The Securities and Exchange Commission (SEC) has frequently said that an investment adviser’s fiduciary duty requires an adviser to plan for unexpected disruptions in business. Consequently, advisers have developed business continuity plans as a “best practice” without necessarily being required to do so by rule. Recently, however, the SEC proposed a rule that would require all SEC-registered investment advisers to adopt and implement written business continuity and transition plans and to review them no less often than once per year. The SEC also issued guidance for the baseline requirements that such plans should contain.
The proposed rule, if adopted, would require advisers to adopt procedures designed to address risks related to any significant disruption in the firm’s operations. The plan must include plans for continuity after a natural disaster, act of terrorism, cyber-attack, equipment or system failure, or unexpected loss of service provider facilities or key personnel. In an area never previously addressed by the SEC, the most recent guidance also requires the firm to include plans relating to a transition in the adviser’s business for such reasons as the exiting of the adviser from the market or plans by the adviser to merge with or be acquired by another adviser.
The guidance also specifies that advisers should identify key personnel, address and specify hard copy and electronic backup copies of all important firm documents and address data disruption events, maintain an inventory of key documents by name, description and location, and maintain a prioritized list of critical firm functions and systems that are used for processing securities transactions, including trading, allocation, clearing, settlement and similar functions. If a firm uses third-party service providers to support those types of operations, there should be a plan in place to deal with disruption of or termination of that provider.
The plan should include identifying alternate physical locations from which the firm’s business may be operated in the event of natural disaster and, as part of that identification, assessing the availability of resources that would be necessary to continue the operations at such alternate location. The plan should also cover methods of notification of clients, employees, service providers, regulators, and others about business disruptions, and which protocols will be used, and how, for continuing communications with those persons. The firm must also assess the business continuity and disaster recovery plans of critical third-party service providers and consider how those third parties’ plans will affect the adviser or its operations.
All business continuity and transition plans must be maintained under the books and records rule for a period of five years and firms are required to maintain records documenting the annual review of such plans.
Parker MacIntyre, LLC provides legal and compliance services to investment advisers, broker dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our website for more information.