The Next Level Network Blog

IT Management, Security, Compliance for Regulated Firms

What to expect from an SEC Audit of Your DR & BCP

SEC audits are never welcome, but with this blog entry you can at the very least know what to expect and what to prepare for with your Disaster Recovery and Business Continuity Plan.

Storms in the Northeastern United States have increased in frequency and severity, with Hurricanes Sandy, Irene and Earl wreaking havoc on power and communications. In response, the SEC has begun proactively auditing hedge funds' Disaster Recovery and Business Continuity Plans. The purpose of the audits is to assess the impact of natural disasters on your firm's operations.

Their main driver is to ensure your firm's ability to continue operations during a disaster: making sure procedures are in place to treat all your clients equally and to allow redemptions to be made. In addition to reviewing your redemption requirements, they will be inspecting the following Information Technology related processes:

6 Things to Expect from an SEC Audit of Your DR & BCP Plan

  1. How often is the BCP tested?  It is recommended that firms perform a full test bi-annually.
  2. When was the firm's BCP last tested?  Your firm should have a document with specific dates and a checklist of functionality.
  3. What did the BCP test consist of?  A DR & BCP site test should consist of a full "power-down" of production servers and EVEN the entire office.  Tests of Email, PDA, File and OMS should be performed.
  4. Were any weaknesses revealed?  Keep a record of issues that arise.  There is no better test than an actual disaster.  The best laid plans of mice and men oft go astray, so take a breath and use this as a learning experience and a way to make your plan better.
  5. What changes were made to the BCP as a result?  This is extremely important.  Technology will fail us all but showing how you reacted and adjusted is the most important aspect of your BCP.
  6. How were changes communicated to employees?  Every firm should have a Call Tree.  In addition to corporate phone and email, the BCP "Leader" should be collecting personal mobile phone numbers for texting and a secondary, personal email account in case the firm's Disaster Recovery and Business Continuity Plan has failed.



The SEC's requirement that regulated firms have a Disaster Recovery and Business Continuity Plan will prove excellent preparation for devastating weather events as well as for pedestrian power outages.  These contingencies are necessary.  A great Disaster Recovery and Business Continuity Plan is constantly evolving - a partnership between Operations, Compliance & Information Technology is essential for success.

