On June 28th, the SEC announced that it is building upon its body of rules and expectations driven by concerns over cybersecurity and technology failures. The proposed Rule would require firms to “adopt and implement written business continuity and transition plans that include certain specific components, and to maintain relevant records of those plans, in order to facilitate robust business continuity and transition planning across all SEC-registered advisers.”[1]
The message is clear: it is time to overhaul the BCP process at your firm, fold in the concept of Transition Plans, and plan explicitly for technology-based disruption. We expect formal adoption of this rule to be a no-brainer, given the existing rules-based requirements from FINRA, the CFTC and the NFA, and advisers would be well served to put these enhancements on the agenda now.
You can expect the SEC to ratchet up its examination routine with respect to BCP and Transition Plans, and the first enforcement cases to follow, most likely related to a lack of process.
Perhaps more importantly, we see the twin operational concerns of IT Security and Disruption Planning becoming standing components of present and future investor due diligence. Solid, tested plans in these two areas will satisfy future investor and business-partner requests for validation.
Background
The SEC is formalizing the well-understood expectation that investment advisers have policies and procedures in place to address disruption, and adding a new twist with respect to Transition Plans, in order to “modernize and enhance regulatory safeguards for the asset management industry,” according to SEC Chair Mary Jo White:
“Business continuity and transition plans would assist advisers in preserving the continuity of advisory services in the event of business disruptions – whether temporary or permanent – such as a natural disaster, cyberattack, technology failures, the departure of key personnel, and similar events.”
By tying Business Continuity Management to cybersecurity and technology failures, the SEC is building on its recent rules and initiatives driven by IT Security issues, such as Regulation S-ID (Red Flags/Identity Theft) and the two Cybersecurity Examination Sweep Initiatives.
The Commission has already flagged advisers’ weakness in addressing cyber attacks within their Business Continuity Plans. The Cybersecurity Examination Sweep Summary of February 2015 reported that only 51% of examined advisers had plans that considered such contingencies:
Written business continuity plans often address the impact of cyber-attacks or intrusions.
In addition, we often mention to clients that the NIST Framework for Improving Critical Infrastructure Cybersecurity references disruption holistically as in the following subcategory:
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
The implication is clear: there is a building expectation that advisers consider disruption and recovery capabilities for cybersecurity incidents alongside every other form of disruption, because the subjects of disruption planning are all related.
Transition Planning Specifics
The SEC has waited roughly 8 years since the collapse of global markets in 2007-2008 to roll out the notion that you must consider, in writing, the unwinding or cessation of operations. That is the simplified definition of a Transition Plan: what you intend to do in the event that the business must close down or unwind. The SEC has also discussed the monitoring of critical counterparties, which may be the more fitting response to the failures of the financial crisis. The justifications for Transition Planning are set out in the proposed Rule and tied to the failure of major financial institutions.[2]
Your written Transition Plan, which may be a component of the Business Continuity Plan, should include at a minimum:
- Policies and procedures for safeguarding the distribution of client assets during any transition (unwinding or closing of the firm);
- Consideration of your firm’s governance structure and material financial resources;
- Consideration of client communications and the generation of information for clients, including an assessment of the laws and contractual obligations that apply to specific types of clients, such as pooled investment vehicles.
Business Continuity Specifics
We have found that many investment advisers have leaned on the 10 minimum elements of FINRA’s Business Continuity Plan rule (Rule 4370), which should leave a firm in good standing on the specifics, with some new additions. The proposed Rule references the following areas, which you should test against your existing Plan:
- Consideration of your critical systems and the backup and recovery of firm and client data;
- Alternative physical locations for offices and employees;
- Third-party or vendor considerations (also heavily discussed in recent Cyber initiatives such as the 2015 Second Sweep);
- Communications with clients, vendors, regulators, and other stakeholders;
- Consideration for various specific disruptive scenarios including cyber attack and technology failures;
- Testing of the Plans, which must be considered and documented.
Do not forget your Books and Records obligations for retaining written policies, nor the Annual Review Process; both are also mentioned in the proposed Rule.
The Good News and Our Suggestions
Most investment advisers have addressed Business Continuity in general terms as part of their fiduciary responsibility under the Investment Advisers Act of 1940, and in light of the suggestion accompanying Rule 206(4)-7 (the “Compliance Program Rule”) that advisers consider BCP to the extent relevant to the firm. So most firms have a Plan in place. In many cases, however, we observe a bare-minimum approach to Business Continuity, including neglected plans that are never tested. Our suggestions for addressing Business Continuity and the pending requirements of the eventually adopted Rule are:
- Include Business Continuity Management in your Annual Review Process and take the time to consider including reference to cyber attack and technology failure in your Plan.
- Put the August 2013 OCIE Risk Alert for Business Continuity (referenced below) on the table at your Information Security or corresponding Risk committee meeting. Note: the SEC referenced all of the weaknesses from that Alert within the proposed Rule, so you should be familiar with them.
- The SEC also discusses Risk Management process, Operational Risk understanding, and the connection to Business Continuity within the proposed Rule. Review your firm’s risk management process with respect to Business Continuity, Transition Planning, and IT Security incidents and disruption.
Finally, leverage existing practices to meet the new requirements. Business Continuity Management is a risk-based process according to the SEC, so depending on the scope and complexity of your operations, you may be able to combine Business Continuity and Incident Response/Recovery efficiently within your existing Plan.
We assist firms with Business Continuity/Disruption Plan revisions that take into account reasonable practices and cost effectiveness. Please contact us for further information and details regarding the SEC’s initiatives and expectations.
References:
Proposed Rule: “Adviser Business Continuity and Transition Plans”: https://www.sec.gov/rules/proposed/2016/ia-4439.pdf
Cybersecurity Examination Sweep Summary (February 2015):
https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
OCIE Business Continuity Risk Alert (August 2013):
https://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pd
[1] See the proposed Rule: “Adviser Business Continuity and Transition Plans”, page 11. https://www.sec.gov/rules/proposed/2016/ia-4439.pdf.
[2] See page 19 of the Proposed Rule.