On August 27, 2013, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued a National Exam Program Risk Alert (the “Risk Alert”)1 regarding investment advisers’ business continuity and disaster recovery planning.2 The Risk Alert complements the issuance of a joint advisory issued by the SEC, the Commodity Futures Trading Commission and the Financial Industry Regulatory Authority, which focuses on “best practices and lessons learned” following the wide disruption to the markets caused by Hurricane Sandy in October 2012 (the “Joint Notice”).3
The observations presented in the Joint Notice are based on communications the SEC, the CFTC and FINRA have had with leading market participants regarding how those firms executed their business continuity and disaster recovery plans (collectively, “BCPs”) in the aftermath of Hurricane Sandy. The Risk Alert discusses corresponding observations of certain practices and weaknesses, and lessons learned, by the SEC’s National Examination Program staff in its review of the BCPs of approximately 40 investment advisers located in areas impacted by the storm.
The following is a list of some of the major topics that the Joint Notice encourages firms to consider in evaluating their BCPs, together with related recommendations included in the Risk Alert:
Widespread Disruption Considerations
Risk Alert recommendation: Advisers should develop policies and procedures for their BCPs to address and anticipate widespread events, including interruptions in key business operations and loss of key personnel over extended periods.
Alternative Locations Considerations
Risk Alert recommendation: Advisers should consider how they might operate in possible electrical failures and the loss of other utility (including internet connectivity) services, as well as the possibility of establishing a back-up office location or other sites in different areas — i.e., away from the coast, if that is where an adviser is located, or in areas that may not be affected by the same utility outages as an adviser’s main office.
Vendor Relationship Considerations
Risk Alert recommendation: Advisers should consider reviewing the IT infrastructure of their service providers, and in particular whether, based on risk, the adviser should have multiple back-up servers. Advisers should also consider how their operations might be affected if their (or a service provider’s) facilities are impacted by weather-related events.
Telecommunications Services and Technology Considerations
Risk Alert recommendation: Advisers should consider having alternate internet providers or obtaining guaranteed redundancy from their internet providers, and should consider the failure of any key suppliers to diversify their own internet connectivity as a risk. Advisers are also urged to consider whether it is prudent to maintain back-up files and systems in the adviser’s primary office location.
Communication Plans Considerations
Risk Alert recommendation: Advisers should consider contacting their clients before a major storm to see if they have any transactions (cash raised, funds transferred, wire instructions executed, etc.) that will need to be executed if an extended outage occurs.
Regulatory and Compliance Considerations
Risk Alert recommendation: In addition to considering any BCP updates that may be necessary to reflect new regulatory requirements, advisers are also urged to consider updates necessary to address any time-sensitive regulatory requirements, since the timing of a crisis event can be unpredictable in nature.
Review and Testing Considerations
Risk Alert recommendation: Advisers should consider testing the operability of all of their critical systems covered by their BCPs, under various different scenarios, in an effort to seek to address any critical weaknesses and to seek to improve the familiarity of their personnel with key systems while acting pursuant to a BCP.
Although the Joint Notice is a compilation of best practices and lessons learned in the aftermath of Hurricane Sandy, it is important to note that the Risk Alert also describes a number of weaknesses noted by the SEC’s National Examination Program staff in its BCP reviews. These include, for example, that some advisers’ BCPs did not adequately plan for situations in which certain key members of an adviser’s personnel were unable to work from home or other remote locations. Other advisers failed to evaluate their service providers’ respective BCPs, or even to maintain updated contact information for their service providers. Many of the recommendations contained in the Risk Alert, and referenced above, are responsive to specific weaknesses noted by the staff. As a result, it is possible that any future scrutiny by the SEC of advisers’ BCPs (in the context of a routine examination, or otherwise) will include a focus on the sorts of issues identified in the Risk Alert.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:Kroll-Amy
2Rule 206(4)-7 under the Investment Advisers Act of 1940, as amended (the “Advisers Act”) requires investment advisers that are registered as such with the SEC to adopt and implement written compliance policies and procedures. These policies and procedures typically include business continuity and disaster recovery plans, in light of the SEC’s position that an investment adviser’s “fiduciary obligation to its clients includes taking steps to protect the clients’ interests from risks resulting from the adviser’s inability to provide advisory services after, for example, a natural disaster.” See the Risk Alert and Final Rule: Compliance Programs of Investment Companies and Investment Advisers, Advisers Act Release No. 2204 (December 17, 2003), available at http://www.sec.gov/rules/final/ia-2204.htm.
3Joint Review of Business Continuity and Disaster Recovery of Firms by the SEC’s National Examination Program, the CFTC’s Division of Swap Dealers and Intermediary Oversight and FINRA on August 16, 2013, available at http://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf.