The SEC’s Division of Investment Management published regulatory guidance on June 28, 2016, highlighting the need for registered investment company complexes to review their business continuity plans to ensure they are sufficiently robust to mitigate potential exposures and disruptions and consider the backup processes and redundancies of critical service providers. On the same day, the Commission proposed rules that would require registered investment advisers to adopt and implement business continuity and transition plans reasonably designed to address risks related to an adviser’s ability to operate in the event of a significant disruption.
Business continuity plans for registered investment companies
The Commission initially addressed fund business continuity plans (BCPs) when it adopted Rule 38a-1 under the Investment Company Act of 1940 (Rule 38a-1), which requires funds to adopt and implement formal compliance programs. Rule 38a-1, the Staff guidance says, also requires oversight of the BCPs of critical service providers to a fund complex.
The guidance draws heavily on Staff observations of fund operations made during examinations of fund complexes and their advisers. The guidance focuses on how fund complexes should consider whether the backup processes and redundancies of critical service providers are sufficient to maintain continuity of fund operations during a significant business disruption.
The thrust of the guidance is that fund complexes should observe, monitor and evaluate the ability of critical service providers to weather disruptions caused by cyber security breaches or operational failures, including procedures for coordinating communications among various constituencies, including fund investors.
Among other things, fund complexes should consider how to monitor business interruption incidents that could hinder the ability of a service provider to provide uninterrupted services to the fund. Moreover, the guidance suggests that fund complexes should understand how the BCPs of various services providers are interconnected so that they are better prepared to deal with operational crises. In the Staff’s view, fund complexes should consider and be prepared to address “what if” scenarios.
The guidance states that fund boards should discuss with the fund’s adviser and other critical service providers the steps being taken to mitigate the risks associated with potential business disruptions. Consistent with Rule 38a-1, board oversight should consider the robustness of a fund complex’s BCP, including the fund complex’s plans for dealing with disruptions affecting critical service providers.
BCPs for investment advisers
The SEC proposed a new rule which would require SEC-registered investment advisers “to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.”
The basis of the rule is the fiduciary responsibility of investment advisers to take steps to protect clients if the adviser is not able to provide advisory services. The inability to provide services can arise from operational difficulties resulting from, among other things, natural disasters, acts of terrorism, cyber attacks, technological failures or even the departure of key personnel.
The proposed rule also would require investment advisers to address transition planning. Transitions can result from an adviser exiting the advisory business (voluntarily or involuntarily) or a decision by a fund board to terminate an investment advisory contract.
Specifically, the proposed rule would require investment advisers to adopt and implement a written business continuity and transition plan and to review the plan at least annually. As proposed, a plan must address business continuity after significant disruption of operations and business transitions as described above. The plans must address, among other things:
(i) maintenance of critical operations and systems and the protection, backup and recovery of data;
(ii) pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees;
(iii) communications with clients, employees, service providers and regulators;
(iv) identification and assessment of third-party services critical to the operation of the adviser; and
(v) transitions, including the possible winding down of the adviser’s business, or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services.
The SEC asked for public comment as to, among other things, whether the proposed rule is necessary in the first place or whether the issues can be addressed through regulatory guidance similar to the guidance it published for registered investment companies.
The guidance and the proposed rules should come as no surprise to those who follow the progression of regulations following efforts by the Financial Stability Oversight Counsel (FSOC) to portray investment advisers as creators of systemic risk to the global financial system. These actions are part of the SEC’s efforts to get ahead of FSOC’s attempts to regulate investment advisers and funds. While the Staff’s observations on BCPs for registered investment companies take the form of guidance, it is not a coincidence that they dovetail with the Commission’s proposed rules to require registered investment advisers to adopt and implement BCPs. The guidance and the proposed rules, if adopted, add yet another subtle level of scope and complexity to responsibilities of fund directors and registered investment advisers.