This summer, the SEC proposed a new rule that would require all investment advisers registered with the SEC (RIAs) to adopt business continuity and transition plans. The rule is being proposed in response to the inability of several investment advisers to continue servicing clients in the wake of cybersecurity attacks and natural disasters such as Hurricane Katrina and Hurricane Sandy. Although the concept of a business continuity plan is not new (it is already contemplated by existing Rule 206(4)-7), the proposed rule would mandate the adoption of such a plan and set out specific requirements for its contents. These requirements are designed to remedy weaknesses that the SEC has identified in existing plans through its examination process. The SEC's goal is to minimize service disruptions and to mitigate potential harm to clients if a disruption does occur. The proposed rule would make it a fraudulent or deceptive business practice to provide investment advisory services without maintaining a business continuity and transition plan.
Business Continuity Plans
Business continuity plans are designed to ensure continuity of service in the event of an internal or external disruption. Business continuity events include cyber-attacks, natural disasters, the departure, death or disability of key personnel and equipment failures. Under the proposed rule, a business continuity plan must include four features:
- Maintenance of critical operations and systems, and the protection, backup and recovery of data;
- Pre-arranged alternate physical location(s) of the RIA’s office(s) and/or employees;
- Communications with clients, employees, service providers and regulators; and
- Identification and assessment of third-party services critical to the operation of the RIA.
With respect to maintaining critical operations, the plan should identify and prioritize critical functions and operations and consider alternatives and redundancies. Specifically, RIAs should consider which systems are:
- Used for prompt and accurate processing of portfolio securities transactions on behalf of clients; and
- Critical to the valuation and maintenance of client accounts.
The RIA must be able to communicate trades to broker-dealers and to oversee and manage client accounts throughout a business disruption. The plan should also address the loss of access to data, whether electronic or hard copy.
In selecting a pre-arranged alternate location, the RIA should choose a site that is unlikely to be affected by the same disruption as its primary office. For example, an alternate office a few miles from the original would likely be insufficient, because a regional event such as a hurricane or a widespread power outage could take both sites down at once. The RIA may instead designate an alternate office in a different city or geographic region and allow employees to work through remote access.
The plan should also address how the RIA will continue to communicate with employees, clients and regulators in the event of a disruption. Notably, the RIA must be able to notify its employees of the disruption and how they should communicate with clients and regulators. The plan should account for the possibility that the internet would not be available for such communications.
Finally, the plan should identify and prioritize all third-party service providers that are essential to the RIA's operations. The RIA should assess how each of these providers would maintain business continuity in the event of a disruption to its own business. If a provider does not have a business continuity plan of its own, the RIA should consider alternative providers.
Transition Plans
Transition plans are designed to ensure an orderly transition of client accounts in the event that the RIA exits the market and is no longer able to serve its clients. For smaller RIAs, these plans are intended to provide for an orderly transition in the event of the death or disability of the one or two individuals providing advisory services at the firm. The transition plan may take the form of an orderly wind-down of the RIA's business or a transfer of the client accounts to another adviser. The plan should account for transitions occurring in both normal and stressed market conditions and should consider the types of clients, the RIA's contractual obligations and the relevant regulatory regimes. The plan should include:
- Policies and procedures intended to safeguard, transfer and/or distribute client assets during transition;
- Policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account;
- Information regarding the corporate governance structure of the RIA;
- The identification of any material financial resources available to the RIA; and
- An assessment of applicable law and contractual obligations governing the RIA and its clients implicated by the transition.
The proposed rule will not take effect until final rules are adopted by the SEC. Regardless of whether final rules are adopted, RIAs should begin developing business continuity and transition plans, or reviewing their existing plans, and evaluating whether any changes would be required by the proposed rule. The proposed rule would allow each RIA to tailor the detail of its plan to the specific circumstances of its business, structure, clients and personnel. There is no one-size-fits-all plan: the plan of a single-adviser firm will differ greatly from that of a larger firm with multiple offices and numerous employees.
Members of the Securities Group would be happy to help you develop a plan or revise your existing plan. If you would like more information regarding the Proposed Rules and how they may apply to your company, please contact a member of our firm’s Securities Group at 585-232-6500.