Last week’s issue of the Hedge Fund Law Report included a comprehensive analysis of business continuity plans (BCPs) in the hedge fund context. See “Key Elements of a Hedge Fund Adviser Business Continuity Plan
,” Hedge Fund Law Report, Vol. 3, No. 7 (Feb. 17, 2010). That analysis enumerated the key elements of such plans, identified the rationale for each element and highlighted various practical considerations (including the increased focus of institutional investors on BCPs during due diligence and the related focus of the SEC on such plans during inspections and examinations). As the article noted, one of the key elements of any hedge fund adviser BCP is the disaster recovery plan (DRP). Generally, DRPs are – conceptually and literally – subsets of BCPs, which in turn generally are subsets of a hedge fund adviser’s compliance manual. BCPs, as the name implies, focus on procedures to enable a hedge fund manager to continue its business operations and investments without interruption in the event of a range of identified risks and events. Such events may be natural (e.g., hurricanes, earthquakes, pandemics), man-made (e.g., terrorism, theft, other crimes) or technological (e.g., power outages, disruption of exchanges, computer viruses). DRPs, by contrast, focus on procedures to enable a hedge fund manager to get back to business as quickly as possible following a business interruption occasioned by one of the listed categories of risks and events. BCPs are about avoiding disasters; DRPs are about recovering from them. Yet despite the conceptual difference, in practice, they are two sides of the same coin, are often mentioned in the same breath, would both be triggered in many similar circumstances and would call for many of the same actions. Institutional investors are focusing with renewed vigor on DRPs (as they are on BCPs) in the course of their initial and ongoing due diligence. (By “ongoing due diligence,” we mean that a savvy current investor may ask to see a robust DRP as a condition of remaining invested.) There are at least five reasons for this. First, recently uncovered frauds have demonstrated that man-made “disasters” pose serious investment risks. See “Federal Judge Approves Settlement Agreements Arising out of Marc Dreier’s Criminal Fraud; Hedge Fund Victims ‘Squabble’ Over Proposed Recovery
,” Hedge Fund Law Report, Vol. 3, No. 7 (Feb. 17, 2010). Second, institutional investors are starting to perceive and prepare for disasters from an insurance perspective, as quintessential “catastrophes” – high magnitude, low probability events against which precautions can be taken. In this analogy, having a workable DRP is like moving away from beachfront property in a hurricane-prone region. See “The Hedge Fund Transparency Act and its Unintended Consequences for Cat Bonds
,” Hedge Fund Law Report, Vol. 2, No. 20 (May 20, 2009). Third, as a practical matter, many institutional investors outsource a portion of their due diligence to consultants (such as pension consultants) or operational risk due diligence providers. If such service providers perceive the benefits of a DRP at one hedge fund manager on who they perform due diligence, they will look for DRPs at other hedge fund managers. See “How Can Hedge Fund Investors Hone Their Due Diligence in Light of Alarming Rate of ‘Verification Problems’ Discovered in Recent Study of Hedge Fund Due Diligence Reports?
,” Hedge Fund Law Report, Vol. 2, No. 44 (Nov. 5, 2009). Fourth, many hedge fund managers have grown to rely to an increasing degree on technology. Such managers can be adversely and more severely impacted by technological interruptions, but by the same token, they generally can recover from such interruptions faster. Finally, there is the issue of fiduciary duty: a hedge fund manager has a fiduciary duty to its clients (which for most purposes in the hedge fund world means its hedge funds or managed accounts), and no provision in the Investment Advisers Act or at common law provides an exception to that duty during disasters. Put another way, hedge fund managers are required by their fiduciary duties to prepare for foreseeable adverse events. See “For Hedge Fund Managers, How Would a Statutory Definition of ‘Fiduciary Duty’ Affect the Scope of the Duty and the Standard for Breach?
,” Hedge Fund Law Report, Vol. 2, No. 34 (Aug. 27, 2009). In recognition of the practical and marketing imperatives to hedge fund managers of having in place robust and best-of-breed DRPs, this article discusses: a more comprehensive definition of a DRP; the key elements of a hedge fund manager DRP (including recovery point objectives, recovery time objectives and the importance to smaller hedge fund managers of coordinating with service providers); the impact of a hedge fund’s strategy on design of its manager’s DRP; the role played by DRPs in institutional investor due diligence; specific technology issues (including the roles of Blackberries, trading, trade capture and accounting systems, and IT personnel); the potentially paradigm-shifting utility of “cloud computing” in disaster recovery planning; and testing and maintenance of DRPs.