The Securities and Exchange Commission (“SEC”) recently proposed Rule 206(4)-4¹ under the Investment Advisers Act of 1940 (“Advisers Act”), which would require registered investment advisers (“firms” or “Advisors”) to adopt business continuity and transition plans. Further, in the Proposed Rule, the SEC stated that investment advisers are fiduciaries who owe their clients a duty of care and a duty of loyalty. Thus, as part of these duties, firms are required to implement policies and procedures to protect client interests from being placed at risk as a result of an adviser’s inability to provide advisory services. At the same time, the SEC’s Division of Investment Management released a Guidance Update on business continuity and transition plans for registered investment companies (“funds”).² The Proposed Rule and Guidance Update further evidence the SEC’s general focus on comprehensive information security plans, and the Commission’s particular interest in firms’ and funds’ preparedness in the event of a significant business disruption.³
The Proposed Rule
In the Proposed Rule, the SEC stressed its belief that “it would be fraudulent and deceptive for a firm to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the firm’s inability (whether temporary or permanent) to provide those services.” As such, the Proposed Rule would require that the firm’s plan be “reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.” In particular, the policies and procedures in the firm’s plan must address the following issues and topics:
- Maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records;
- Pre-arranged alternate physical location(s) of the Adviser’s office(s) and/or employees;
- Communications with clients, employees, service providers, and regulators;
- Identification and assessment of third-party services critical to the operation of the Adviser; and
- Plan of transition in the event the Adviser is winding down or is unable to continue providing advisory services.
Despite identifying these specific components, the SEC again emphasized that there is no one-size-fits-all strategy for addressing business continuity planning, and each firm will need to customize its approach by looking to its individual operations and associated risks.
It is important for Advisors to implement measures to protect client interests from being placed at risk as a result of a business disruption or transition of the firm’s business. Firms should evaluate their operations and associated risks in order to tailor their business continuity plans accordingly.
Should you require additional information regarding the recent Proposed Rule or information security programs generally, please contact Cheri L. Hoff at (212) 508-6175 or Glen Kopp at (212) 508-6123.
1 The full text of the Proposed Rule is available here.
2 The full text of the Guidance Update is available here.
3 The SEC’s Office of Compliance Inspections and Examinations has also conducted an examination of firms after Hurricane Sandy to assess the adequacy of the firms’ business continuity plans. The resulting Risk Alert is available here.