The Securities and Exchange Commission (SEC) recently proposed a rule that would require registered investment advisers to adopt or amend their current business continuity and transition plans (BCP). Under the proposed BCP rule, the plans must be reasonably designed to address operational risks related to a significant disruption in the adviser’s business.
Why the need for this BCP rule?
As in other industries, business continuity and transition plans would help ensure the continuity of operations in the event of significant business disruptions, such as natural disasters, cyber-attacks, technology failures, the departure of key personnel, and similar events. “While an adviser may not always be able to prevent significant disruptions to its operations, advance planning and preparation can help mitigate the effects of such disruptions and in some cases, minimize the likelihood of their occurrence, which is an objective of this rule,” SEC Chair Mary Jo White said in a press statement.
In its proposal, the SEC acknowledges that many investment advisers already have taken steps to address and mitigate the risks of business disruptions. However, the agency also notes that its examiners have raised concerns about the adequacy of some advisers’ plans to address operational and other types of risks associated with business resiliency. The proposal specifically cites the havoc created by Superstorm Sandy as evidence that financial firms’ BCPs failed to address and anticipate widespread events.
Provisions of the proposed BCP rule
Under Rule 206(4)-4, it would be unlawful for an SEC-registered investment adviser to provide investment advice unless the adviser adopts and implements a written business continuity and transition plan and reviews that plan at least annually. The proposed BCP rule would require advisers to adopt and implement written business continuity and transition plans that include certain specific components, including:
- Maintenance of critical operations and systems, and the protection, backup, and recovery of data;
- Pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees;
- Communications with clients, employees, service providers, and regulators;
- Identification and assessment of third-party services critical to the operation of the adviser; and
- Plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services.
Under the SEC’s proposed BCP rule, advisers must review the adequacy of their BCPs and the effectiveness of their implementation at least once a year. The review generally should consider any changes to the adviser’s products, services, operations, critical third-party service providers, structure, business activities, client types, location, and any regulatory changes that might suggest a need to revise the plan.
The proposed BCP rule would require advisers to maintain copies of all written business continuity and transition plans that are in effect or were in effect at any time during the last five years after the compliance date.