Regulators Issue Joint Guidance on Business Continuity Planning

by BakerHostetler

Last Friday, the SEC, FINRA and CFTC issued joint guidance (Joint Guidance) on the "best practices and lessons learned" from their review of the business continuity and disaster recovery plans of firms as a result of the October 2012 closure of equities and options markets due to Hurricane Sandy.[1]

Although the Joint Guidance is merely advisory, broker-dealers and hedge fund advisers would be well advised to review the guidance and, where appropriate, apply it to their own business continuity and disaster recovery plans (BCPs). This is particularly true since broker-dealers already are required by FINRA Rule 4370 to create and maintain a BCP "reasonably designed to enable the member to meet its existing obligations to customers,"[2] and investment advisers are required by Rule 206(4)-7 of the Investment Advisers Act of 1940 and their fiduciary duty to incorporate a BCP into their written compliance policies and procedures.[3]

BCPs As Regulatory Priority

As markets have become more complex, regulators have focused increasingly on improving enterprise risk management.[4] This is clearly evident from recent speeches by SEC Commissioners. Earlier this year, SEC Commissioner Luis A. Aguilar stated: "In my mind, there's not much difference between failing to have a business continuity plan and having a plan that you're not confident enough to use. Hurricane Sandy should serve as a warning sign. It is not enough to have the false comfort of a business continuity program on paper. It is critically important for entities to robustly test their contingency plans and be prepared to use them."[5]

A few weeks later, then SEC Chairman Elisse Walter noted that disruptions may be caused by threats other than natural disasters: "The May 6 flash crash, systems issues that arose during the IPOs of Facebook and BATS Global Markets, the hacking of Nasdaq's systems and the closing of U.S. markets in response to Superstorm Sandy all exemplify the types of problems and disruptions that can affect our marketplace."[6]

Considering these threats and the fact that trading is now constant on exchanges and in dark pools, the importance of those in the securities and commodities industry adopting and regularly updating BCPs cannot be overstated.

Joint Guidance on BCP Best Practices

The Joint Guidance suggests that a BCP should contemplate "the possibility of widespread lack of telecommunications, transportation, electricity, office space, fuel and water" as a result of an event and how this may affect the operations of a firm and its vendors by, among other things:

  • Identifying employees, systems, activities and vendors that are critical to the firm's operations (e.g., compliance, risk management, back office operations and financial and regulatory reporting);
  • Ensuring the ability of employees -- particularly critical operations employees -- to work remotely, either at an alternative location (which may be affected by an event that disrupts transportation services) or through remote access (which may be affected by an event that disrupts telecommunications services);
  • Securing an alternative location (possibly outside of the region) in advance of an event and preparing it with adequate supplies (e.g., desks, chairs, telephones, computers, printers, network connectivity, paper, toner, generators and necessary documents, procedures and manuals in hard-copy format), business services (e.g., multiple telecommunications service providers and other critical vendors) and transportation/hotel services (e.g., through pre-arranged contracts);
  • Obtaining multiple, redundant services (e.g., telecommunications service providers and broker-dealers) and infrastructure (e.g., mobile devices, softphones and T-1 lines);
  • Determining if vendors that provide critical services have adequate BCPs and whether these vendors could be impacted by the same possible events;
  • Instituting a communications plan with employees, customers and regulators;
  • Regularly updating their BCPs to include new regulatory and SRO requirements;
  • Training employees to be familiar with the BCP; and
  • Reviewing, testing and updating the BCP at least once each year.


In light of the Joint Guidance, financial firms -- particularly broker-dealers and investment advisers -- should not wait for future regulations to help guide the development of their BCPs[7] or the next natural disaster or cyberattack to test the adequacy of their current BCPs. As recent history has shown, kicking this proverbial can down the road can be costly not only in terms of costs and losses resulting from damage and business interruption, but also in regulatory sanctions. In 2012 FINRA sanctioned member firms for failures in their BCPs.[8]

[1] Business Continuity Planning, Joint Guidance from the SEC, FINRA and the CFTC (Aug. 16, 2013).
[2] FINRA Rule 4370, Business Continuity Plans and Emergency Contact Information, (noting that a BCP should be "flexible and tailored to the size and needs of a member" but at a minimum should address certain outlined considerations).
[3] "We believe that an adviser's fiduciary obligation to its clients includes the obligation to take steps to protect the clients' interests from being placed at risk as a result of the adviser's inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel." Final Rule: Compliance Programs of Investment Companies and Investment Advisers, Release No. IA-2204, n.22 (Dec. 17, 2003).
[4] See, e.g., Examination Priorities for 2013, SEC's Office of Compliance Inspections and Examinations (Feb. 21, 2013), ("[L]ast fall Hurricane Sandy brought to light certain gaps in some registrants' business continuity plans. The staff is identifying the overall impact of the hurricane on certain entities' operations, including the obstacles they confronted when implementing their business continuity plans."); 2013 Annual Regulatory and Examinations Priorities, FINRA (Jan. 11, 2013), ("Given the steady number of cyber-security issues that affected the financial services industry in 2012, FINRA continues to be concerned about the safety and integrity of sensitive customer data. The frequency and intensity of threats, such as denial of service attacks and the number of data security breaches, raises concerns that the securities industry is vulnerable to disruption and unauthorized access to customer account information."); CF Disclosure Guidance: Topic No. 2, Cybersecurity, SEC's Division of Corporation Finance (Oct. 13, 2011), ("To the extent cyber incidents pose a risk to a registrant's ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.").
[5] Addressing Market Instability through Informed and Smart Regulation, Speech by SEC Commissioner Luis A. Aguilar during PLI's SEC Speaks in 2013 (Feb. 22, 2013).
[6] Opening Statement at the SEC Open Meeting, Chairman Elisse Walter (Mar. 7, 2013).
[7] This past March, the SEC proposed a new regulation, Regulation Systems Compliance and Integrity (Regulation SCI), which would require certain self-regulatory organizations, alternative trading systems, plan processors, exempt clearing agencies, and potentially broker-dealers to, among other things, "conduct business continuity testing, and provide certain notifications in the event of systems disruptions and other events." SEC Proposes Rules to Improve Systems Compliance and Integrity, SEC Immediate Rel. No. 2013-35 (Mar. 7, 2013). The comment period for proposed Regulation SCI closed on July 8 and the SEC staff is currently in the process of reviewing the comment letters.
[8] Over the past year, at least one broker-dealer and two associated persons have been sanctioned for BCP failures. See Oakbrook Investment Brokers, Inc. and Robert George Stevens, Letter of Acceptance, Waiver and Consent No. 2010021010901 (Oct. 12, 2012) (expelling respondent firm and barring respondent person from associating with any FINRA member in any capacity where respondents, without admitting or denying the findings, consented to the letter alleging that, among other things, they failed over the course of four years to conduct an annual review of their BCP and to update the BCP to show any material changes); Carl A. Antonucci, Letter of Acceptance, Waiver and Consent No. 2010024993501 (Sept. 21, 2012) (fining respondent $7,500 and suspending him from association with any FINRA member in any capacity for six months where respondent, without admitting or denying the findings, consented to the letter alleging that, among other things, he falsely stated in FINRA examination materials that he had conducted telephone testing of the BCP when he had not done so).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.