Is your business continuity plan ready for SEC scrutiny?
Granted, no advisors could have foreseen a pandemic.
But business continuity plans are ranking high on the SEC’s must-read list as the commission continues its remote compliance reviews of RIAs for the duration of the outbreak.
That’s according to Lori Weston, a compliance consultant, who urged advisors to update their existing plans — especially concerning disaster preparedness — and then follow up with them, during a webcast hosted by TD Ameritrade.
“Most firms have a business continuity plan that is designed to address multiple scenarios,” she said. But, she added, “who could have predicted an event that would have impacted the entire globe simultaneously?”
“No one’s [business continuity plan] is working well,” Peter Driscoll, director of the commission’s Office of Compliance Inspections and Examinations, said last month.
But that doesn’t mean firms can disregard them either, Weston said on the webcast.
Although there’s no SEC regulation on the books mandating that firms maintain business continuity plans, the SEC reviewed the plans of 40 RIAs following Hurricane Sandy in late 2012, when many companies were forced to vacate their offices basically overnight.
From that study, the commission derived a set of best practices that it published in a risk alert the following August, Weston says.
“Even though there’s no formal regulation requiring it,” Weston says, “there’s an expectation that advisors would have these because it’s prudent and because it’s an element of their fiduciary duty to clients.”
Most continuity plans are set up with temporary replacement worksites in mind, Weston says, but not indefinite periods of working from home. These and other aspects of the plan will need to be updated, while existing rules in the plan still must be followed, she says.
For example, “even if every other firm in the industry is experiencing the same disruption,” Weston says, “firms whose plans specified they would contact their regulators in the event of any major disruption to their business need to go ahead and do so.”
That includes the SEC as well as firms’ respective state regulators, Weston says.
Continuity plans exist not only to protect planners’ businesses but also to ensure they maintain their fiduciary duties to their clients — from the protection of their assets to confidential information — during a crisis, she says.
Weston says such a plan also should include contingency guidelines such as the following:
· How do you back up your files?
· How do you access those files if you are experiencing technical difficulties?
· Who do you contact in the case of those difficulties?
· How will you communicate with colleagues and clients if your primary communication system is down?
· Where and how will you work if your office becomes uninhabitable?
· How and how often do you conduct a cybersecurity analysis?
· What procedure will you follow if client data is compromised during a cybersecurity attack?
Firms also need to maintain their regular compliance protocols, even while upping their contact with clients, Weston added.
“It’s absolutely critical that you stay connected with your clients through this crisis,” she says, and document each exchange.
However, If your firm has a no-text policy, then do not begin texting. And if a client does text a request or question, an advisor should take a photo of that text and send it to the firm’s compliance officer, Weston says.
More broadly, firms need to continue to maintain minutes of staff meetings and changes to their portfolios, she says. Those firms not already using electronic signatures might want to start. Advisors, she says, also should talk to their third-party vendors about their own business continuity plans to ensure they are strong enough to meet their own firms’ standards.
When the SEC reviews business continuity plans, advisors should be prepared to add post-pandemic updates they have made.
The commission, Weston says, “will want to know how the BCP works or how it didn’t work. And if an advisor experienced problems with the BCP, [the commission] will want to see the advisor documenting those problems and [explaining] how did they fix them or plan to fix them.”