On June 28, 2016, the Securities and Exchange Commission proposed Rule 206(4)-4 under the Investment Advisers Act of 1940 that would require each SEC-registered investment adviser to adopt, implement and annually review a written business continuity and transition plan to address risks related to potential significant disruptions in, or termination of, the adviser’s business.
The proposed rule illustrates the SEC’s continued focus on cybersecurity and systems issues following its adoption in 2014 of Regulation SCI, which requires stock and options exchanges, clearing agencies, other securities market participants and certain self-regulatory organizations to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets.
Business Continuity Plans
Under the proposed rule, an investment adviser’s business continuity plan would be required to cover temporary and permanent business disruptions resulting from a number of factors including natural disasters, terrorism and cyber-attacks, other technology failures, disruptions at service providers and the departure of key personnel. It is worth noting that this proposal is the first time the SEC has imposed an explicit mandatory regulation on advisers related to cybersecurity. In its discussion of the proposed rule, the SEC noted that many advisers had already taken steps to address and mitigate the risks of business disruptions through comprehensive plans and other means. However, the SEC also found that a number of advisers have less robust planning that caused them to experience interruptions in business operations or to otherwise inconsistently maintain communications with clients and employees during periods of stress (such as during and immediately after Hurricane Sandy in 2012).
The proposed rule would require all advisers to adopt and maintain plans that are reasonably designed to address operational and other risks related to a significant disruption in the adviser’s operations. The proposed rule requires a business continuity plan to include policies and procedures designed to minimize material service disruptions and should cover: (i) maintenance of critical operations and systems as well as the protection, back-up and recovery of client data and other records; (ii) pre-arranged alternative physical locations for the adviser’s offices and its employees; (iii) plans for communicating with clients, employees, service providers and regulators; and (iv) identification and assessment of third-party services critical to the adviser’s operations.
The proposed rule also requires a plan of transition that accounts for the possible winding down of the investment adviser’s business or the transition of the business to another adviser (whether under normal or unusual market conditions). An adviser’s transition plan would be required to include: (i) policies and procedures intended to safeguard and facilitate the transfer or distribution of client assets during a transition; (ii) policies and procedures to facilitate the prompt generation of any client-specific information necessary to transition each client account; (iii) information regarding the corporate governance structure of the adviser; (iv) the identification of any material financial resources available to the adviser; and (v) an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the transition.
Although many of the proposed rule’s elements will be relevant to private equity sponsors, it is intended to cover all registered investment advisers and therefore is written very broadly. While the SEC outlined provisions that must be addressed in each adviser’s plan, it also stressed that all plans should take into account the specifics of the adviser’s business and any unique risks the adviser and its clients may face. As such, if the rule is adopted, an adviser should pay particular attention to the unique risks of its business in preparing and reviewing its business continuity and transition plan.
The comment period runs through September 6, 2016.