Memo #27476

SEC, FINRA, and CFTC Issue Staff Advisory and Best Practices Relating to Registrants' Business Continuity Planning

August 19, 2013

TO: TECHNOLOGY COMMITTEE No. 8-13
COMPLIANCE MEMBERS No. 33-13
SMALL FUNDS MEMBERS No. 46-13
INVESTMENT ADVISER MEMBERS No. 58-13

RE: SEC, FINRA, AND CFTC ISSUE STAFF ADVISORY AND BEST PRACTICES RELATING TO REGISTRANTS' BUSINESS CONTINUITY PLANNING

The SEC, FINRA, and CFTC have joined together to publish a staff advisory on business continuity and disaster recovery planning, which includes advice on recommended effective practices. [1]  This information was derived from a joint review by the regulators in the aftermath of Hurricane Sandy. [2]   The Advisory contains “best practices and lessons learned” in the following areas, each of which is briefly described below:

  • Widespread Disruption Considerations;
  • Alternative Locations Considerations;
  • Vendor Relationships;
  • Telecommunications Services and Technology Considerations;
  • Communication Plans;
  • Regulatory and Compliance Considerations; and
  • Review and Testing.

According to the Advisory, the “regulators encourage firms to review their business continuity plans and consider implementing these best practices and lessons learned as appropriate to help improve responses to, and to reduce recovery time after, significant large scale events.”

Widespread Disruption Considerations

According to the Advisory, firms should consider the possibility of widespread lack of telecommunications, transportation, electricity, office space, fuel, and water in their business continuity planning.  They should also consider “multiple, redundant services and the proximity of vendors to the potential disaster area.”  It notes the importance of remote access as “an important component of business continuity planning” and suggests that firms consider the ability of employees to work from home and steps that can be taken to ensure adequate staffing during a crisis event.  Also, because remote access “relies heavily on fully functional telephone and internet service, firms should consider alternatives to telework” in their plans, particularly for “key control functions such as compliance, risk management, back office operations, and financial and regulatory reporting.”

Alternative Locations Considerations

The Advisory notes several issues a registrant should consider in connection with setting up or making arrangements for back-up data centers, back-up operational sites, and remote locations.  These include:

  • The implications of a region-wide disruption;
  • The need for geographic diversity;
  • Whether the primary and back-up location rely on the same critical utility services;
  • Employees’ accessibility to the site in the event of travel disruptions or road closures;
  • What transportation, lodging, etc. will be provided to employees traveling to back-up sites;
  • Whether the registrant should have a pre-arranged contract with shuttle service providers to transport employees to remote locations;
  • Determining the appropriate number of staff necessary to work at a remote site, including the designation of supervisors at the site;
  • Whether the remote site has sufficient generator capacity to support expanded business functionality;
  • Whether the remote site has adequate resources in terms of workspace, equipment, and supplies as well as “contact lists and other necessary documents, procedures, and manuals,” which should “ideally [be] in paper form in the event that electronic files cannot be accessed;” and
  • Whether the firm has pre-arranged lodging or office space for staff to be moved to in advance of an event that may result in a business disruption.

Vendor Relationships

Firms should consider their critical vendor relationships and determine whether those vendors are able to provide critical services (e.g., clearance and settlement, banking and finance, trade support, fuel, telecommunications, utilities) in the event of a business disruption.  Firms should also consider: categorizing the risks associated with their vendors; evaluating their vendors’ business continuity plans; and having pre-arranged contracts in place with multiple fuel suppliers (and scheduling deliveries) in advance of an event.

Telecommunications Services and Technology Considerations

Due to the vulnerability associated with relying on a single telecommunications service provider, the Advisory recommends that firms consider contracting with multiple carriers to provide a failover if necessary to maintain fax, voice mail, landline, and VoIP services.  It also recommends that firms consider “using multiple telecommunications providers, secondary phone lines, cloud technology, temporary phone lines, mobile telecom units, and Wi-Fi for staff without power, as well as back-up mobile phone services with different carriers.”

Communications Plans

The Advisory’s discussion of communication plans is broken into two categories: communications with customers and other external parties, and communications with staff.  With respect to the first, the Advisory recommends that firms consider a plan for providing customers and trading counterparties with contact information in the event of a business disruption, including updating the firm’s website to reflect the firm’s operational status and contact information during a disruption event.  Firms should also have a means to “authenticate the validity of customer requests.”  It also recommends that firms “consider implementing a communication plan that allows firms to better communicate and coordinate with regulators, exchanges, emergency officials, and other firms” in order to reduce the likelihood of inconsistent communications.  Along these same lines, the Advisory recommends that firms “participate in industry groups and task forces that may assist firms in strengthening their communication plans.”

With respect to internal communications, the Advisory recommends that firms consider establishing a centralized process for accounting for all staff (rather than relying on each business unit to contact staff members individually) and frequently updating emergency contact lists.  Firms should also consider adopting more diverse methods of communication with employees and consider allowing staff, “particularly critical staff, to carry multiple communications devices on multiple carriers.”

Regulatory and Compliance Considerations

The Advisory recommends that firms consider “time-sensitive regulatory requirements.”  It notes that “some firms put a lower prioritization on month-end financial processes, which increased challenges due to [Hurricane Sandy’s] proximity to month end, and caused delays in firms’ production of certain month end data for regulatory computations and financial reporting.”  Additionally, the Advisory advises firms to regularly update their business continuity plans to reflect new regulatory requirements.

Review and Testing

According to the Advisory, firms should conduct full-scale business continuity tests “at least annually, but more frequently if changes are made.”  It recommends that firms consider “full staff BCP tests to evaluate whether all day-to-day functions, including trade processing, can be performed regardless of staff location.”  Such annual testing will help familiarize all personnel with the plan and their critical pre-established roles.  Firms should also consider incorporating stress tests into their business continuity plans.  An example of a stress test would be testing the firm’s liquidity position and level of excess customer reserves in order to “be better prepared to adjust liquidity or excess reserves (e.g., term repos versus overnight, ability to liquidate money market funds, ability to meet margin calls...) prior to an event.”

 

Tamara K. Salmon
Senior Associate Counsel

endnotes

[1]  See Business Continuity Planning, SEC, CFTC, and FINRA (Aug. 16, 2013) (the “Advisory”), which is available at: http://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf

[2]  As noted in the Advisory, last October Hurricane Sandy resulted in significant and extensive damage to the northeast coast of the United States and led to the closure of the equities and options markets on October 29 and 30, 2013.  The firms that were contacted as part of this review were those “with a significant market presence.”