Last Friday, the SEC, FINRA and CFTC issued joint guidance (Joint Guidance) on the "best practices and lessons learned" from their review of the business continuity and disaster recovery plans of firms as a result of the October 2012 closure of equities and options markets due to Hurricane Sandy.[1]
Although the Joint Guidance is merely advisory, broker-dealers and hedge fund advisers would be well advised to review the guidance and, where appropriate, apply it to their own business continuity and disaster recovery plans (BCPs). This is particularly true since broker-dealers already are required by FINRA Rule 4370 to create and maintain a BCP "reasonably designed to enable the member to meet its existing obligations to customers,"[2] and investment advisers are required by Rule 206(4)-7 of the Investment Advisers Act of 1940 and their fiduciary duty to incorporate a BCP into their written compliance policies and procedures.[3]
BCPs As Regulatory Priority
As markets have become more complex, regulators have focused increasingly on improving enterprise risk management.[4] This is clearly evident from recent speeches by SEC Commissioners. Earlier this year, SEC Commissioner Luis A. Aguilar stated: "In my mind, there's not much difference between failing to have a business continuity plan and having a plan that you're not confident enough to use. Hurricane Sandy should serve as a warning sign. It is not enough to have the false comfort of a business continuity program on paper. It is critically important for entities to robustly test their contingency plans and be prepared to use them."[5]
A few weeks later, then SEC Chairman Elisse Walter noted that disruptions may be caused by threats other than natural disasters: "The May 6 flash crash, systems issues that arose during the IPOs of Facebook and BATS Global Markets, the hacking of Nasdaq's systems and the closing of U.S. markets in response to Superstorm Sandy all exemplify the types of problems and disruptions that can affect our marketplace."[6]
Considering these threats and the fact that trading is now constant on exchanges and in dark pools, the importance of those in the securities and commodities industry adopting and regularly updating BCPs cannot be overstated.
Joint Guidance on BCP Best Practices
The Joint Guidance suggests that a BCP should contemplate "the possibility of widespread lack of telecommunications, transportation, electricity, office space, fuel and water" as a result of an event and how this may affect the operations of a firm and its vendors by, among other things:
-
Identifying employees, systems, activities and vendors that are critical to the firm's operations (e.g., compliance, risk management, back office operations and financial and regulatory reporting);
-
Ensuring the ability of employees -- particularly critical operations employees -- to work remotely, either at an alternative location (which may be affected by an event that disrupts transportation services) or through remote access (which may be affected by an event that disrupts telecommunications services);
-
Securing an alternative location (possibly outside of the region) in advance of an event and preparing it with adequate supplies (e.g., desks, chairs, telephones, computers, printers, network connectivity, paper, toner, generators and necessary documents, procedures and manuals in hard-copy format), business services (e.g., multiple telecommunications service providers and other critical vendors) and transportation/hotel services (e.g., through pre-arranged contracts);
-
Obtaining multiple, redundant services (e.g., telecommunications service providers and broker-dealers) and infrastructure (e.g., mobile devices, softphones and T-1 lines);
-
Determining if vendors that provide critical services have adequate BCPs and whether these vendors could be impacted by the same possible events;
-
Instituting a communications plan with employees, customers and regulators;
-
Regularly updating their BCPs to include new regulatory and SRO requirements;
-
Training employees to be familiar with the BCP; and
-
Reviewing, testing and updating the BCP at least once each year.
Conclusion
In light of the Joint Guidance, financial firms -- particularly broker-dealers and investment advisers -- should not wait for future regulations to help guide the development of their BCPs[7] or the next natural disaster or cyberattack to test the adequacy of their current BCPs. As recent history has shown, kicking this proverbial can down the road can be costly not only in terms of costs and losses resulting from damage and business interruption, but also in regulatory sanctions. In 2012 FINRA sanctioned member firms for failures in their BCPs.[8]
[1] Business Continuity Planning, Joint Guidance from the SEC, FINRA and the CFTC (Aug. 16, 2013).
[2] FINRA Rule 4370, Business Continuity Plans and Emergency Contact Information, (noting that a BCP should be "flexible and tailored to the size and needs of a member" but at a minimum should address certain outlined considerations).
[3] "We believe that an adviser's fiduciary obligation to its clients includes the obligation to take steps to protect the clients' interests from being placed at risk as a result of the adviser's inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel." Final Rule: Compliance Programs of Investment Companies and Investment Advisers, Release No. IA-2204, n.22 (Dec. 17, 2003).
[4] See, e.g., Examination Priorities for 2013, SEC's Office of Compliance Inspections and Examinations (Feb. 21, 2013), ("[L]ast fall Hurricane Sandy brought to light certain gaps in some registrants' business continuity plans. The staff is identifying the overall impact of the hurricane on certain entities' operations, including the obstacles they confronted when implementing their business continuity plans."); 2013 Annual Regulatory and Examinations Priorities, FINRA (Jan. 11, 2013), ("Given the steady number of cyber-security issues that affected the financial services industry in 2012, FINRA continues to be concerned about the safety and integrity of sensitive customer data. The frequency and intensity of threats, such as denial of service attacks and the number of data security breaches, raises concerns that the securities industry is vulnerable to disruption and unauthorized access to customer account information."); CF Disclosure Guidance: Topic No. 2, Cybersecurity, SEC's Division of Corporation Finance (Oct. 13, 2011), ("To the extent cyber incidents pose a risk to a registrant's ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.").
[5] Addressing Market Instability through Informed and Smart Regulation, Speech by SEC Commissioner Luis A. Aguilar during PLI's SEC Speaks in 2013 (Feb. 22, 2013).
[6] Opening Statement at the SEC Open Meeting, Chairman Elisse Walter (Mar. 7, 2013).
[7] This past March, the SEC proposed a new regulation, Regulation Systems Compliance and Integrity (Regulation SCI), which would require certain self-regulatory organizations, alternative trading systems, plan processors, exempt clearing agencies, and potentially broker-dealers to, among other things, "conduct business continuity testing, and provide certain notifications in the event of systems disruptions and other events." SEC Proposes Rules to Improve Systems Compliance and Integrity, SEC Immediate Rel. No. 2013-35 (Mar. 7, 2013). The comment period for proposed Regulation SCI closed on July 8 and the SEC staff is currently in the process of reviewing the comment letters.
[8] Over the past year, at least one broker-dealer and two associated persons have been sanctioned for BCP failures. See Oakbrook Investment Brokers, Inc. and Robert George Stevens, Letter of Acceptance, Waiver and Consent No. 2010021010901 (Oct. 12, 2012) (expelling respondent firm and barring respondent person from associating with any FINRA member in any capacity where respondents, without admitting or denying the findings, consented to the letter alleging that, among other things, they failed over the course of four years to conduct an annual review of their BCP and to update the BCP to show any material changes); Carl A. Antonucci, Letter of Acceptance, Waiver and Consent No. 2010024993501 (Sept. 21, 2012) (fining respondent $7,500 and suspending him from association with any FINRA member in any capacity for six months where respondent, without admitting or denying the findings, consented to the letter alleging that, among other things, he falsely stated in FINRA examination materials that he had conducted telephone testing of the BCP when he had not done so).
