SEC Issues Risk Alert on Business Continuity and Disaster

SEC Joins the Ranks of Doomsday Preppers,
Issues Risk Alert on Business Continuity and Disaster Recovery Planning
By Bill Strait, Associate General Counsel
I presume, of course, that you, my faithful readers, have seen Doomsday Preppers, the show on the National Geographic channel that peers into the lives of individuals who are determined to survive whatever apocalyptic event
they are convinced is just around the corner, falling from the sky, or waiting to snuff out their hillbilly existence. I love
the show and naturally assume that other compliance-types like me gravitate toward the doomsday outlook on life
that those individuals featured on the show have embraced (you might even be one of them – it’s okay, I won’t tell).
Let’s face it, we compliance-types are nervous by nature; born worriers driven by fear of everything from failure, to
natural disasters, to clowns (okay maybe that’s just me). Living our lives under the SEC’s magnifying glass does little
to assuage our proclivity for turning the weatherman’s chance of heavy precipitation into “The sky is falling!” In fact,
sometimes it seems as if the SEC is in the business of giving us even more to worry about. They did it again in August,
when they issued a Risk Alert focused on business continuity and disaster recovery planning.1 The underlying
message of that Risk Alert: There may not be a day after the end of days, but if there is you best have a plan in place
to ensure that you will be open for business.
The Risk Alert was issued by the SEC’s office of Compliance Inspections and Examinations following a joint advisory
report issued by the SEC and other regulators earlier in the month. Both the Risk Alert and the joint advisory report
prompt financial firms, and specifically investment advisers, to prepare for everything from ice storms to zombie attacks.2 The Risk Alert also includes the SEC staff’s observations after surveying some 40 investment advisory firms
to obtain information about how their business continuity plans held up when U.S. financial markets closed for two
days in October 2012 as a result of Hurricane Sandy. In the Risk Alert, the SEC directs advisers to review their business
continuity plans in light of its observations and revise their plans as necessary.
Officially, Rule 206(4)-7 under the Investment Advisers Act of 1940 (the “Advisers Act”) requires each investment
adviser to adopt and implement written policies and procedures reasonably designed to prevent the adviser from
violating the Advisers Act. The SEC has long advised that such policies and procedures should include business continuity plans (“BCPs”) because an adviser’s fiduciary obligation to its clients includes taking steps to protect the clients’
interests from risks resulting from the adviser’s inability to provide advisory services after, for example, a natural
disaster3 or the, perhaps too readily dismissed, zombie apocalypse.
While your natural tendency toward premature panic may have you donning a hardhat and crawling under the
nearest desk when confronted with the mere possibility of a natural or not so natural disaster, the SEC, based on
its observations, thinks that you can and should do better, and offers up some recommendations that may help to
ensure that you are open for business on the day after. The following is a brief summary of those recommendations:
Widespread Disruption Considerations. Advisers should enhance the design and implementation of their BCPs by
developing policies and procedures to address and anticipate widespread events, including possible interruptions in
key business operations and loss of key personnel for extended periods.
Alternative Locations Considerations. Advisers should evaluate how to operate when faced with the possibility of
electrical failure and loss of other utility services (e.g., cable, phone, internet connectivity). Establish a back-up site
with consideration to widespread disruption that is accessible in the event of disaster and has adequate space and
resources.
Vendor Relationship Considerations. Advisers should consider reviewing the adequacy of BCPs and IT
infrastructure of service providers – as these providers could be impacted by the same challenges facing you. Consider whether it is necessary to have multiple back-up servers.
Telecommications Services and Technology Considerations. Advisers should consider having alternate
telecommunications and internet providers available, or obtain guaranteed redundancy from internet providers.
Ensure staff remains fully functional if working from home. Explore the appropriateness of keeping back-up files and
systems in the adviser’s primary location.
Communication Plans. Advisers should consider contacting clients before a major storm to see if they have
transactions they will need executed. Also, consider adopting diverse methods of communication and a plan for
providing customers and trading counterparties with contact information so that business can continue.
Regulatory and Compliance Considerations.You guessed it, like cockroaches, SEC examiners are fully expected to
survive a nuclear winter, and when you crawl from under the irradiated dust, examiners will be waiting to see if you
remain in compliance with all regulatory requirements. As a result, the SEC recommends that advisers regularly
update their BCP to include new regulatory requirements.
Review and Testing Considerations. Advisers should consider testing the operability of all critical systems under
the BCP using various scenarios. Such testing may minimize disruptions to operations because critical weaknesses
may be identified and resolved and personnel may become more fluent with using key systems while in BCP “mode”.
Even though zombies are notoriously slow moving (who decided that anyway), testing your BCP should facilitate
speed and efficiency.
The review following Hurricane Sandy and the SEC ’s recent Risk Alert provide insight into ways that advisers were
and can be affected by disasters or major events. Northern Lights Compliance Services, LLC (“NLCS”) maintains a
comprehensive BCP for all critical organization functions that would be necessary in the event of a disaster. This plan
details NLCS’s efforts to exercise reasonable measures to protect employees and to safeguard investment advisers.
NLCS ensures that the BCP’s critical components and procedures (including those relating to its IT systems and data
centers) are reviewed and tested on a monthly basis. Further, NLCS managers and employees participate in and evaluate quarterly disaster recovery tests to ensure continued and efficient operations in the event of a disaster. In order
to safeguard business processes and day-to-day services, NLCS maintains two backup data centers located in Kansas
City and at an alternate location in Omaha and also has access to a live alternate worksite with more than adequate
space and resources in Fremont, NE.
1
National Exam Program Risk Alert, SEC Examination of Business Continuity Plans of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year, http://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf.
2
*Disclaimer: The SEC does not specifically list “zombie attacks”, however I believe it could be inferred.
3
See Final Rule: Compliance Programs of Investment Companies and Investment Advisers, Advisers Act Release No. 2204 (December 17, 2003), available at www.sec.gov/rules/final/ia-2204.htm.
80 Ark ay Drive, Hauppauge, NY 11788
|
631.470.2600
|
w w w.nlcompliance.com
|
[email protected]
|
0012-NLCS-10/14/2013