Last Friday, the SEC, FINRA and CFTC issued joint guidance (Joint Guidance) on the "best practices and lessons learned" from their review of the business continuity and disaster recovery plans of firms as a result of the October 2012 closure of equities and options markets due to Hurricane Sandy.[1]

Although the Joint Guidance is merely advisory, broker-dealers and hedge fund advisers would be well advised to review the guidance and, where appropriate, apply it to their own business continuity and disaster recovery plans (BCPs). This is particularly true since broker-dealers already are required by FINRA Rule 4370 to create and maintain a BCP "reasonably designed to enable the member to meet its existing obligations to customers,"[2] and investment advisers are required by Rule 206(4)-7 of the Investment Advisers Act of 1940 and their fiduciary duty to incorporate a BCP into their written compliance policies and procedures.[3]

BCPs As Regulatory Priority

As markets have become more complex, regulators have focused increasingly on improving enterprise risk management.[4] This is clearly evident from recent speeches by SEC Commissioners. Earlier this year, SEC Commissioner Luis A. Aguilar stated: "In my mind, there's not much difference between failing to have a business continuity plan and having a plan that you're not confident enough to use. Hurricane Sandy should serve as a warning sign. It is not enough to have the false comfort of a business continuity program on paper. It is critically important for entities to robustly test their contingency plans and be prepared to use them."[5]

A few weeks later, then SEC Chairman Elisse Walter noted that disruptions may be caused by threats other than natural disasters: "The May 6 flash crash, systems issues that arose during the IPOs of Facebook and BATS Global Markets, the hacking of Nasdaq's systems and the closing of U.S. markets in response to Superstorm Sandy all exemplify the types of problems and disruptions that can affect our marketplace."[6]

Considering these threats and the fact that trading is now constant on exchanges and in dark pools, the importance of those in the securities and commodities industry adopting and regularly updating BCPs cannot be overstated.

Joint Guidance on BCP Best Practices

The Joint Guidance suggests that a BCP should contemplate "the possibility of widespread lack of telecommunications, transportation, electricity, office space, fuel and water" as a result of an event and how this may affect the operations of a firm and its vendors by, among other things:

  • Identifying employees, systems, activities and vendors that are critical to the firm's operations (e.g., compliance, risk management, back office operations and financial and regulatory reporting);
  • Ensuring the ability of employees -- particularly critical operations employees -- to work remotely, either at an alternative location (which may be affected by an event that disrupts transportation services) or through remote access (which may be affected by an event that disrupts telecommunications services);
  • Securing an alternative location (possibly outside of the region) in advance of an event and preparing it with adequate supplies (e.g., desks, chairs, telephones, computers, printers, network connectivity, paper, toner, generators and necessary documents, procedures and manuals in hard-copy format), business services (e.g., multiple telecommunications service providers and other critical vendors) and transportation/hotel services (e.g., through pre-arranged contracts);
  • Obtaining multiple, redundant services (e.g., telecommunications service providers and broker-dealers) and infrastructure (e.g., mobile devices, softphones and T-1 lines);
  • Determining if vendors that provide critical services have adequate BCPs and whether these vendors could be impacted by the same possible events;
  • Instituting a communications plan with employees, customers and regulators;
  • Regularly updating their BCPs to include new regulatory and SRO requirements;
  • Training employees to be familiar with the BCP; and
  • Reviewing, testing and updating the BCP at least once each year.

Conclusion

In light of the Joint Guidance, financial firms -- particularly broker-dealers and investment advisers -- should not wait for future regulations to help guide the development of their BCPs[7] or the next natural disaster or cyberattack to test the adequacy of their current BCPs. As recent history has shown, kicking this proverbial can down the road can be costly not only in terms of costs and losses resulting from damage and business interruption, but also in regulatory sanctions. In 2012 FINRA sanctioned member firms for failures in their BCPs.[8]