Pandemic Puts Business Continuity Planning to the Test; Regulators Take Notice
The rapid expansion of the novel coronavirus and the COVID-19 pandemic has caused extreme stress if not panic throughout the financial markets, with ripple effects to many if not all financial advisory firms. Solid Business Continuity Plans (“BCPs”) can help financial advisers stabilize their operations and cope with this dramatic change of circumstances. Here are some reminders and simple yet effective tips for those who find themselves dusting off their BCPs.
Although investment advisers are not subject to an express business continuity rule under the Investment Advisers Act of 1940 or similar statute, and the SEC previously withdrew its proposed business continuity rule, business continuity plans are an integral part of an investment adviser’s fiduciary duty to clients (business continuity planning is noted as part of a compliance program under Advisers Act Rule 206(4)-7, albeit in broad strokes). An adviser’s BCP does not need to cover every possible event or scenario, but a good one is designed to address reasonably foreseeable events. Current events have now rendered health epidemics and pandemics as reasonably foreseeable events.
FINRA, via FINRA Rule 4370, specifically requires broker-dealers to create, maintain, and annually review their respective BCP. On March 9, 2020, FINRA issued Notice to Members 20-08 (“Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief”) in which it counseled broker-dealers to consider pandemics in their business continuity planning and provided guidance on pandemic preparedness and overall BCP diligence. The Notice was important for broker-dealers—and investment advisers would be wise to review it when considering how to mitigate operational challenges and other effects of this current crisis. See also Regulatory Notice 09-59.
Specific pointers:
- Check whether your BCP expressly addresses pandemics or similar health issues. Often, a BCP will include a bullet list of foreseeable risks it is designed to address, or a list of objectives which may include providing for the safety of personnel and the protection of critical data. If your BCP does not specifically mention them already, consider adding pandemics, epidemics, outbreaks, and similar health-related issues reasonably likely to impact operations.
- Make sure the BCP stays current with contact information for all staff and service providers—and emergency contact numbers for all staff.
- Delineate what systems and operations can and will continue in the event that offices need to be closed. The use of cloud-based systems has many advantages but, remember, cloud-based systems also introduce the risk of inadequate security. Caution is essential around mobile device management, cybersecurity, data flow, multiple wireless connections, and more.
- In general, maintain in a secure and accessible location:
- current contact information for clients and investors
- the necessary login information for regulatory filings, which may or may not be given a reprieve from filing deadlines in the event of a pandemic or other crisis
- Be able to easily and securely modify your website to, for example, be able to provide critical communications to clients and investors in the event you cannot reach them all as quickly as may be needed with direct and individualized communication.
To the extent your BCP does not address all the protocols for this specific COVID-19 event, create a BCP Supplement, COVID-19, 2020. Document the additional steps you are taking. For example:
- Document the responsive action items such as maintaining available supplies of disinfectant and sanitizer in the office and the authority for defining and suspending essential and non-essential travel.
- Document the members of an “Emergency Response Team” if not already spelled out in the BCP or if a smaller team can work more efficiently and effectively.
- Obtain backup phone numbers from employees if available (landlines for example).
Remember, hackers and others can take advantage of times of stress and chaos. Remind staff of this and that appropriate verifications must be made before clicking on links, sending documents, and of course transferring funds or securities.
Testing your remote access capabilities before a business continuity event arises is key. Some VPNs may not be able to handle all of your staff connecting simultaneously, whether due to the number of connections or bandwidth concerns. Some staff may not have remote access capabilities at all, however, are nonetheless essential to your operations. Those who have not previously tested their BCP are now faced with a live event. But, there is still opportunity for you to engage effective emergency protocols with the right tools and insight. Please contact us at CSS if you would like further assistance.
A final point: The SEC and other regulators likely will examine how you have handled this situation, just as they did after Hurricane Sandy. Following the SEC’s “sweep” examinations of Hurricane Sandy responses, the SEC issued a Risk Alert outlining what firms did well and what were the weaknesses. Review that alert now, so that history can advise the present and former weaknesses can turn to strength.
We hope you and your families stay well.