Registered investment advisers would be required to adopt and implement written business continuity and transition plans under a new rule proposed by the Securities and Exchange Commission.
These would assist advisers in preserving the continuity of advisory services in the event of business disruptions, temporary or permanent, the SEC says. Among the disruptions detailed in the proposal are natural disasters, cyber-attacks, technology failures, and the departure of key personnel.
The rule would require an adviser’s plan to be based upon the particular risks associated with its operations, including policies and procedures addressing: maintenance of systems and protection of data; pre-arranged alternative physical locations; communication plans; reviews of third-party service providers; and transition plans if the adviser is winding down or unable to continue providing advisory services. Advisers would be allowed to customize plans based upon the complexity of their business operations and the risks attendant to their particular business models and activities.
The proposed rule and rule amendments also would require advisers to review the adequacy and effectiveness of their plans at least annually and to retain certain related records.
“While an adviser may not always be able to prevent significant disruptions to its operations, advance planning and preparation can help mitigate the effects of such disruptions and in some cases, minimize the likelihood of their occurrence, which is an objective of this rule,” SEC Chair Mary Jo White said in a statement.
The proposal will be published on the SEC’s website and in the Federal Register, triggering a 60-day comment process.
The SEC’s Division of Investment Management also issued related guidance addressing business continuity planning (BCP) for registered investment companies.
“In recent history, significant business disruptions have impacted the financial services industry and, as a result, business continuity and disaster recovery practices have appropriately taken on more importance in the industry and have been subject to increased focus by regulators,” the guidance says.
The document details recent outreach to fund complexes and their advisers regarding business continuity planning. Notable and common practices included:
Plans typically cover the facilities, technology/systems, employees, and activities conducted by the adviser and any affiliated entities, as well as dependencies on critical services provided by other third-party service providers.
A broad cross-section of employees from key functional areas is involved in BCP programs at the fund complex, typically including, but not limited to, senior management (including officers of the fund), technology, information security, operations, human resources, communications, legal, compliance, and risk management, to assist in efforts to ensure continuity and resiliency when events occur.
The Chief Compliance Officer and/or the CCO of other entities in the fund complex typically participate in the fund complex’s third-party service provider oversight process as conducted by key personnel.
Service provider oversight programs generally incorporate both initial and ongoing due diligence processes, including review of applicable business continuity and disaster recovery plans for critical providers.
The fund complex typically seeks a combination of information to conduct its oversight, including, but not limited to, service provider presentations, on-site visits, questionnaires, certifications, independent control reports, and summaries of programs and testing.
Although practices vary, BCP presentations are typically provided to fund boards of directors, with CCO participation, on an annual basis and are given by the adviser and/or other critical service providers. Presentations may be provided separately or as part of periodic presentations related to contractual arrangements, including the CCO’s annual update to the board.
For many fund complexes, some form of BCP testing for their plan occurs at least annually, and the results of the fund complex’s tests may be shared in updates to fund boards.
Business continuity outages, including those incurred by the fund complex or a critical third-party service provider, are monitored by the CCO and other pertinent staff and reported to the fund board as warranted.
The Division supplemented these observations with its own suggestions for fund complexes. They should consider examining critical service providers’ backup processes and redundancies, the robustness of the provider’s contingency plans, including reliance on other critical service providers, and how these providers intend to maintain operations during a significant business disruption.
It is also important to understand how a BCP addresses the risk that a critical service provider could suffer a significant business disruption and how the provider and the fund complex might respond under certain scenarios.
There should be consideration of how to best monitor whether a critical service provider has experienced a significant disruption (such as a cyber-security breach or other continuity event) that could impair its ability to provide uninterrupted services, the potential impacts such events may have on fund operations and investors, and the communication protocols and steps that may be necessary.
These protocols might include: policies and procedures for internal communications (involving senior management, legal, compliance, risk management, technology, information security, operations, human resources, and communications staff); external communications plans that address ongoing discussions with the affected service provider, intermediaries, investors, regulators, and the press; and timely communications that report progress and next steps, including updates to websites or portals that facilitate accessibility and the broad dissemination of information.