In the aftermath of Hurricane Sandy, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) performed a widespread review of how investment advisers mobilized their Business Continuity and Disaster Recovery Plans (BCPs). This review of approximately 40 advisers resulted in a Risk Alert, providing guidance on how investment advisers should prepare for widespread disasters. Although the industry review was targeted at advisers affected by Hurricane Sandy, the lessons learned should be considered by all investment adviser and broker-dealer firms across the country.
Although each firm has different threats, resources, and risk profiles, considering the following guidance should help a firm prepare to continue providing services to its clients in times of disaster. The full Risk Alert is available online from the SEC.
OCIE staff (“the Staff”) reminded advisers that under Rule 206(4)-7 of the Investment Advisers Act of 1940 (the “Advisers Act”), as amended, each investment adviser is required to adopt and implement written policies and procedures reasonably designed to prevent the adviser from violating the Act. Rule 204-2 of the Advisers Act requires an adviser to maintain its electronic books and records in a manner designed to “reasonably safeguard them from loss, alteration, or destruction.” These rules have been interpreted to require that advisers adopt a BCP. It is also an adviser’s fiduciary duty to be prepared to service clients in times of disaster, whether localized to the adviser’s office (such as fire) or widespread across a region (such as flooding or power grid failure). The Risk Alert focuses on the unique nature of widespread damages.
The Staff recommended that advisers develop policies and procedures that anticipate widespread events, including possible interruptions in key business operations and the loss of key personnel for extended periods of time. This could involve, for example, considering whether universal remote access by employees would alleviate the burden of damaged office space or infrastructure, achieving redundancy in key services and operations, identifying multiple contingency plans, and annually testing remote backup systems. The Staff also noted that some firms quickly implemented new policies specifically for Hurricane Sandy; thus, where appropriate, addressing specific anticipated disasters can help a firm prepare for its particular challenges.
The Staff noted that many advisers switched to backup or remote sites or systems in advance of Hurricane Sandy, again stressing the need for advisers to anticipate disruptions in their services. The Staff recommended that offsite backups be in “geographically diverse” locations in order to avoid outages when entire power grids or other services go offline. The Staff was critical of some advisers who maintained backups physically close to the main service offices, as power grid outages would affect both sites equally. Redundancy and diversity are key considerations for any BCP.
The Staff noted that some advisers require vendors and third-party service providers to annually test their BCPs. This helps predict which services will respond appropriately in times of natural disaster or other widespread disruption. It could also help determine if infrastructure is in the same geographic location as the adviser — in such cases, consideration of redundant systems may be appropriate. These considerations apply not just to preparing for disasters at the adviser’s office; advisers should also consider how to respond when a vendor’s office or infrastructure faces long-term outages.
Telecommunications Services and Technology
The Staff recommended exploring new technology solutions, such as whether moving to a “cloud computing” model could improve remote access and avoid data loss in times of localized disaster. Increasingly, advisers should be concerned with where their data is physically stored. Sometimes low-tech solutions are the best solutions; the Staff notes that simply elevating ground-level equipment can avoid catastrophic flood damage. Advisers also need to consider how employees are able to access the data both from the office and from remote sites, often including their homes. Weaknesses identified in this area included some advisers failing to ensure that backup servers functioned properly.
In addition to ensuring that its own staff is apprised of updates with respect to outages, remote access, and service status, an adviser should review its client communications policies. For example, some advisers during Hurricane Sandy regularly communicated with clients throughout the disaster recovery process. The Staff also noted that such communications might involve reaching out to clients before a storm (by phone or email) to alert the clients to possible outages and requesting advance notice of any transactions the clients may need executed during a possible outage period.
The Staff reminded advisers to regularly review and update their BCPs, and noted that due to the unexpected nature of disasters, all regulatory notices are time-sensitive.
Review and Testing
The Staff alerted advisers that they should consider testing the operability of all critical systems under their BCPs using various scenarios. This will help to familiarize staff with the policies and procedures, and should help identify gaps in the BCPs. This could involve testing physical equipment (such as backup generators) periodically as well as considering the response to specific types of natural disaster.