Skip to main content

Policy Objective:

The purpose of this policy is to formalize the Business Continuity program of LPL Financial and its affiliates and to provide guidelines for developing, maintaining and testing Business Continuity Plans (BCPs).

This policy establishes the basic principles and framework necessary to ensure emergency response, resumption and recovery, restoration and permanent recovery of LPL Financial and affiliate operations and business activities during a business interrupting event. For the purposes of this policy “LPL Financial” refers to LPL Financial and all affiliated companies including Concord Wealth Management, The Private Trust Company and Fortigent.

Policy Owner:

The Compliance, Legal and Risk (CLR) BCP department is responsible for drafting and updating the policy. Individual business owners are responsible for complying with the policy and managing, updating and testing their business continuity plans.

Policy Scope:

The Policy is designed to comply with FINRA Rule 4370 as well as business continuity best practices, and apply to all LPL Financial and its affiliates organizations and employees.

This policy applies to all LPL Financial staff, facilities and IT systems at all locations. LPL Financial shall be prepared for scenarios including, but not limited to, natural disaster, power outage, technology failures, pandemics and any other event that may disrupt our ability to do business.

This policy provides guidance for the resumption and recovery of time sensitive business operations in accordance with pre-established timeframes as well as ensuring that adequate plans are in place for the less time sensitive business operations.

Revision Process:

This Policy shall be reviewed no less frequently than annually by the Compliance, Legal and Risk BCP Department.

LPL’s Business Continuity Plan was reviewed and approved on May 22, 2017 and is updated throughout the year as necessary.

1) Policy Statement

LPL Financial and our affiliates are committed to providing timely service to our clients and accounting for the safety of our employees and communicating to them as appropriate during emergency situations. We recognize the importance of preparing for various disaster scenarios that could hinder our ability to provide service. We have taken aggressive steps to provide for business contingency and continuity planning under a variety of potential scenarios including regional disasters, single building disruptions, data center disruptions and pandemic events. LPL Financial recognizes that a business dependent on advanced technology must include contingency planning. To ensure that all critical business functions continue in case of a disruption, we have committed to develop the business continuity plan.

Responsibilities:

The Compliance, Legal and Risk department is responsible for administration of this policy. The following sections denote the business continuity program elements and the distribution of responsibilities for LPL Financial business continuity.

Key Stakeholders:

The key stakeholders who participate in institutional BC program policy, planning and governance are senior management and critical systems, services and applications owners:

  • Audit Committee of the Board of Directors;
  • Executive Management Committee;
  • Risk Oversight Committee;
  • Continuity, Privacy and Security Steering Committee;
  • Compliance, Legal and Risk;
  • Business Technology Services;
  • Corporate Shared Services;
  • Human Capital;
  • Finance;
  • Legal;
  • Internal Audit;
  • Legal;
  • Affiliate BCP Administrators;
  • Business Continuity Plan Owners;
  • Business Continuity Team Leads;

2) Recovery Priorities

The Business Continuity and Disaster Recovery plans developed by LPL Financial have been designed to focus on the resumption of operations and services in the event of a business disrupting event or disaster. Following a disaster situation, LPL Financial will prioritize under the following constraints when enacting our plans:

  1. Life Safety – Priority consideration is given to the life safety of employees and the community. Recovery activities that cannot be performed with reasonable security of injury or life safety will be deferred until deemed safe to perform.
  2. Safeguarding assets – second priority will be given to safeguarding of LPL Financial’s assets, including financial assets, physical building locations, equipment, information technology systems, data and records.
  3. Resumption of operations – after providing for the protection of people and assets, priority will be given to the resumption of services and operations. Services and operations will be restored by priority as established through the Business Impact Analysis.

3) Corporate Business Continuity and Disaster Recovery Plan Overview

The Compliance, Legal and Risk department, located in San Diego, CA, facilitates business continuity and disaster recovery planning processes. Individual business units own their respective recovery plans. The individual application development groups within the Business Technology Services department own the application recovery plans contained within the global disaster recovery plan (DRP).

4) Business Continuity Program Elements

The LPL Financial business continuity program is made up of business continuity, disaster recovery, emergency preparedness and crisis communications.

