SEC Issues National Exam Program Risk Alert Regarding Investment Advisers’ Business Continuity Plans
September 20, 2013
On August 27, 2013, the Office of Compliance Inspections and Examinations of the Securities and Exchange Commission (the “SEC”) issued a National Exam Program Risk Alert (the “Risk Alert”) resulting from its review of the business continuity and disaster recovery plans (“BCPs”) of approximately 40 advisers in areas that were impacted by Hurricane Sandy in October 2012.
The Risk Alert notes that advisers should adopt BCPs as part of their compliance programs under Rule 206(4)-7 under the Investment Advisers Act of 1940, as amended (the “Advisers Act”), “because an adviser’s fiduciary obligation to its clients includes taking steps to protect the clients’ interests from risks resulting from the adviser’s inability to provide advisory services after, for example, a natural disaster.” In addition, Rule 204-2 under the Advisers Act (the recordkeeping rule) requires advisers to maintain books and records including electronic storage media “so as to reasonably safeguard them from loss, alteration, or destruction.”
Pursuant to the Risk Alert, the SEC encourages advisers to review their BCPs and notes several considerations that should be taken into account in conducting such review. A summary of the considerations for advisers noted in the Risk Alert is set forth below.
- Widespread Disruption Considerations. Advisers should consider enhancing their BCPs to address and anticipate widespread events, including how the business will function in light of possible interruptions in key business operations and/or loss of key personnel for extended periods.
- Alternative Locations Considerations. Advisers should consider how to operate when faced with the possibility of electrical failure and the loss of other utility services, including loss of internet connectivity.
- Vendor Relationship Considerations. Advisers may want to review service providers’ IT infrastructure and evaluate how to operate when the adviser or a service provider’s facilities encounter weather-related disruptions.
- Telecommunications Services and Technology Considerations. Advisers should explore the availability of alternate internet providers, obtaining guaranteed redundancy from internet providers, and the appropriateness of keeping back-up files and systems in their primary office location.
- Communications Plans Considerations. Advisers should consider contacting clients before major storms to check whether clients have any transactions that will need to be executed if an extended outage occurs.
- Regulatory and Compliance Considerations. Advisers should regularly update their BCPs to incorporate new regulatory requirements and should consider how their BCP will allow them to comply with time-sensitive regulatory requirements.
- Review and Testing Considerations. Advisers should considering testing the operability of all critical systems under various scenarios in order to minimize disruptions to operations by identifying critical weaknesses.
The full text of the Risk Alert is available here.