SEC Issues BCP Risk Alert

Under Rule 206(4)-7 of the Investment Advisers Act of 1940, registered investment advisers (RIAs) are required to develop and employ written policies and procedures—such as business continuity plans (BCPs)—that are reasonably designed to address the adviser’s fiduciary responsibilities. Under Rule 204-2(g), advisers must maintain books and records, including electronic storage media, “so as to reasonably safeguard them from loss, alteration or destruction.”

Hurricane Sandy caused immense damage to the Northeast coastline and closed U.S. equity markets on October 29 and 30, 2012. Following the superstorm, the Securities and Exchange Commission (SEC)’s National Examination Program (NEP) reviewed roughly 40 advisers’ business continuity and disaster-recovery plans. The risk alert follows a previous advisory (See “Plan for the Worst, Regulators Advise“), was issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE), and contains staff observations of these plans, including noted weaknesses and possible future considerations.

“Our staff examined approximately 40 advisers in the aftermath of Hurricane Sandy to assess their preparedness for and reaction to the storm,” said OCIE Director Andrew Bowden. “We hope our observations in this risk alert … will help industry participants better prepare for future events that threaten to disrupt market operations.” 

 The risk alert covered these areas of concern, and provided the following points of advice and potential future action:

• Widespread disruption considerations: Advisers should develop BCPs that specifically address all business functions that may be threatened by disasters such as Hurricane Sandy and distribute the plans throughout their operations;
• Alternative locations considerations: Advisers should plan for possible electrical or other utility service failures and possibly maintain critical business functions at geographically diverse office locations;
• Vendor relationship considerations: Advisers should review the BCPs and evaluate the information technology (IT) infrastructure of their service providers and consider the use of multiple back-up servers;
• Telecommunications services and technology considerations: Advisers should make use of technology—such as offsite programs and internet-based access portals—that enables employees to work remotely, and either obtain guaranteed redundancy from their internet provider or have alternative providers available;
• Communications plans considerations: Advisers should plan to contact employees and clients before, during and after a major storm to communicate the status of the firm’s operations and back-up locations, as well as to learn whether clients have any transactions that would need to be executed in the event of an outage;
• Regulatory and compliance considerations: Advisers should update their BCPs to include new regulatory requirements, keeping in mind time-sensitive regulatory developments; and
• Review and testing considerations: Advisers should conduct regular—at least annual—tests of all critical systems in their BCPs under multiple scenarios.