Memo #
27539

SEC Publishes Risk Alert On Investment Advisers' Business Continuity and Disaster Recovery Planning


September 4, 2013

TO: BANK, TRUST AND RETIREMENT ADVISORY COMMITTEE No. 29-13
BROKER/DEALER ADVISORY COMMITTEE No. 41-13
OPERATIONS COMMITTEE No. 44-13
SECURITIES OPERATIONS ADVISORY GROUP
TRANSFER AGENT ADVISORY COMMITTEE No. 67-13

RE: SEC PUBLISHES RISK ALERT ON INVESTMENT ADVISERS’ BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING

 

The SEC’s Office of Compliance Inspections and Examinations (OCIE) has published its latest Risk Alert, which is the publication OCIE developed to publicly share information and observations obtained from conducting inspections of registrants. The latest Risk Alert relates to OCIE’s observations and lessons learned from reviewing the business continuity plans (BCPs) of approximately 40 advisers that were located in those geographic areas impacted by Hurricane Sandy in October 2012. [1] The Risk Alert contains observations of OCIE staff in six areas, which are listed below along with a summary of the weaknesses noted and possible future considerations related to each. It also “encourages advisers to review their plans and consider their effectiveness in light of the observations and information” contained in the Alert. [2]

Prior to discussing the staff’s observations, the Risk Alert notes that the compliance policies and procedures required of registered investment advisers pursuant to Rule 206(4)-7 “should include BCPs because an adviser’s fiduciary obligation to its clients includes taking steps to protect clients’ interests from risks resulting from the adviser’s inability to provide advisory services after, for example, a natural disaster.” [3]  Also, the recordkeeping rule under the Investment Advisers Act of 1940, Rule 204-2, imposes upon advisers “responsibilities to maintain books and records including a requirement to maintain electronic storage media ‘so as to reasonably safeguard them from loss, alteration, or destruction.’” [4]

OCIE encourages firms “to review their BCPs and consider implementing these lessons as appropriate to help improve responses to, and to reduce recovery time after, significant large scale events.” [5]  It also encourages advisers to “consider the best practices and lessons learned as described in the Joint Review of Business Continuity and Disaster Recovery of Firms,” which was jointly published by OCIE, the CFTC, and FINRA earlier this month. [6]   

Areas Addressed in the Risk Alert [7]

A. Widespread Disruption Considerations

Weaknesses Noted:  According to the Risk Alert, some advisers’ BCPs did not adequately address and anticipate widespread events.  Such advisers generally experienced more interruptions in their key business operations and inconsistent communications with clients and employees.

Possible Future Considerations: OCIE encourages advisers to enhance the design and implementation of their BCPs by developing policies and procedures to address and anticipate widespread events, including possible interruptions in key business operations and loss of key personnel for extended periods. 

B. Alternative Locations Considerations

Weaknesses Noted:  Some advisers did not have geographically diverse office locations.  Also, many smaller advisers had fewer geographically dispersed staff.

Possible Future Considerations:  Advisers should consider: (1) evaluating how to operate when faced with the possibility of electrical failure and the loss of utilities; (2) establishing back-up sites that would not be impacted by a power outage at the adviser’s main office; and (3) establishing a back-up site inland if the adviser’s business is located on a coast.

C. Vendor Relationship Considerations

Weaknesses Noted:  Some advisers failed to evaluate the BCPs of their service providers.  As a result, they did not ensure that their service providers’ plans incorporated key business continuity controls that impacted the advisers’ ability to execute their own BCPs.  Also, some advisers failed to keep an updated list of vendors and contact persons at those vendors.

Possible Future Considerations:  Because the advisers’ service providers may be in the same geographic area as the adviser, advisers should consider reviewing the IT infrastructure of their service providers.  Advisers may also want to consider whether it is necessary to have multiple back-up servers to reduce their risk.  Advisers also should evaluate how to continue operations when the facilities of the adviser or its service provider are faced with the risk of weather-related events, including flooding.

D. Telecommunications Services and Technology Considerations

Weaknesses Noted:  Some advisers did not engage service providers to ensure that their back-up servers functioned properly, which led to more interruptions in key business operations.

Possible Future Considerations:  Advisers should consider: (1) having alternate internet providers available; (2) obtaining guaranteed redundancy from internet providers; and (3) exploring the appropriateness of keeping back-up files and systems in the adviser’s primary office location.

E. Communications Plans Considerations

Weaknesses Noted:  Some advisers: did not adequately plan how to contact and deploy employees during a crisis; inconsistently maintained communications with clients and employees; and did not identify which personnel should execute and implement the various parts of the adviser’s overall BCP.

Possible Future Considerations:  Advisers should consider contacting clients (directly and/or via email blasts) before a major storm to see if they have any transactions they will need executed if an extended outage occurs.

F. Regulatory and Compliance Considerations

This is the one heading in the Risk Alert that does not contain Weaknesses Noted or Possible Future Considerations.  Instead, under this heading OCIE reminds advisers to regularly update their BCPs to include new regulatory requirements and to consider time-sensitive regulatory requirements.

G. Review and Testing Considerations

Weaknesses Noted:  Some advisers inadequately tested their BCPs relative to their advisory business (e.g., they failed to test all critical business operations and systems) and some opted not to conduct certain critical tests because vendors provided disincentives or charged for such testing.

Possible Future Considerations:  In order to minimize disruptions to operations, identify critical weaknesses, and enable personnel to become more fluent with using key systems while in the BCP mode, advisers should consider testing the operability of all critical systems under the BCP using various scenarios. 

 

Tamara K. Salmon
Senior Associate Counsel

endnotes

[1]  See SEC Examination of Business Continuity Plans of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year, SEC National Examination Program Risk Alert, Vol. II, Issue 3 (Aug. 27, 2013) (“Risk Alert”), which is available at: http://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf.

[2]  Risk Alert at p. 8.

[3]  Risk Alert at p. 2.

[4]  Ibid.

[5]  Ibid.

[6]  Ibid.  See also, ICI Memorandum No. 27476 (Aug. 19, 2013), which summarizes and provides a link to the Joint Review.

[7]  In addition to discussing “Weaknesses Noted” and “Possible Future Considerations,” the Risk Alert also lists “General Observations and Notable Practices” under each of the headings except “F”.  These have been omitted from this summary.