Federal regulators who reviewed the business continuity plans used by financial advisers during Hurricane Sandy have issued a risk alert citing flaws in how the organizations prepared for the disaster, especially when it came to IT.
The examination by the Securities and Exchange Commission of about 40 advisers in areas affected by last year’s storm identified weaknesses that challenged advisers’ ability to stay operational — and compliant with the law. Most organizations know that having a solid business continuity plan makes economic sense. But these kinds of preparations are particularly critical for financial advisers, who have a fiduciary obligation to take steps to protect their clients’ interests from risks resulting from the adviser’s inability to provide services.
Natural disasters, it turns out, are not acceptable excuses for falling out of compliance in the eyes of the SEC, which urged advisers to consider:
- Developing policies and procedures that better anticipate widespread events by providing portfolio managers and other personnel the capability to work from home or other remote locations.
- Establishing backup sites that would have power, Internet access and phone service when these services are interrupted at headquarters. The potential for widespread impacts may necessitate locating backup sites far from the main office.
- Assessing the IT infrastructure of service providers, as it may reside nearby. Disruptions at the service-provider level may create unforeseen operational challenges.
- Lining up alternative Internet providers for guaranteed redundancy. Many advisers interviewed by the SEC reported losing Internet connectivity.
- Testing the operability of all critical systems to identify critical weaknesses to ensure minimal disruptions during a real event.
Advisory firms that have made the decision to virtualize their applications are already a step ahead of the competition, as IT administrators can easily add business-continuity solutions on top of the existing technology. Such solutions instantly and automatically restart affected workloads on intact servers based on designations made long before the disaster.
Continuity solutions also allow administrators to sequence which virtual machines fail over first, ensuring the most important applications are up and running as soon as possible in the event of interruptions in the primary data center.
Andrew Bowden, director of the Office of Compliance Inspections and Examinations at the SEC, said the agency issued the alert to better inform advisers of what steps they may need to take before the next calamity.
“We hope our observations in this risk alert and those in the earlier joint advisory will help industry participants better prepare for future events that threaten to disrupt market operations,” Bowden said.Tags: Technology,Virtualization