On June 28, 2016, the Securities and Exchange Commission (the SEC) proposed Rule 206(4)-4 under the Investment Advisers Act of 1940 that would require each SEC-registered investment adviser to adopt, implement and annually review a written business continuity and transition plan to address risks related to potential significant disruptions in, or termination of, the adviser’s business. The SEC noted in its release that as part of their fiduciary duty, advisers are obligated to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services. The proposed rule illustrates the SEC’s continued focus on cybersecurity and systems issues following its adoption in 2014 of Regulation SCI, which requires stock and options exchanges, clearing agencies, other securities market participants and certain self-regulatory organizations to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets.
Business Continuity Plans
Under the proposed rule, an investment adviser’s business continuity plan would be required to cover temporary and permanent business disruptions resulting from a number of factors including natural disasters, terrorism and cyber-attacks, other technology failures, disruptions at service providers and the departure of key personnel. It is worth noting that this proposal is the first time the SEC has imposed an explicit mandatory regulation on advisers related to cybersecurity. In its discussion of the proposed rule, the SEC noted that many advisers had already taken steps to address and mitigate the risks of business disruptions through comprehensive plans and other means. However, the SEC also found that a number of advisers had less robust planning that caused them to experience interruptions in business operations or to otherwise inconsistently maintain communications with clients and employees during periods of stress (such as during and immediately after Hurricane Sandy in 2012).
Although the SEC attributed some of the differences in industry practice related to business continuity to the variation in size and complexity of investment advisers, the proposed rule would require all advisers to adopt and maintain plans that are reasonably designed to address operational and other risks related to a significant disruption in the adviser’s operations. The proposed rule requires a business continuity plan to include policies and procedures designed to minimize material service disruptions and to cover: (i) maintenance of critical operations and systems as well as the protection, back-up and recovery of client data and other records; (ii) pre-arranged alternative physical locations for the adviser’s offices and its employees; (iii) plans for communicating with clients, employees, service providers and regulators; and (iv) identification and assessment of third-party services critical to the adviser’s operations.
The proposed rule also requires a plan of transition that accounts for the possible winding down of the investment adviser’s business or the transition of the business to another adviser (whether under normal or unusual market conditions). An adviser’s transition plan would be required to include: (i) policies and procedures intended to safeguard and facilitate the transfer or distribution of client assets during a transition; (ii) policies and procedures to facilitate the prompt generation of any client-specific information necessary to transition each client account; (iii) information regarding the corporate governance structure of the adviser; (iv) the identification of any material financial resources available to the adviser; and (v) an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the transition.
Annual Review and Recordkeeping
The proposed rule would require an adviser to annually review the adequacy of its business continuity and transition plan and the effectiveness of its implementation. The SEC stated that the review generally should consider any changes to the adviser’s products, services, operations, critical third-party service providers, structure, business activities, client types, location, and any regulatory changes that might suggest a need to revise the plan. The proposed rule and other rule amendments would also require that advisers maintain any records documenting the review process and keep any such documentation as well as copies of all plans currently in effect or that were in effect for five years.
Although many of the proposed rule’s elements will be relevant to private equity sponsors, it is intended to cover all registered investment advisers and therefore is written very broadly. While the SEC outlined provisions that must be addressed in each adviser’s plan, it also stressed that all plans should take into account the specifics of the adviser’s business and any unique risks the adviser and its clients may face. As such, if the rule is adopted, an adviser should pay particular attention to the unique risks of its business in preparing and reviewing its business continuity and transition plan.
The comment period for the proposed rule runs through September 6, 2016, and we will update our clients on any developments as the rulemaking process progresses. Below for your information is a link to the SEC’s release discussing the proposed rule.