4.1) Business Impact Analysis (BIA) and Risk Assessment

The Compliance, Legal and Risk BCP Department shall partner with the various departments within LPL Financial to conduct a business impact analysis (BIA) periodically across all of the organization. The purpose of the BIA is to determine criticality of each of the processes performed at LPL Financial, prioritize the business processes, and to identify gaps that may impact our ability to execute our plans.

The BIA identifies the business process’s Criticality Rating, Recovery Time Objectives (RTOs) and business process Recovery Point Objectives (RPOs).

Compliance, Legal and Risk uses the BIA results with the business units as a basis for developing business unit-specific business continuity plans (BCP’s), identifying key business processes and the associated risks if these processes were not available. Each business unit shall appoint a BCP Team Lead who will coordinate the development of the business unit-specific plans and testing.

Responsibilities:

Compliance, Legal and Risk BCP Department

  • Administering the Business Impact Analysis workshops with each department
  • Identifying gaps between technology capabilities and business requirements

All LPL Financial Departments

  • Participating in the Business Impact Analysis process
  • Accept, transfer or put a plan in place to minimize the risks of any associated gaps.

Business Technology Services TRM Department

  • Providing information on disaster recovery capabilities for LPL Financial technology.
  • Identifying enhancements, changes and new technology that may impact disaster recovery capabilities.

4.2) Corporate Business Continuity & Disaster Recovery Plan

LPL Financial shall have a business continuity and disaster recovery plan in place to comply with the applicable regulations and address a variety of worst case scenarios including pandemic events, loss of a data center or loss of access to a facility and loss of an entire region, but also adaptable to a lesser disruption, such as the loss of a single area or piece of equipment. This plan includes the recovery of critical LPL Financial and affiliated companies’ technology and functions across all channels of business provided at each of our home office locations.

Maintenance:

The Compliance, Legal and Risk BCP Department are responsible for the LPL Financial Corporate Business Continuity and Disaster Recovery Plan. The plan will be updated at least annually in accordance with FINRA Rule 4370 and as often as changes require, with changes captured in the revision history of the plan within RSA ARCHER. All material and significant changes should be incorporated as soon as possible and not held to satisfy the periodic schedule.

Testing:

The Corporate Business Continuity Plan will be tested no less than annually through tabletop exercises with our Emergency Response Team (ERT).

Responsibilities:

Compliance, Legal and Risk BCP Department

  • Updating the corporate plan as necessary and circulating for review.
  • Presenting the plan for approval to a member of senior management who is a registered principal to satisfy FINRA Rule 4370 (d)
  • Facilitate testing of the plan.

Continuity, Security and Privacy Steering Committee

  • Identifying material changes to business that would require an update to our corporate business continuity plans.

4.3) Department Business Continuity Plans

All departments that perform functions identified by the Business Impact Analysis as mission critical, critical, or essential with recovery time objectives within 3 days are responsible for creating, maintaining, and testing individual business continuity plans for the recovery of their critical business processes. Copies of the plans must be filed with the Compliance, Legal and Risk (CLR) business continuity department. All plans should include a recovery strategy for a regional disaster scenario. For example, San Diego business units should plan for a recovery in Charlotte or Boston and vice versa. Departments identified as important or Non-essential should have communication plans in place to reach employees during an emergency event.

Senior management over those departments is responsible for those plans.

Mission Critical, Critical, Essential, and Important are defined below. To determine where your department is ranked, refer to Section 2 of the business continuity plan.

Maintenance:

All LPL Financial organizations shall update their BCPs no less than quarterly and as often as changes require, with changes captured in the revision history of the plan. All major updates should be incorporated as soon as possible and not held to satisfy the periodic quarterly review process.

Testing:

All Departments identified as Mission Critical, Critical and Essential should test their plans no less than annually.

Related Roles:

Senior management of each LPL Financial organization shall make responsible and dependable employees available for designation of key BCP related roles.

BC Plan Administrator

Each LPL Financial organization in the scope of the business continuity plan shall have a plan administrator to act as the primary liaison with GRC on plan updates and testing. The administrator will coordinate plan updates with the team leads.

BCP Team Leads

Each LPL Financial department within the scope of the business continuity plan shall have a BCP Team Lead designated to coordinate departmental recovery efforts during a BCP event and review and update the plan documents as needed. BCP Team Leads should be at the AVP level or above.

