US Securities and Exchange Commission (SEC) Chair Mary Jo White admitted in an interview earlier this year that cybersecurity is the largest risk facing our financial system. SEC examiners discovered that while many firms and advisers were aware of this issue and were prepared for cyber-attacks and other general risks, many policies and procedures were not customized to cover specific risks to their individual operations. As such, plans to safeguard client data and continuity of services during a potential disruption were found to be inconsistent and often irrelevant.
In an effort to develop a more regulated and consistent client experience across all investment firms, the SEC recently announced its proposed new rule requiring all SEC-registered investment advisers to adopt business continuity and transition plans that contain SEC-mandated components. According to the proposal, the policies and procedures would instruct advisers to:
- Adopt and implement written business continuity and transition plans which address operational and other risks related to a significant disruption in their operations;
- Review the adequacy and implementation of business continuity and transition plans at least annually; and
- Maintain copies of all versions of written business continuity and transition plans during the five-year period following the compliance date.
Under this rule, it would be unlawful for an investment adviser to provide investment advice if he or she did not adopt and implement written business continuity and transition plans and test them at least once per year.
To help you better understand how this proposed rule would affect your business continuity program, below is a brief explanation of each of the above instructions.
Adopting Written Business Continuity and Transition Plans
While it is nearly impossible to regulate every single investment adviser’s unique operational situation, the proposed rule will address major areas that should be included in all written business continuity and transition plans, including:
- Maintenance of critical operations and systems and the protection, backup, and recovery of data, including client records;
- Pre-arranged alternate physical locations;
- Communications with clients, employees, service providers, and regulators;
- Identification and assessment of third-party services critical to the operation of the adviser; and
- Transition plan in the event the adviser needs to reduce or cease operations.
Annual Plan Review
Under the proposed rule, business continuity and transition plans should be reviewed regularly to verify that products, services, operations, critical third-party service providers, structure, business activities, client types, locations, and any regulatory requirements are still accurate and up to date. Additionally, if an event activated a business continuity or transition plan, the review would ensure that any lessons learned or changes resulting from the event are captured.
Maintaining copies of all plan versions for five years, along with records documenting plan reviews, not only provides access to accurate information during stressful periods; it will also simplify the SEC examination staff’s compliance evaluations.
Although the proposed rule is not yet effective, one thing is clear: financial institutions must strengthen their efforts to mitigate operational risks, especially cyber risks. Fortunately, we offer several professional services that can help you align your business continuity program with these anticipated requirements. For more information on these services, review the Preparis Professional Services Guide or contact your Customer Success representative. For more information on the proposed rule, including the economic impacts and possible alternatives to certain proposed elements, review the IA-4439 Adviser Business Continuity and Transition Plans proposed rule.