On Tuesday, the US Securities and Exchange Commission (SEC) issued a risk alert detailing what private equity firms and other advisers are getting right, and wrong, about disaster recovery planning.
After Hurricane Sandy disrupted many advisers' business operations in late October, the SEC's Office of Compliance Inspections and Examinations reviewed the business continuity and disaster recovery plans of some 40 registered investment advisors in areas most heavily hit by the Category 3 hurricane.
It is unclear which private equity firms specifically, if any, were part of the post-Sandy assessment. The SEC did not return a request for comment by press time
“Advisers generally adopted and maintained written business continuity plans,” the risk alert said, which explained the SEC can examine registered advisors' business continuity plans because of their legal fiduciary duties to investors. “The degree of specificity of the advisers’ written [plans] varied; some had also developed specific [plans] for Hurricane Sandy just prior to the storm’s arrival.”
The alert went on to recognize firms that distributed business continuity plans to employees and noted that some firms had employees sign documents indicating they had received such plans.
The guidance comes just days after the SEC and sister financial regulators issued a joint review of Sandy's damage to financial markets, which PE Manager covered here.
The new risk alert mentioned some specific weaknesses found in investment advisers' disaster planning strategies. For example some firms did not sufficiently account for regional disasters, or the ability of key personnel, such as portfolio managers, to work remotely from the office.
Another weak point discovered was advisers' relationship with service providers during a crisis event, the risk alert said. For example, “advisers did not ensure that the service providers’ plans incorporated key business continuity controls that related to the advisers’ ability to execute their own BCPs.” In another related example, the SEC said some advisers opted not to test their cloud-based disaster recovery services to avoid test charges.
The full risk alert can be read here. See related article to the right for expert advice and commentary on how your peer firms are preparing for unexpected disaster events.