BCP Owner

Each LPL Financial department within the scope of the business continuity plan shall assign an executive as the BCP Owner for the business continuity plans. The owner will have oversight of the department planning efforts and responsibility for approving the BIA and testing results for the plans. The BCP Owner should be at the SVP level or above and have ownership of the processes in scope for that plan.

Responsibilities:

Compliance, Legal and Risk BCP Department

  • Identifying departments that are Mission Critical, Critical, Essential and Important through the Business Impact Analysis
  • Assisting with plan development
  • Monitoring compliance of this policy and maintenance of plans
  • Coordinating testing efforts and documenting results

Departments identified as Mission Critical, Critical and Essential

  • Assigning representatives to BCP related roles
  • Documenting plans to recover critical business processes
  • Identifying dependencies on technology, other departments and critical vendors
  • Identifying support requirements
  • Reviewing and updating plans on a quarterly basis
  • Testing plans no less than annually

Departments identified as Important or Non Essential

  • Documenting plans to communicate with employees during emergency events.

Business Technology Services TRM Department

  • Developing plans to support the resumption of critical business activities.

4.4) Disaster Recovery Plans

Technology will have a Disaster Recovery Plan and Procedures to replace failed hardware; restore data and systems; and operate at a reduced capability for Mission Critical systems in the event of a disaster until full service can be restored. In addition, Technology will have processes and procedures to support the enterprise BC and DR plans.

Maintenance:

Technology shall review and update if necessary all disaster recovery plans no less than quarterly and as often as changes require, with changes captured in the revision history of the plan. All major updates should be incorporated as soon as possible and not held to satisfy the periodic quarterly review process.

Testing:

All Departments identified as Mission Critical, Critical and Essential should test their plans no less than annually.

Related Roles:

Senior management within Technology shall make responsible and dependable employees available for designation of key DR related roles.

DR Coordinator:

The Disaster Recovery Coordinator within the Technology Risk Management department within Technology is in charge of the coordination of DR planning, testing, maintenance and execution of the plan.

DR Team Leads:

Management of each Technology Department is responsible for reviewing their related plans and communicating changes to the TRM department.

Disaster Recovery Plan Owner:

The Business Technology Services Department shall assign an executive as the Owner for the Disaster Recovery Plans. The owner will have oversight of the planning efforts and responsibility for approving plans and testing results for the plans. The Owner should be at the SVP level or above and have an ownership stake in the plan.

Responsibilities:

Business Technology Services TRM Department

  • Document plans and procedures for recovery of mission critical systems.
  • Coordinate DR planning, testing and plan execution

Compliance, Legal and Risk BCP Department

  • Identifying systems that are Mission Critical, Critical, Essential and Important through the Business Impact Analysis
  • Identifying gaps between business requirements and technology capabilities.

4.5) Emergency Preparedness Plans

LPL Financial shall have emergency preparedness plans in place to establish procedures for the safe, timely and orderly evacuation in case of fire, bomb threat or other emergencies of affected areas of LPL Financial or affiliated companies at each of our office locations.

LPL Financial’s Emergency Preparedness Plan is based on a team approach. The response efforts are directed and coordinated by the Building Site Commander. The Building’s Emergency Response Team (BERT) comprises the Building Site Commander, Floor Wardens and Department Captains.

All Building Emergency Response Team Members shall be familiar with the Building Emergency Preparedness Plan, the location of elevators, exits, stairwells and the location and operation of any available fire alarm or fire prevention devices.

BERT Team Members shall have available a current list of all Personnel Needing Assistance (PNA’s) who cannot use stairs unaided. Team members shall make arrangements for a “buddy” (PNA monitors) to assist these handicapped (PNA’s) occupants in exiting the building.

Maintenance:

All LPL Financial organizations shall review and update if necessary their rosters no less than quarterly and as often as changes require. Role changes should be incorporated as soon as possible and not held to satisfy the periodic quarterly review process.

Testing:

All buildings should perform evacuation drills no less than annually.

Related Roles:

Senior management at each building shall make responsible and dependable employees available for designation as Building Site Commanders, Floor Wardens, Department Captains, and Alternates.

Building Site Commander

Building Site Commanders should be individuals who spend the majority of their working hours in and are thoroughly familiar with the building and parking area.

