The SEC proposed a new rule that would require SEC-registered investment advisers to implement written business continuity and transition plans designed to address operational risks related to significant disruptions in the investment advisers' operations. The rule would be included in the Investment Advisers Act as Rule 206(4)-4. The SEC also proposed amendments to Investment Advisers Act Rule 204-2 that would require SEC-registered investment advisers to make and keep all business continuity and transition plans that are or were in effect at this time or at any time within the past five years.

The SEC's proposed rule would require investment advisers to adopt and implement written policies and procedures concerning (i) business continuity after a significant business disruption, and (ii) business transitions, if investment advisers are unable to provide continuing investment advisory services to clients. The newly mandated policies and procedures would be required to address the following items:

  • the maintenance of critical operations and systems, and the protection, backup, and recovery of data;
  • pre-arranged alternate physical locations for advisers' offices and/or employees;
  • communications with clients, employees, service providers and regulators;
  • the identification and assessment of third-party services that are critical to the operation of the advisers; and
  • plans of transition that account for the possible winding down of advisers' businesses or the transition of those businesses to others in the event that the advisers are unable to provide continuing advisory services.

The SEC emphasized the plans' potential benefits: "exposure to compliance and operational risks that may be caused by cybersecurity incidents can be mitigated by addressing such risks in the context of business continuity planning."

In conjunction with the proposed rule, the SEC Division of Investment Management issued guidance for fund complexes in which it urged them to consider (i) the robustness of their business continuity plans and the risks associated with their third-party service providers, and (ii) their service providers' interrelationships to one another and how the fund complexes would respond to significant business disruptions that could affect their internal operations.

Commentary

If approved, the SEC's proposed rule would convert an industry best practice for investment advisers – the implementation of a business continuity plan ("BCP") – into a requirement. In the tradition of BCP rules that have been mandated by FINRA for broker-dealers and by the CFTC for swap dealers, the proposed rule would require all SEC-registered investment advisers to implement business continuity and transition plans that are customized to the risks associated with their specific business operations. This means that individual plans will need to be risk-based because a single "one-size-fits-all" plan will be insufficient. Clearly, the SEC is concerned about investment advisers' ability to service clients in the wake of data loss or facility destruction resulting from natural or man-made disasters. The proposed rules, coupled with the SEC's parallel guidance to investment companies, show that regulators intend to focus on business continuity and transition plans going forward. Investment advisers, including their compliance officers and risk managers, should make the implementation of such plans a top priority. That same level of priority should be afforded the ongoing due diligence and compliance obligations that will follow the plans' implementation.
