SEC Exam Review Prompts Risk Alert on Adviser Business Continuity Plans

posted in: Business Continuity | 0

Prompted by wide-ranging damage and the disruptions to the capital markets caused by Hurricane Sandy, the SEC’s National Examination Program (“NEP”) reviewed the business continuity plans and disaster recovery plans (together, “BCPs”) of approximately 40 investment advisers in areas affected by the storm and issued an advisory with its findings.  The NEP made general observations, described noteworthy practices and weaknesses, and identified possible considerations for advisers going forward, in the following seven categories: (1) widespread disruption considerations; (2) alternative location considerations; (3) vendor relationship considerations; (4) telecommunications services and technology considerations; (5) communication plan considerations; (6) regulatory and compliance considerations; and (7) review and testing considerations.   For example, the NEP observed that some advisers did not acquire or critically review service providers’ Statement on Standards for Attestation Engagements No. 16 reports (“SSAE 16 reports”) and BCPs, and that in doing so, these advisers did not ensure that the service providers’ plans incorporated key business continuity controls affecting the advisers’ ability to execute their own BCPs.  Additional weaknesses were noted, such as (a) a failure to have geographically diverse office locations, (b) a failure to identify which personnel were responsible for executing and implementing various parts of the BCP, and (c) a reluctance to undertake critical systems testing due to costs.  The advisory also sets forth several possible future considerations to improve functionality during times when operations are impaired, such as (i) reviewing the IT infrastructure of service providers, particularly with respect to their physical locations, (ii) engaging alternate internet providers or obtaining guaranteed redundancy from their current provider, and (iii) testing the operability of all critical systems under the BCP using various scenarios.  The NEP encourages advisers to consider their BCPs’ effectiveness in light of the observations in the advisory.