Floor Wardens

Each floor of all LPL Financial locations will be under the direction of the designated Floor Wardens for the evacuation of occupants. The Floor Wardens shall be assisted in duties by the Alternate Floor Wardens, and Department Captains. A Floor Warden and alternate shall be assigned to a reasonable area of the floor that will not put the individual in any danger to perform their duties and evacuate. The actual square footage may vary depending on the specific layout for the floor space.

Department Captain

Each department should have an assigned Department Captain and alternate that is responsible for accounting for their department staff following an evacuation and the emergency preparedness of that department.

Responsibilities:

Corporate Security

  • Ownership of emergency preparedness and safety planning and execution of testing.

Real Estate & Facilities

  • Coordinating training on roles and responsibilities with Compliance, Legal and Risk.
  • Conducting evacuation drills at each of our building locations.
  • Documenting results and observations during evacuation drills.

Compliance, Legal and Risk BCP Department:

  • Coordinating training on roles and responsibilities with Corporate Security.
  • Ensuring testing is done in accordance with this policy.

Management at each LPL Financial facility location:

  • Identifying personnel to assign as BERT Team Members
  • Ensuring BERT Rosters are kept up to date

4.6) Crisis Communications Plans

LPL Financial will have a Crisis Communication plan in place to protect the LPL Financial brand and to ensure the safety of LPL Financial employees and the continued operation of essential services. The Crisis Communication plan provides the framework to make sound, strategic and timely decisions for communicating during a crisis and is intended to supplement the firm’s robust business continuity plan.

Maintenance:

The Crisis Communications Plan will be updated at least annually and as often as changes require, with changes captured in the revision history of the plan. All material and significant changes should be incorporated as soon as possible and not held to satisfy the periodic schedule.

Testing:

The Crisis Communications plan should be tested at least annually.

Related Roles:

Senior management within Corporate Communications shall make responsible and dependable employees available for designation of related roles.

Crisis Communications Plan Administrator:

Corporate Communications shall assign a representative to act as the administrator of the Crisis Communications Plans. The Crisis Communications Plan Administrator is in charge of the coordination of planning, testing, maintenance and execution of the plan.

Crisis Communications Department Team Leads:

Each department involved in the crisis communications plan shall have a team lead designated to review the plan for updates for their specific department.

Crisis Communications Plan Owner:

Corporate Communications shall assign an executive as the Owner for the Crisis Communications. The owner will have oversight of the planning efforts and responsibility for approving plans and testing results for the plans. The Owner should be at the VP level or above and have an ownership stake in the plan.

Responsibilities:

Corporate Communications:

  • Document plans and procedures for crisis communications.
  • Update plans as necessary.
  • Testing plans at least annually.

Compliance, Legal and Risk BCP Department:

  • Ensuring plans are updated and tested in accordance with this policy.
  • Keeping record of testing results.

4.7) Branch Office Business Continuity Plans

LPL Financial branch offices are required by the Branch Office Security Policy to have a business continuity plan in place. Templates are available to the Branch Offices on the Resource Center to document their plans. The Branch Examinations team in Compliance, Legal and Risk is responsible for checking to make sure they comply with this policy. LPL Financial is responsible for ensuring customers of an advisor affected by a disaster are able to transact business on their accounts and have access to their funds if they cannot reach their advisor. LPL Financial has a client line that customers can call if they are unable to contact their advisor. This information is provided to customers in the business continuity disclosure statement as part of the new account welcome package and on our website on www.lpl.com. Depending on the severity of the disaster situation, LPL Financial may also reach out to affected advisors and use additional means to communicate with their clients on how they can get in touch with us.

Responsibilities:

All LPL Financial Branch Office Locations

  • Document business continuity plans as required by the Branch Office Security Policy.

Compliance, Legal and Risk Branch Examinations Department

  • Check for compliance to this policy during branch examinations

Compliance, Legal and Risk BCP Department

  • Development and maintenance of business continuity disclosure statement that instructs clients on how to contact LPL Financial if their advisor is unavailable.
  • Provide templates for branch offices to document their business continuity plans.

4.8) Training

Business Continuity training is essential for effective resumption and recovery of operations. LPL Financial conducts corporate wide training on business continuity and disaster recovery and role-specific training for key personnel with BCP related roles and responsibilities.

Responsibilities:

Compliance, Legal and Risk BCP Department

  • Collaboration with Technology on the creation and administration of the corporate training program
  • Providing BCP role specific training at least annually and as changes to key roles occurs.

