oversight function, Enterprise Business Resiliency (EBR) as the second line of defense monitoring the Resiliency Program at Fidelity. EBR includes Business Continuity and Technology Resiliency and Recovery team’s providing Business Recovery and Resiliency standards and compliance tracking. We apply our resiliency compliance standards across the Fidelity ecosystem, and as required with partners, and vendors.

Mainframe systems are in two redundant Fidelity-owned data centers, and distributed platforms are spread within two redundant data centers, across the United States. In addition, our applications in the Cloud utilize multi region zones and multiple geo physical locations provided by our Cloud providers.

  • The data centers are equipped with redundant power and cooling systems, high-speed network connectivity, and 24/7 on-site monitoring and maintenance.
  • In the event of a hardware or application failure, the redundant node within these centers will assume processing capabilities of the failed node. Regional failure will result in switching to the alternate region.
  • Fidelity uses multiple application replication techniques, advanced storage, and database replication technology to ensure continuous availability of storage and data resources to our systems.

Fidelity’s online services rely on a distributed, redundant infrastructure and are architected to be available 24/7 apart from scheduled weekly and monthly maintenance windows. Design consideration is given to every system component so that each is highly available. The software is designed with resiliency in mind an example, active/active applications and deployed to take advantage of the resilient infrastructure.

Our distributed consumer platforms are spread across redundant data centers, and redundancy is provided within and across sites. In the event of an outage, consumer application traffic is routed away from the impacted region and the remaining sites handle full production loads. This feature is exercised monthly, consistent with our software and infrastructure resiliency standards.

In the event of a complete site failure, traffic is redirected to the alternate region/zone using application and network load balancing technologies. Fidelity maintains a fault-tolerant, high-speed network:

  • The availability and utilization of Fidelity’s proprietary network is monitored 24/7/365, and we respond to changes in usage and business requirements.
  • Our network capacity model provides adequate bandwidth, even in contingency situations.
  • Our network is designed to be fully redundant. Components such as switches, routers, and load balancers have redundancy to mitigate single points of failure.
  • We use redundant Internet Service Providers to mitigate potential provider network issues.

Fidelity executes multiple exercises throughout each calendar year. Fidelity’s business processes, critical infrastructure, application and data environments are exercised based on defined criticality and in accordance with our Resiliency standards.

Business Continuity

Fidelity’s business continuity management program focuses on maintaining and recovering critical business processes that enable uninterrupted service to customers.

  • A Business Impact Analysis (BIA) is conducted annually to determine the criticality of business processes.
  • Risk assessments are conducted to identify threats requiring mitigation, and recovery plans are adjusted accordingly.
  • Customer-facing business processes operate in at least two geographically diverse locations that are fully equipped and staffed. For example, Fidelity hosts several call centers, which are distributed across the United States.
  • Back-office operations operate in multiple locations and/or have capability to work remotely and/or move work.
  • Business recovery exercises are required at least annually. Recovery strategies of critical processes are required semiannually. Quarterly Emergency Notification System tests are performed to assess the ability to contact key managers and associates. Recovery exercises consist of performing critical process activities and validating the operating status of working remotely, application accessibility, data accessibility, and business processing capability.
  • Third-party suppliers are subject to contract provisions requiring information security and business continuity capabilities consistent with service expectations. Critical suppliers are subjected to periodic risk-based assessments, with additional actions taken as needed to ensure the resiliency of our supply chains.

In support of the business continuity programs each Fidelity business unit is required to exercise recovery of critical functions at least annually. This includes, but is not limited to, employee notification validation, event management education and training, functional recovery exercises, and tabletop exercises.

Our continuity planning teams work closely with local governments and officials in the event of an outage impacting our operations. Additionally, NFS has identified three large-scale scenarios that require particular focus: pandemics, events impacting market operations, and cyber events. Detailed response plans have been developed, and cross- disciplinary teams have been trained to address disruptions as well as these specific events.

Each Fidelity business unit has developed the capabilities to recover both operations and systems. All continuity plans are designed to account for disruptions of various lengths and scopes, and to ensure that critical functions are recovered to meet their business objectives. Dedicated teams within our technology organizations ensure that critical applications and data have sufficient redundancy and availability to minimize the impact of an event. Key components of NFS’s business continuity plan include:

  • Alternate physical locations and preparedness
  • Alternative means to communicate with our customers and employees
  • Strategies to address loss or impact to technology/applications

Fidelity is focused on addressing the potential risks associated with a contagious illness outbreak, including the impact on our employees, our customers, and continuity of operations. A firm-wide, cross-disciplinary team maintains a comprehensive, globally integrated strategy designed to prepare Fidelity Investments to respond effectively to a contagious illness. We are also in close contact with industry and health experts and closely monitor information provided by the Centers for Disease Control and Prevention and the World Health Organization.

To obtain a copy of this notice at any time, contact a Fidelity representative.

Our approach centers around augmentation of our existing continuity program, which focuses on a variety of continuity solutions for process, system, and infrastructure outages, as well as reduced staffing scenarios.

Specific alternate work methods contemplated for a contagious illness scenario include, but are not limited to:

Telecommuting

  • Geographic diversification of critical functions
  • Extended and flexible operating hours
  • Regional work sharing

Because contagious illness scenarios can vary widely, our continuity teams work closely with management to implement any strategy and take necessary steps to maintain business operations based on consultation with our enterprise teams and external resources.

Fidelity's Enterprise Business Resiliency program has been certified ISO 22301 compliant by BSI Americas.

This certification process requires regular program auditing by BSI Americas and, in addition to regular reviews by regulatory agencies and Corporate Audit, demonstrates the rigorous review of our resiliency program.