The SEC Wants to Know How Your BCP Fared During Hurricane Sandy

By Dina Ferriero | Tuesday, January 15th, 2013

In the wake of Hurricane Sandy, many hedge funds and investment firms in the Northeast region took account of their firms' operations and assessed the aftermath. Business continuity plans and disaster recovery procedures were undoubtedly put to the test as power outages and flooding wreaked havoc on the area. In a previous Hedge IT post, we discussed many of the lessons that fund managers took away from this experience. Today we’re taking an even closer look at how investment firms fared during the disaster, as agencies such as the SEC and FINRA are now conducting in-depth examinations of many such organizations.

These post-Sandy investigations are being conducted on several firms throughout the Northeast, and although they are not technically intended as a sweep exam, they’re being used as a mechanism to gather information on the lessons that were garnered through the storm. The SEC may potentially use the responses in aggregate as a basis for implementing new BCP recommendations or guidelines in the future.

Additionally, these exams aim to raise awareness about the importance of having a comprehensive business continuity plan in place and conducting regular testing.

What can you expect from an SEC/FINRA exam?

Questions in the post-Sandy exam request information on a range of topics covering both disaster recovery systems and business continuity procedures. Be sure your firm is able to respond to the items and provide supporting documentation where appropriate in order to successfully complete a potential post-Sandy sweep:

Provide documentation of the firm’s business continuity plans, including procedures for responding to an emergency or disaster.

Identify the individuals within the organization (names and titles) who are responsible for initiating the emergency procedures outlined in the BCP.

Provide documented results of the most recent assessment/testing of the firm’s BCP. Include details on how often the plan is tested, when the tests occur, what specific steps are taken as part of the tests, any weaknesses identified during the tests, and changes that were made to the BCP as a result of these discoveries.

Provide evidence of any weaknesses that were uncovered through implementation of the firm’s BCP during Hurricane Sandy. Indicate whether the firm expects to modify the existing BCP as a result of the hurricane or any issues it may have revealed.

Provide copies of communications with employees regarding the firm’s operations during the time when the BCP procedures were in effect.

Provide copies of communications with external third parties (i.e. clients, banks, etc.) during the time when the BCP procedures were in effect.

Provide service agreements or other documentation demonstrating the firm’s use of a disaster recovery or backup site during the October 28, 2012 – present timeframe. Include details on the periods of time the site was used, reason for use and whether, at any time, the firm was fully relying on the disaster recovery site.

Provide evidence of the most recent test (with results) of the disaster recovery site.

Investment firms with comprehensive business continuity and disaster recovery plans in place that engage in regular, proactive testing exercises (which we highly recommend!) should have little to no difficulty responding to these requests.

To learn more about best practices for DR & BCP, be sure to check out the vast collection of free resources in our Knowledge Center, or contact an experienced Eze Castle Integration expert.