Following Hurricane Sandy, the SEC contacted investment advisors in the Northeast to try to understand how they were impacted by the storm.* The SEC just released its findings, which it believes will help improve responses and reduce recovery time after “significant large scale events.”
Among the weaknesses noted by the SEC in certain advisors’ “business continuity plans,” or BCPs, were:
Some BCPs that did not adequately address and anticipate widespread events, such as adequate plans addressing situations where key personnel were unable to work from home or other remote locations.
Some advisers did not have geographically diverse office locations, and many smaller advisers had fewer geographically dispersed staff.
Some advisers did not evaluate the BCPs of their service providers.
- Some advisers did not engage service providers to ensure that back-up servers functioned properly and relied solely on self-maintenance.
- Some advisers did not adequately plan how to contact and deploy employees during a crisis, and inconsistently maintained communications with clients and employees.
- Some advisers inadequately tested their BCPs relative to their advisory businesses.
- Some advisers opted not to conduct certain critical tests because vendors provided disincentives or charged for testing.
The alert did not distinguish between large and small advisors or how appropriate BCP provisions addressing these weaknesses would be for smaller firms. Geographic diversity is the most obvious example in that case.
*Investment advisors are required to implement these types of BCPs under the SEC’s interpretation of Rule 206(4)-7.