5-10 years ago, when I was consulting in this area of infrastructure, the best practice was to have remote replication distant enough to be on a separate power grid -- and for my customers in earthquake-susceptible areas, distant enough to be on a separate tectonic plate, as well.
At the time, there were no specific business continuity standards requiring compliance. As I have been out of this part of the industry for some years, I do not know if standards were developed. More recently I have been involved in U.S. regulatory compliance considerations, and to the best of my knowledge there are no specific remote replication standards to be met in the regulatory acts I've dealt with since 2002. This list includes both general-use and industry-specific federal regulations over data management such as ITAR, Sarbanes-Oxley, TREAD, and HIPAA.
The remote replication technologies I had expertise in were usually configured with private point-to-point telecom connections; alternatively, we could allow customers to implement a dedicated single-purpose VPN. The latter is not as secure as a private connection for data replication, of course, but by limiting it to a single purpose the possible attack vectors are significantly easier to control.
EDIT: I should point out that one method for managing data latency with remote replication, if done continuously, is to have two tiers: a relatively local facility -- typically on-campus but off-site -- for synchronous updates; and a second tier at a distance, which is replicated from the first tier asynchronously.