SEC Examination Requests Related to COVID-19 Business Continuity and Operational Resilience

Author

Jami Jack

Publish Date

Type

Compliance Alert

Topics
  • Compliance
  • BCP
  • COVID-19
  • Cybersecurity
  1. Insights
  2. SEC Examination Requests Related to COVID-19 Business Continuity and Operational Resilience

The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) announced in March that it intends to engage in an ongoing outreach with registrants to assess the impacts of COVID-19, including challenges impacting operational resiliency. In the last few weeks, ACA has seen an increase in the number of examinations announced by the SEC examination staff. These examinations are being conducted by teleconference or video interviews and include specific interview questions or document requests related to COVID-19 and firms’ business continuity plans (BCP) and third-party risk. In some instances, the firm received a questionnaire related to COVID-19/BCP items that were not included in the initial document request list.

What is being asked?

ACA started seeing these questions shortly after OCIE’s announcement, but the most recent round includes the following questions related to BCPs and continues to ask about third-party risk:

  • Does your BCP cover the continuity of operations during a pandemic?
  • Does your BCP address the continuity of operations upon the death or lengthy incapacity of one or more of its key personnel?
  • Has working remotely affected your oversight of any third-party vendors or service providers?
  • Does your BCP address the resiliency practices of its key third-party vendors?

ACA also noted the most recent requests include cybersecurity-related questions, which were not included in previous versions:

  • Has the firm identified any new cyber risks due to COVID-19, including with respect to personnel working remotely?
  • Has the firm experienced any cybersecurity breaches or ransomware attacks (i.e., threats to block access to data unless a ransom is paid) involving client information or records during the COVID-19 pandemic?

ACA Guidance

ACA recommends that registered investment advisers consider the SEC’s questions and requests when reviewing their BCP and vendor and third-party risk management programs. Additionally, advisers should ensure cyber risks related to extended work from home have been evaluated and that the firm is vigilant in protecting against breaches or attacks.

For More Information

For more information about the SEC’s requests, please reach out to your ACA consultant or contact us here.

Contact Us

Related insights

curved glass building looking up at a blue sky

2024 Investment Management Compliance Testing Survey Now Open

This survey, now in its 19th year, gathers anonymous information from U.S. investment advisers of all types and sizes for the purpose of reporting on industry trends.

Survey
  • Compliance
2024 ACA Conference

Highlights From the 2024 ACA Conference

As the curtains close on the ACA Conference 2024, the echoes of transformative dialogue and insightful revelations resonate, shaping the trajectory of GRC in financial services.

News
  • Compliance
  • RegTech
  • Cybersecurity
  • ESG
  • Performance
  • Managed Services
  • SEC
cyber lock

Critical Vulnerability Detected in Palo Alto Networks' GlobalProtect Gateways

A popular firewall used in the financial industry is under attack due to a critital zero-day vulnerability. Firms that use Palo Alto Networks' firewall need to update their software to protect their systems.

Cyber Alert
  • Cybersecurity