Wiggin
Find a Person
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z View All

Publications

Home 9 Publication 9 SEC Issues Risk Alert on Business Continuity Planning for Investment Advisers

SEC Issues Risk Alert on Business Continuity Planning for Investment Advisers

September 3, 2013

On August 26, 2013, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert highlighting weaknesses and best practices observed during its recent examination sweep of investment advisers’ business continuity and disaster recovery planning.[1] While this sweep, which examined approximately 40 investment advisers located in regions affected by Hurricane Sandy, generally found that advisers adopted and maintained adequate business continuity plans (“BCPs”), the Risk Alert describes several weaknesses found in firms’ BCPs and in their responses to challenges presented by Hurricane Sandy.[2]

Background of Business Continuity Planning Requirements

There are no federal rules or regulations directly requiring investment advisers to adopt and implement BCPs. However, the SEC has consistently stated that an adviser’s fiduciary duty obligates it to take adequate measures to ensure that clients’ interests are not jeopardized in the event of a natural disaster, death of key personnel or other major business interruption.[3] Although the SEC has provided little guidance on the actual steps an adviser must take in order to ensure that clients’ interests are adequately protected, it is generally accepted that an adviser should adopt a written BCP tailored to its particular organization that addresses objectives such as: data back-up and recovery; alternative communications between the adviser and employees, clients, vendors and regulators; and an alternative work environment. The approaches for meeting these objectives will undoubtedly vary by firm, based upon, among other things, the number of employees and clients, reliance on technology in managing portfolios, resources available, and geographical location. Nonetheless, as outlined below, the Risk Alert contains insight that should be valuable for all investment advisers in adopting or assessing a BCP.

Weaknesses Observed

OCIE identified seven general areas that advisers should consider when reviewing their BCPs: recovery from widespread disasters; alternative work locations; vendor relationships; technology; communications with clients and employees; updating BCPs to meet current regulatory requirements; and testing. Below are some of the more significant areas of weakness identified by OCIE:

  • Geographically Diverse Recovery Site. OCIE expressed concerns that some advisers did not utilize recovery sites that were located in geographically diverse areas. The Risk Alert advises that firms located on coasts should consider setting up disaster recovery sites inland or sufficiently distanced from its principal offices to ensure that power outages and connectivity issues do not affect both locations. However, a recovery site location needs to be determined by an adviser’s own operations. For example, one consideration in setting up a recovery site is the location of key employees and whether such employees will be able to commute to an extremely remote location in the event of a disaster.

  • Testing Critical Business Systems. OCIE noted that most advisers reported having tested their BCPs annually. However, OCIE observed that some advisers failed to evaluate all critical business operations and systems during such tests. Specifically, OCIE noted that some advisers opted not to test cloud-based disaster recovery solutions because of the costs involved in such testing. As a result, OCIE found that some of these advisers were caught off guard when these solutions did not have adequate capacity to handle all of their customers during Hurricane Sandy.

  • Evaluating Service Providers’ BCPs. OCIE found that some advisers did not evaluate or failed to critically review service provider BCPs or similar reports, such as SSAE 16 reports. OCIE also specifically recommended that firms should understand the IT infrastructure of their service providers, and know whether service providers’ infrastructures are in the same geographical location in which the adviser is located. Additionally, OCIE noted that several advisers did not keep updated contact information for vendors and service providers.

  • Effectively Communicating with Employees and Clients During a Disruption. OCIE found that some advisers did not adequately plan how to contact employees during a disruption, and inconsistently maintained communications with clients. These types of deficiencies can be largely eliminated with unambiguous policies and procedures for notifying employees (i.e., a phone tree), and designating key employees who will be responsible for carrying out procedures such as contacting clients. Also, as the Risk Alert suggests, advisers should consider contacting clients before a major weather-related disruption to inquire about any transactions they will need executed in the event of a prolonged disruption. E-mail templates should be developed in advance for such communications.

Best Practices Observed

Some of the better practices observed by OCIE included:

  • Utilizing multiple back-up servers;

  • Selecting disaster recovery sites that run on a separate power grid;

  • Providing multiple means for employees to access the internet (e.g., wireless cards, back-up providers);

  • Moving important electronic equipment to higher floors; and

  • Having a plan in place to utilize third parties to communicate with clients (e.g., using vendors to send emails during a disruption, using an answering service to provide updates to clients).

