LawFlash

SEC Issues Guidance on Investment Advisers’ Business Continuity Plans

September 11, 2013

On August 27, 2013, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued a National Exam Program Risk Alert (the “Risk Alert”)1 regarding investment advisers’ business continuity and disaster recovery planning.2 The Risk Alert complements a joint advisory issued by the SEC, the Commodity Futures Trading Commission and the Financial Industry Regulatory Authority, which focuses on “best practices and lessons learned” following the wide disruption to the markets caused by Hurricane Sandy in October 2012 (the “Joint Notice”).3

The observations presented in the Joint Notice are based on communications the SEC, the CFTC and FINRA have had with leading market participants regarding how those firms executed their business continuity and disaster recovery plans (collectively, “BCPs”) in the aftermath of Hurricane Sandy. The Risk Alert discusses corresponding observations of certain practices and weaknesses, and lessons learned, by the SEC’s National Examination Program staff in its review of the BCPs of approximately 40 investment advisers located in areas impacted by the storm.

The following is a list of some of the major topics that the Joint Notice encourages firms to consider in evaluating their BCPs, together with related recommendations included in the Risk Alert:

Widespread Disruption Considerations

  • The possibility of a widespread lack of critical utilities (i.e., telecom, transportation, electricity), office space, fuel and water, with consideration of redundancy services and the proximity of vendors for these services to the area affected by a potential BCP event.
  • The extent to which a BCP is dependent on remote access and services necessary for employees to work remotely during a crisis event; because remote access relies heavily on fully functional telephone and internet service, alternatives that do not require fully functional telecommunications systems for key control functions such as compliance, risk management, back office operations, and financial and regulatory reporting should also be evaluated.

Risk Alert recommendation: Advisers should develop policies and procedures for their BCPs to address and anticipate widespread events, including interruptions in key business operations and loss of key personnel over extended periods.

Alternative Locations Considerations

  • Whether primary sites and alternative locations such as back-up data centers and operations sites rely on the same critical utility services, and whether alternative locations should be located in a different geographic area.
  • The accessibility of and staff’s familiarity with alternative locations, and the ability of staff to travel to such locations when transit and lodging options may be impacted.
  • The appropriate number of staff and amount of space at alternative locations necessary to perform critical activities, such as risk functions, control functions, finance and treasury activities, and the appointment of designated supervisors of BCP functions.
  • The adequacy of operational and logistical requirements (for example, backup generator capacity) to supply critical functions and users.
  • The availability of BCPs, contact lists and other necessary documents, procedures and manuals at alternative locations, ideally in paper form, in the event that electronic files cannot be accessed.
  • The ability to pre-arrange reserved space at remote locations, including hotels, and transit for key personnel as well as whether to move critical staff in advance of a significant BCP event.

Risk Alert recommendation: Advisers should consider how they might operate in possible electrical failures and the loss of other utility (including internet connectivity) services, as well as the possibility of establishing a back-up office location or other sites in different areas — i.e., away from the coast, if that is where an adviser is located, or in areas that may not be affected by the same utility outages as an adviser’s main office.

Vendor Relationship Considerations

  • Whether vendors that provide critical services or supplies (for example, clearance and settlement, banking and finance, trading support, fuel, telecommunications, electricity and other utilities) have their own BCPs and whether those BCPs are adequate.

Risk Alert recommendation: Advisers should consider reviewing the IT infrastructure of their service providers, and in particular whether, based on risk, the adviser should have multiple back-up servers. Advisers should also consider how their operations might be affected if their (or a service provider’s) facilities are impacted by weather-related events.

Telecommunications Services and Technology Considerations

  • The adequacy of relying on a single telecommunications service provider, and the possible need to contract with multiple telecommunications carriers to provide a failover to a different carrier if necessary, to maintain fax, voice mail, and landline and VoIP services.
  • Whether there are mechanisms for and processes to provide customers, trading counterparties, and regulators with updated contact information if alternate telephone lines must be used.

