SEC Examination Requests Related to COVID-19 Business Continuity and Operational Resilience
The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) announced in March that it intends to engage in an ongoing outreach with registrants to assess the impacts of COVID-19, including challenges impacting operational resiliency. In the last few weeks, ACA has seen an increase in the number of examinations announced by the SEC examination staff. These examinations are being conducted by teleconference or video interviews and include specific interview questions or document requests related to COVID-19 and firms’ business continuity plans (BCP) and third-party risk. In some instances, the firm received a questionnaire related to COVID-19/BCP items that were not included in the initial document request list.
What is being asked?
ACA started seeing these questions shortly after OCIE’s announcement, but the most recent round includes the following questions related to BCPs and continues to ask about third-party risk:
- Does your BCP cover the continuity of operations during a pandemic?
- Does your BCP address the continuity of operations upon the death or lengthy incapacity of one or more of its key personnel?
- Has working remotely affected your oversight of any third-party vendors or service providers?
- Does your BCP address the resiliency practices of its key third-party vendors?
ACA also noted the most recent requests include cybersecurity-related questions, which were not included in previous versions:
- Has the firm identified any new cyber risks due to COVID-19, including with respect to personnel working remotely?
- Has the firm experienced any cybersecurity breaches or ransomware attacks (i.e., threats to block access to data unless a ransom is paid) involving client information or records during the COVID-19 pandemic?
ACA recommends that registered investment advisers consider the SEC’s questions and requests when reviewing their BCP and vendor and third-party risk management programs. Additionally, advisers should ensure cyber risks related to extended work from home have been evaluated and that the firm is vigilant in protecting against breaches or attacks.
For More Information
For more information about the SEC’s requests, please reach out to your ACA consultant or contact us here.