Conclusion

In light of this Risk Alert — and OCIE’s consistent focus on disaster recovery planning in examinations — advisers are strongly encouraged to review their BCPs and ensure that they have invested the time and resources necessary to adequately protect their business and meet the SEC’s expectations in this important area.

[2] On August 16, 2013, the SEC, CFTC and FINRA jointly issued a staff advisory on business continuity and disaster recovery planning for a broad range of market participants, such as investment advisers, broker-dealers and exchanges. See /wp-content/uploads/2018/07/jointobservations-bcps08072013.pdf. While there is considerable overlap between the information contained in the joint advisory and OCIE’s August 26 Risk Alert, investment advisers should review both alerts when adopting or assessing a BCP.

[3] See Investment Advisers Act Release No. 2204 (Dec. 17, 2003). Additionally, the Risk Alert notes that Rule 204-2 under the Advisers Act requires advisers to maintain electronic books and records in such a manner “so as to reasonably safeguard them from loss, alteration, or destruction,” implying that electronic records cannot be properly maintained without effective business continuity planning.

Resources

Advisory SEC Issues Risk Alert on Business Continuity Planning September 2013.pdf

Related Services

Firm Highlights

News

Recognized for Excellence: Wiggin and Dana Named Law Firm of the Year, Attorney of the Year, and Earns 8 Additional Honors at the 2025 New England Legal Awards

Wiggin and Dana is proud to announce an extraordinary achievement at The American Lawyer’s 2025 New England Legal Awards, where the firm earned 10 top honors and was recognized as a finalist in additional categories. These awards celebrate excellence across the legal profession, and this year’s results underscore Wiggin and Dana’s commitment to delivering exceptional […]
Read More
News

Wiggin and Dana Celebrates Top Honors in Benchmark Litigation’s 2026 Rankings

Wiggin and Dana is proud to announce that Benchmark Litigation has once again recognized the firm’s excellence in litigation, naming 13 attorneys as “Litigation Stars” and three attorneys as “Future Stars” in its 2026 edition. The firm also earned Benchmark’s highest distinction, being ranked as a “Highly Recommended” firm. Benchmark Litigation praised Wiggin and Dana […]
Read More
News

The National Law Journal Shortlists Wiggin and Dana for Litigation Departments of the Year – White Collar

Wiggin and Dana is proud to announce that its White Collar Defense, Investigations, and Corporate Compliance Practice Group has been selected by The National Law Journal as a finalist for Litigation Departments of the Year, White Collar. The firm’s White Collar Defense, Investigations, and Corporate Compliance Practice Group includes former federal prosecutors from the U.S. […]
Read More
News

Benchmark Litigation Names Wiggin and Dana Partners to the 2025 “40 & Under List”

Wiggin and Dana Litigation Partners, Laura Ann K. Froning, Robyn E. Gallagher, and David Norman-Schiff were named to Benchmark Litigation’s 2025 “40 & Under List”. The Benchmark Litigation team bestows this distinction upon the nation’s most accomplished litigators aged 40 and younger who are considered the top emerging talent in litigation. The list is compiled based […]
Read More
News

Wiggin and Dana Expands Real Estate Practice with Addition of Vasiliki Yiannoulis-Riva

Wiggin and Dana LLP is pleased to announce that Vasiliki (Vasi) Yiannoulis-Riva has joined the firm as a Partner in the Real Estate, Environmental, Construction and Facilities Department, based in both the Stamford, CT and New York, NY offices. Vasi brings more than a decade of experience advising clients on commercial real estate transactions, leasing, […]
Read More
News

Chambers High Net Worth 2025 Honors Wiggin and Dana Lawyers and Private Client Services Practice

Wiggin and Dana is pleased to announce that the firm’s Private Client Services practice and its partners, Michael T. Clear, Daniel L. Daniels, Jevera K. Hennessey, Leonard Leader, Vanessa L. Maczko, Steven B. Malech, and Carolyn A. Reers, have been ranked in the ninth edition of the annual Chambers High Net Worth (HNW) 2025 Guide. Additionally, Jonathan […]
Read More