In August, I discussed how the frequency and severity of recent natural disasters has caused regulators to refocus on the quality and effectiveness of the business continuity and disaster recovery plans (BC/DR plans) that investment advisors rely on during business interruptions. It came as no surprise to me and my colleagues when the SEC issued a risk alert on Aug. 27 directing investment advisors to review their BC/DR plans to ensure that they addressed frequently overlooked areas of concern.
The SEC risk alert urges investment advisors to consider the following when reviewing their BC/DR plan:
- Widespread disruption. When Hurricanes Sandy and Katrina devastated the Northeast and the Gulf Coast, businesses went without electrical power, phone service and Internet service for weeks. Entire office buildings were destroyed by flooding and strong winds. Many advisors were unprepared for the widespread devastation.
- Alternative locations. In the case of a widespread disruption, an alternative office across town will likely be compromised and fail to provide advisors with a suitable secondary location.
- Vendor relationships. As more advisors store their electronic files in the cloud, it becomes imperative that advisors consider the geographic location and redundancy capabilities of their information technology vendors.
- Telecommunication and technology services. Advisors who have been slow to move into the digital age are often self-contained, localizing their electronic and hard-copy files. These firms lack the mobility of a cloud-based firm and should consider alternative methods for data storage.
- Communication plans. With today’s meteorological models and predictions, advisors are usually provided with advance warning of a major weather event. The risk alert urged advisors to consider implementing a communication plan to warn clients that there may be a period of time following the storm when the advisor cannot be contacted by normal means.
- Compliance. As I discussed in my column in August, I strongly recommend that a review of your BC/DR plan be part of your annual review process.
- Review of testing. A BC/DR plan isn’t worth the paper it is written on if it can’t be implemented. Testing your BC/DR plan will help you identify weaknesses and also serve as training for employees.
Your BC/DR plan should not be viewed as another regulatory obligation. If it is designed with your firm’s risk exposures and business needs in mind, your plan will not only protect your firm from unnecessary scrutiny, it may also help you maintain your client relationships and your business.
Reg S-ID Deadline Approaching
In my June column, I discussed the SEC and CFTC’s April 10 joint announcement that new identity theft prevention regulations (“Regulation S-ID”) would be imposed under the Dodd-Frank Act. Recently, the SEC reminded investment advisory firms that are subject to Regulation S-ID that they are required to be in compliance no later than Nov. 20.
SEC-registered investment advisory firms are first required to audit their client accounts to determine whether they maintain one or more covered accounts. If they do, they’re required to develop, implement and maintain a written identity theft prevention program. To simplify the process, the program may be incorporated into the firm’s existing policies and procedures manual. The requirements for the prevention program are set forth in the 115-page joint release from the SEC and the Commodity Futures Trading Commission.
As a result of the above, we are quite busy reviewing and revising business continuity and disaster recovery plans and preparing identity theft prevention programs. Please do not neglect these two very important matters. They certainly will be the focus of SEC scrutiny during upcoming regulatory examinations.