Individuals with BCP related roles

  • Ensuring a transfer of knowledge during role transitions

Business Technology Services TRM Department

  • Collaboration with GRC on the creation and administration of the corporate training program
  • Providing DR role specific training at least annually and as changes to key roles occurs.

4.9) Governance & Management Reporting

As demonstrated in this policy, Business Continuity is an institutional concern affecting all organizations and therefore must receive the proper guidance and oversight. The organizations listed in the Key Stakeholders section of this policy shall participate in the LPL Financial BC program governance.

Reporting business continuity planning status and progress is a key element of creating an effective BC program in the organization. GRC shall report the status and progress of the BC program to senior management and key risks to the Risk Oversight Committee at least annually.

Policy Compliance:

Consistent compliance with this policy is essential to its effectiveness. LPL Financial and affiliated companies are expected to adhere to this policy and to follow it consistently. The Compliance, Legal and Risk BCP Department will assess the preparedness of all the organizational groups, business units, disaster recovery technology capabilities and report periodically to senior management. The assessment will include the status on plan maintenance, testing, the business impact analysis and exposures.

Internal Audit, as part of its work program, will review the business continuity plans periodically to ensure compliance of the overall Business Continuity Program.

5) Business Continuity Program Tools

LPL Financial utilizes different tools for the management of the business continuity program. RSA Archer is used to administer the Business Impact Analysis, develop and document plans and reporting. Crisis Connect is used for emergency and crisis communications.

5.1) RSA Archer

RSA Archer (The Security Division of EMC) is business continuity management software that LPL utilizes to conduct the Business Impact Analysis, create and maintain business continuity and disaster recovery plans and report status on key items and risks.

Responsibilities:

Compliance, Legal and Risk BCP Department

  • Administration of the RSA Archer planning tool
  • Training of users on the system

Departments identified as Mission Critical, Critical, Essential or Important

  • Assigning an administrator to make updates to the plan.
  • Defining technology, process, vendor and people dependencies within the system.
  • Reviewing the plan information within the system no less than quarterly.

Human Resources

  • Providing report from Workday with employee data to populate the software tool

Business Technology Services TRM Department

  • Maintaining technology information, dependencies and disaster recovery capabilities within the system

5.2) LPL Alert

LPL Alert is an emergency notification system that LPL Financial utilizes to notify key BCP personnel of an emergency event and automatically initiate conference calls with key response teams.

Responsibilities:

Compliance, Legal and Risk BCP Department

  • Administration of the LPL Alert tool
  • Training of users on the system

Departments identified as Mission Critical, Critical, Essential or Important

  • Assigning an administrator to make updates to the system.
  • Maintaining team information within LPL Alert.

Human Resources

  • Providing report from Workday with employee data to populate the software tool.

Business Technology Services TRM Department

  • Maintaining Technology Team information within LPL Alert.

6) Applicable Regulations:

The Business Continuity Plans of LPL Financial and affiliated companies are designed to comply with the relevant regulatory rules. LPL Financial is governed by FINRA and the SEC and subject to FINRA Rule 4370 “Business Continuity Planning”. PTC is governed by the Office of the Comptroller of the Currency (OCC) and subject to abiding by FFIEC guidelines for business continuity planning.

The complete rules and guidelines can be found at the following sites:

  • FINRA Rule 4370: http://www.FINRA.org/Industry/Issues/BusinessContinuity/
  • FFIEC Guidelines: http://ithandbook.ffiec.gov/it-booklets/business- continuity-planning.aspx

Responsibilities:

Compliance, Legal and Risk BCP Department

  • Ensuring plan compliance to applicable regulations.

Affiliate BCP Contacts

  • Addressing applicable regulations within the business continuity plan document.
Securities and advisory services are offered through LPL Financial (LPL), a registered investment advisor and broker-dealer (member FINRA/SIPC). Insurance products are offered through LPL or its licensed affiliates. Simmons Bank is not registered as a broker-dealer or investment advisor. Registered representatives of LPL offer products and services using the marketing name Simmons Investment Services, and may also be employees of Simmons Bank. These products and services are being offered through LPL or its affiliates, which are separate entities from, and not affiliates of, Simmons Bank. Securities and insurance offered through LPL or its affiliates are: