The Securities and Exchange Committee (SEC) staff published Guidance Update 2016-04, concerning business continuity plans regarding companies within a “fund complex.” By “fund complex” the staff means an affiliated group of registered investment companies, which includes mutual funds or registered insurance company separate accounts – together with their affiliated key service providers.

Fund complexes may face business disruption risks from myriad sources, including cyberattacks, technology failures, departure of key personnel, and natural disasters. SEC rules specifically require registered investment companies and certain of their key service providers to adopt and implement written compliance policies and procedures reasonably designed to prevent securities laws violations. Moreover, according to the Guidance Update, the SEC staff believes that:

[f]und complexes should consider how to mitigate exposures through compliance policies and procedures that address business continuity planning and potential disruptions in services (whether provided internally at the fund complex or externally by a critical third-party service provider) that could affect a fund’s ability to continue operations, such as processing shareholder transactions.

The Guidance Update emphasizes, however, that fund complexes’ compliance policies and procedures and business continuity plans should be tailored to the particular nature and scope of the complex’s operations. The Guidance Update therefore generally does not specify measures that fund complexes must adopt to ameliorate exposure to business disruptions. It does, however, set forth a large number of such measures that the staff believes fund complexes should consider, particularly as relevant to any critical services for which a registered investment company expects to rely on a service provider unaffiliated with the fund complex.

The SEC released the Guidance Update on the same day it proposed a new rule specifically requiring registered investment advisers to implement business continuity plans that incorporate certain features, including performing reviews of certain service providers on which such advisers may rely. Although that rule is not yet final, the Guidance Update is operative now.