Risk Alert recommendation: Advisers should consider having alternate internet providers or obtaining guaranteed redundancy from their internet providers, and should consider the failure of any key suppliers to diversify their own internet connectivity as a risk. Advisers are also urged to consider whether it is prudent to maintain back-up files and systems in the adviser’s primary office location.

Communication Plans Considerations

  • Providing trading counterparties and clients with contact information, and keeping the firm’s website updated to include operational status and general contact information.
  • Establishing relationships with multiple broker-dealers to facilitate alternative market entry points.
  • Implementing a communication plan that allows firms to better communicate and coordinate with regulators, emergency officials (and other firms), with a focus on reducing the likelihood of inconsistent communications.
  • Establishing a centralized process for accounting for all firm staff members, and frequently updating emergency contact lists with relevant firm staff members.
  • Adopting diverse methods of communication with staff, particularly critical staff, including providing them with multiple communications devices on multiple carriers, if necessary.

Risk Alert recommendation: Advisers should consider contacting their clients before a major storm to see if they have any transactions (cash raised, funds transferred, wire instructions executed, etc.) that will need to be executed if an extended outage occurs.

Regulatory and Compliance Considerations

  • Remaining aware of time-sensitive regulatory requirements that coincide with a potential BCP event.
  • Updating BCPs to include new regulatory requirements.

Risk Alert recommendation: In addition to considering any BCP updates that may be necessary to reflect new regulatory requirements, advisers are also urged to consider updates necessary to address any time-sensitive regulatory requirements, since the timing of a crisis event can be unpredictable in nature.

Review and Testing Considerations

  • Conducting full BCP tests, at least annually, but more frequently if changes to the BCP or to the business are made.
  • Conducting annual or more frequent BCP training to familiarize all personnel with the BCP and any critical roles they have been pre-assigned in carrying out the BCP.
  • Incorporating stress tests into the firms’ BCPs (for example, performing a stress test on the firm’s liquidity position and reviewing the level of excess customer reserves, to be better prepared to adjust liquidity or excess reserves prior to an event).

Risk Alert recommendation: Advisers should consider testing the operability of all of their critical systems covered by their BCPs, under various scenarios, in an effort to address any critical weaknesses and to improve the familiarity of their personnel with key systems while acting pursuant to a BCP.

Although the Joint Notice is a compilation of best practices and lessons learned in the aftermath of Hurricane Sandy, it is important to note that the Risk Alert also describes a number of weaknesses noted by the SEC’s National Examination Program staff in its BCP reviews. These include, for example, that some advisers’ BCPs did not adequately plan for situations in which certain key members of an adviser’s personnel were unable to work from home or other remote locations. Other advisers failed to evaluate their service providers’ respective BCPs, or even to maintain updated contact information for their service providers. Many of the recommendations contained in the Risk Alert, and referenced above, are responsive to specific weaknesses noted by the staff. As a result, it is possible that any future scrutiny by the SEC of advisers’ BCPs (in the context of a routine examination, or otherwise) will include a focus on the sorts of issues identified in the Risk Alert.

 

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Kroll-Amy
Weissmann-Michael
Joseph-Roger
Burke-Timothy
Eisenbiegler-Frederick

1. http://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf.

2. Rule 206(4)-7 under the Investment Advisers Act of 1940, as amended (the “Advisers Act”) requires investment advisers that are registered as such with the SEC to adopt and implement written compliance policies and procedures. These policies and procedures typically include business continuity and disaster recovery plans, in light of the SEC’s position that an investment adviser’s “fiduciary obligation to its clients includes taking steps to protect the clients’ interests from risks resulting from the adviser’s inability to provide advisory services after, for example, a natural disaster.” See the Risk Alert and Final Rule: Compliance Programs of Investment Companies and Investment Advisers, Advisers Act Release No. 2204 (December 17, 2003), available at http://www.sec.gov/rules/final/ia-2204.htm.

3. Joint Review of Business Continuity and Disaster Recovery of Firms by the SEC’s National Examination Program, the CFTC’s Division of Swap Dealers and Intermediary Oversight and FINRA on August 16, 2013, available at http://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf.

This article was originally published by Bingham McCutchen LLP.