SEC Risk Alert: Business Continuity and Disaster Recovery Planning

The SEC has issued a new Risk Alert stemming from its observations of the business continuity and disaster recovery planning practices of a number of investment advisers.  The alert follows a National Examination Program (“NEP”) review of the plans of approximately 40 investment advisers following Hurricane Sandy.  The SEC says the goal is to encourage investment advisers to review their business continuity and disaster recovery plans (“BCPs”) to improve responses and recovery times for threats that might disrupt market operations.

Certain weaknesses were observed that advisers would do well to heed, including in the following areas:

  • Preparation for widespread disruption. Some advisers whose BCPs did not adequately address and anticipate widespread events experienced more interruptions in their key business operations and inconsistent communications with clients and employees.
  • Planning for alternative locations.  Some advisers who switched to back-up sites or systems reported that the buildings where they usually conduct their business were closed for days.  At least one adviser reported its building was closed for several weeks.  Other problems included extended outages of power, phone systems, and internet service and lack of geographically diverse office operations.
  • Preparedness of key vendors.  Some advisers failed to even evaluate the BCPs of their service providers or keep a list of vendors’ contact information.  Some advisers did not acquire or critically review service providers’ Statement on Standards for Attestation Engagements No. 16 reports.
  • Telecommunications services and technology.  Some advisers failed to hire service providers to make sure back-up servers functioned properly, relying solely on self-maintenance, which led to more interruptions in their operations.
  • Communication plans.  Poor planning, inconsistencies and weak deployment in how to contact employees during a crisis.  Some plans did not identify which employees would execute and implement various parts of the BCP.
  • Reviewing and testing.  Inadequate testing of operations and systems relative to size and nature of advisory businesses.  Some problems here were based on adviser failures to conduct certain critical tests based on costs and other disincentives.

The risk alert also encourages advisers to consider those best practices and lessons learned that were described in the Joint Review of Business Continuity and Disaster Recovery of Firms by the Commission’s National Examination Program, the Commodity Futures Trading Commission’s Division of Swap Dealers and Intermediary Oversight and the Financial Industry Regulatory Authority on August 16, 2013.  They are available at http://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf

While the alert serves as a friendly reminder, to avoid a potential enforcement action, the advice covered should be reviewed, and where appropriate, implemented.  The days of preparing a boilerplate disaster recovery handbook to be left to collect dust on an adviser’s bookshelf have long passed.

SEC ANNOUNCES REGIONAL COMPLIANCE OUTREACH SEMINARS

The SEC has announced its schedule for the upcoming Compliance Outreach Program regional seminars to be held in Chicago, New York, Atlanta and San Francisco.  Investment adviser and investment company senior officers, including chief compliance officers (CCOs), are invited to register and attend.  The first meeting will occur in Chicago on August 28.

This year’s Compliance Outreach Program, which started off in Boston in May, will likely include panel discussions with SEC staff from the Office of Compliance Inspections and Examinations (OCIE), Division of Investment Management, and Division of Enforcement’s Asset Management Unit.  Topics will vary depending on location. For example, the Chicago seminar will address traded and non-traded real estate investment trusts, investment companies with special emphasis on alternative investment funds and money market funds, and current enforcement actions in the investment management industry.  The New York seminar will focus more on newly registered investment advisers, dual registrants and investment advisers affiliated with broker-dealers, and will cover topics like the SEC’s examination process, priorities, risk surveillance, and examination selection process.

As we’ve alerted our audience in previous blogs, investment advisers should attend these meetings because “[t]he seminars highlight areas of focus for compliance professionals.  They provide an opportunity for the SEC staff to identify common issues found in related examinations or investigations and discuss industry practices, including how compliance professionals have addressed such matters.”

Registration information about the regional seminars is available at:

http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539720572#.Uef5kdK1Eec

 

The SEC’s “Presence Exams” letter to Private Fund Advisers

As part of its National Exam Program, the SEC’s Office of Compliance and Examinations (“OCIE”) has just mailed a letter to senior executives and Chief Compliance Officers of newly-registered investment advisers apprising them of what practices they can expect to be examined.  

While the letter primarily concerns risk-based exams of advisers to private funds that registered with the SEC after July 21, 2011, the significance the OCIE examination staff is attaching to certain adviser practices in these so-called “Presence Exams” should be weighed by all advisers, regardless of whether they’re new or a private fund adviser.  As we have discussed in previous posts covering these and other areas of exam focus, the hot areas OCIE has referenced and set for review include:

  1. Marketing materials;
  2. Portfolio management;
  3. Conflicts of interest;
  4. Safety of Client Assets; and
  5. Valuation of Client holdings and assessment of fees based on valuations.

Through the SEC’s lens, each of these topics is being viewed in three phases: engagement; examination; and reporting.