Almost 10 months after Superstorm Sandy caused widespread destruction in the northeastern U.S., an area not known for frequent hurricane activity, the people and businesses affected have still not fully recovered. As we now reenter the peak of hurricane season, businesses along the eastern seaboard are probably taking a closer look at their disaster preparedness than in years past, in light of last year’s events. The impact of Hurricane Sandy was certainly not limited to the U.S.; it had global implications as well, since, for example, U.S. equity and options markets were closed for two full trading days following the storm. As a result, the SEC, FINRA and the CFTC undertook a joint review of business continuity and disaster recovery planning within their respective jurisdictions. Last week, on August 16, these three regulatory agencies issued a joint release outlining the lessons learned and best practices noted in their investigations and review.
The release focused on a number of specific areas including:
- Widespread disruption considerations;
- Alternative locations considerations;
- Vendor relationships;
- Telecommunications services and technology considerations;
- Communication plans;
- Regulatory and compliance consideration; and
- Review and testing.
The primary theme of the release was that firms should consider the impact of potential catastrophic events on their business operations and how the effects could be mitigated, at least in part, by prior planning. For example, the regulators recommend that firms consider redundancy in the telecommunications and technology services that are vital to operations. If data is maintained in a cloud infrastructure, redundant back-up data storage in a different geographic location might be advisable. Frankly, there is nothing earth-shattering about the best practices identified or the recommendations made, but the release serves as a reminder that companies should have a plan in place to deal with these types of unforeseen situations. Moreover, the recent problems at Nasdaq that resulted in a three-hour “flash freeze” reinforce these concepts even further.
The most interesting piece from a public company perspective, however, is the inclusion of the regulatory and compliance considerations and the review and testing recommendations. The release specifically stated:
- Firms should consider time-sensitive regulatory requirements, since a crisis event can occur at any time. For example, some firms put a lower prioritization on month-end financial processes, which increased challenges due to the storm’s proximity to month end, and caused delays in firms’ production of certain month end data for regulatory computations and financial reporting.
- Firms should regularly update their BCPs [Business Continuity Plans] to include new regulatory and SRO requirements. Firms run the risk of failing to comply with new regulatory and SRO requirements when their BCP is not regularly updated. For example, the Chicago Mercantile Exchange and National Futures Association enacted new requirements for the daily reporting of financial data in 2012. It appeared that this new requirement may not have been included in some firms’ BCP processes and therefore may not have been properly prioritized.
One has to wonder whether this is an indication that the SEC may want to see some level of risk assessment and analysis by public companies related to their business continuity plans in future SEC or other filings. Moreover, because the agencies included a specific discussion of best practices related to periodic review and testing of such plans, I would presume the SEC may also like to see disclosures in this area as well (i.e., are public companies reviewing the plans that are in place on a periodic basis, and are they testing their ability to implement and carry out these plans).
While there is no express requirement to include these types of disclosures in public filings (other than perhaps as risk factors, if material), areas that are in focus for the SEC tend to generate comment letters if they are not addressed by issuers in their filings. This is especially true for issuers in certain industries, such as investment advisers and broker-dealers, where there is a regulatory obligation to maintain a business continuity plan. Thus, I would not be surprised if the SEC issues comment letters in the near future asking for these types of disclosures, especially in light of the recent joint release.
Additionally, the agencies seem to make it clear that unexpected disasters may not be an excuse for failing to maintain compliance with regulatory requirements. Therefore, public companies should assess their ability to comply with applicable regulatory requirements in the wake of catastrophic events and include regulatory matters in their continuity and disaster recovery plans. If public companies are not already including disclosure related to the areas addressed in this joint release, it may be wise to do so, or else they may run the risk of receiving comment letters asking for additional information.