This hurricane season might be the worst on record, and the structural damage and economic impact wrought by these storms are enough to imperil the business continuity plans of even the most seasoned firms. This is a true test for them. And for business owners fortunate enough to lie a safe distance away, it is important to sympathize—but also to watch and learn.
A little over a year ago, the Securities and Exchange Commission announced a proposed new rule requiring investment advisers registered with the SEC to adopt and implement written business continuity and transition plans. The purpose was a simple one: to reduce risks of a significant disruption—say, from a natural disaster or a cyber attack against a company’s operations—in order to minimize client and investor harm. The hurricanes of August and September easily qualify as a perfect test case.
Take Texas, where August’s Hurricane Harvey dumped more than 50 inches of rain in a single week.
Financial firms like Houston-based Salient announced that they had implemented their continuity plan and were “conducting normal business operations including portfolio management and trading activity from other locations in Texas and in San Francisco.”
The SEC said it was seeking to “facilitate the adoption and implementation of robust BCPs by all SEC-registered investment advisers.” Sufficient plans enumerated in the proposed rule would include:
- policies and procedures addressing maintenance of critical operations and systems, and the protection, backup, and recovery of data;
- pre-arranged alternate physical locations;
- communications with clients, employees, service providers, and regulators;
- identification and assessment of third-party services critical to the operation of the adviser; and
- a plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others.
The agency used other hurricanes—Hurricane Katrina (2005) and Hurricane Sandy (2012) as its case studies and as support for the rule. “Various weather-related events have tested, on a large scale, the effectiveness of existing BCP components of advisers’ compliance programs,” the proposed rule said. The decision to require advisors to develop and maintain transition plans was deemed a “new obligation” under SEC regulations, which have not yet been finalized.
A recent survey of 599 investment adviser firms conducted by the IAA, ACA Compliance Group, and OMAM, a global multi-boutique asset management company, found that cyber security—not natural disaster recovery—is the top concern among compliance professionals. More than three-quarters of those business leaders surveyed said that their firms increased compliance testing in cyber security over the past year. Disaster recovery was identified as an area of concern by 20 percent of respondents (up from 12% the previous year) and 38% of firms reporting said they had increased testing for disaster recovery planning.
As Harvey raged across Texas and Louisiana, and estimates of the projected financial impact from the storm rose to $30 billion, FEMA urged “businesses of all sizes” to review and update their business continuity plans and to ensure their workforce knows what to do before and during the storm. Time will tell if the BCMs of companies in Harvey’s wake were sufficient.