SEC Risk Alert: Business Continuity and Disaster Recovery Planning

The SEC has issued a new Risk Alert stemming from its observations of the business continuity and disaster recovery planning practices of a number of investment advisers. The alert follows a National Examination Program (“NEP”) review of the plans of approximately 40 investment advisers following Hurricane Sandy. The SEC says the goal is to encourage investment advisers to review their business continuity and disaster recovery plans (“BCPs”) to improve responses and recovery times for threats that might disrupt market operations.

Certain weaknesses were observed that advisers would do well to heed, in the following areas:

  • Preparation for widespread disruption. Some advisers whose BCPs did not adequately address and anticipate widespread events experienced more interruptions in their key business operations and inconsistent communications with clients and employees.
  • Planning for alternative locations. Some advisers who switched to back-up sites or systems reported that the buildings where they usually conduct their business were closed for days. At least one adviser reported its building was closed for several weeks. Other problems included extended outages of power, phone systems, and internet service and lack of geographically diverse office operations.
  • Preparedness of key vendors. Some advisers failed to even evaluate the BCPs of their service providers or keep a list of vendors’ contact information. Some advisers did not acquire or critically review service providers’ Statement on Standards for Attestation Engagements No. 16 reports.
  • Telecommunications services and technology.  Some advisers failed to hire service providers to make sure back-up servers functioned properly, relying solely on self-maintenance, which led to more interruptions in their operations.
  • Communication plans. Poor planning, inconsistencies and weak deployment in how to contact employees during a crisis. Some plans did not identify which employees would execute and implement various parts of the BCP.
  • Reviewing and testing. Inadequate testing of operations and systems relative to the size and nature of advisory businesses. Some problems here stemmed from advisers’ failure to conduct certain critical tests because of costs and other disincentives.

The risk alert also encourages advisers to consider those best practices and lessons learned that were described in the Joint Review of Business Continuity and Disaster Recovery of Firms by the Commission’s National Examination Program, the Commodity Futures Trading Commission’s Division of Swap Dealers and Intermediary Oversight and the Financial Industry Regulatory Authority on August 16, 2013. They are available at http://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf

While the alert serves as a friendly reminder, the advice it covers should be reviewed and, where appropriate, implemented to avoid a potential enforcement action. The days of preparing a boilerplate disaster recovery handbook to be left to collect dust on an adviser’s bookshelf have long passed.