The SEC’s Office of Compliance Investigations and Examinations (“OCIE”) recently issued a Risk Alert related to adviser business continuity and disaster recovery plans (“BCPs”). The Alert stems from an OCIE review of BCPs in the wake of the widespread damage caused by Hurricane Sandy in October of 2012. In addition to general observations, the Alert highlights several “possible future considerations” advisers should take into account, including:
- Enhancing the design and implementation of BCPs by developing policies and procedures to address and anticipate widespread events;
- Evaluating how to operate in the event of an electrical failure, including a back-up site that is not affected by the same power outage as the main office;
- Reviewing the IT infrastructure of service providers and the potential need for multiple back-up servers, as well as planning for any disruption to service provider operations;
- Considering the need for alternate internet providers or guaranteed redundancy from providers. A supplier’s failure to diversify connectivity represents a risk in its own right;
- Exploring back-up files and systems in an adviser’s primary office location as well as the possible use of cloud computing;
- Contacting clients prior to a major storm to see if they have any transactions they need executed in the event of an extended outage [Vista360 comment – while a worthy consideration, we do not view this as a practical general practice];
- Testing the operability of all critical systems under the BCP using various scenarios.

Other than as noted above, we find the SEC’s comments to be a solid reminder of evolving best practices advisers and funds should consider. As made clear by OCIE in the Risk Alert, the SEC staff considers BCPs to be a critical component of an adviser’s policies. Please do not hesitate to contact us should you need any assistance updating your plans.