Business Continuity Plans

About our Contributors
ICS Group is a regulatory compliance consulting firm specializing in providing compliance support to the financial services and insurance industries. We help our clients comply with regulatory requirements and industry standards. Our clients include registered investment advisers, private equity funds, hedge funds, mutual funds, broker-dealers, insurance companies and state pension plans. Our team of highly experienced compliance professionals knows from first-hand experience what regulators are looking for, the industry standards that apply, and how to develop and implement cost-effective business-oriented solutions.

Although business continuity plans (“BCPs”) have been an expectation of the Securities and Exchange Commission (“SEC”), on June 28, 2016, the SEC proposed a rule that would require all SEC-registered investment advisers to adopt and implement a business continuity and transition plan.

The rule would not only require SEC-registered investment advisers to adopt and implement a BCP, but it would also require that the plan be reasonably designed to address operational risks according to each firm’s unique needs. If a firm’s BCP is not reasonably designed to address operational risks, the SEC has stated that it would be “fraudulent and deceptive” for an adviser to provide advisory services.

In the aftermath of Hurricane Sandy, the financial industry was broadly impacted because of the duration and location of the storm. SEC investigators determined that while many registered investment advisers had a business continuity plan, many of those plans were inadequate to address operational risks related to significant disruptions to the adviser’s operations.

Advisory firms will have some flexibility in deciding what is included in their BCP based on the nature of each particular adviser’s business; however, the following components will be required of each advisory firm’s BCP:

  1. Transition Plan. A transition plan must account for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing services. Examples include:
    1. A merger with another adviser.
    2. A sale of the adviser or substantially all of the assets and liabilities of the adviser.
    3. The inability to provide services temporarily or permanently due to:
      1. a natural disaster
      2. acts of terrorism
      3. cyberattacks
      4. equipment or system failure
      5. material financial distress or
      6. unexpected loss of a service provider.
  2. Data Protection, Back-up and Recovery. A plan for data protection, back-up and recovery must address how data will be protected and restored in the event that any of the aforementioned events occur. Specifically, it must address:
    1. An inventory of key documents (e.g., organizational documents, contracts, policies and procedures), including a description of the documents and the location of the documents.
    2. Both hard-copy and electronic backup, as appropriate.
  3. Contingency Plans with Respect to Key Personnel.
    1. Short-term arrangements, such as which specific individuals will take over the role in the key personnel’s absence.
    2. Long-term arrangements regarding how an adviser will replace key personnel.
  4. Pre-arranged Alternate Physical Location(s).
    1. Have arrangements been made for an alternative facility for the office(s) and/or employees?
  5. Methods, systems, back-up systems and protocols for communications with clients, employees, service providers, and regulators. For example:
    1. How are employees informed of significant business disruptions? How will employees communicate during such a disruption and contingency arrangements? Who will be responsible for taking on other responsibilities in the event of loss of key personnel?
    2. How will clients be informed of and updated about a significant business disruption that materially impacts ongoing client service (e.g., periodic updates to websites and customer service lines)? When applicable, how will clients be contacted and advised if account access is impacted during such disruption?
      1. What is the process by which the adviser would have prompt access to client records that include the name and relevant contact and account information for each client?
  6. Identification and Assessment of Third-party Services Critical to the Operation of the Adviser.
    1. Identify critical service providers (e.g., those providing services related to portfolio management, custody of client assets, trade and execution and related processing, pricing, client servicing and/or recordkeeping, and financial and regulatory reporting), review and assess how these service providers plan to maintain business continuity when faced with significant business disruptions, and consider how this planning will affect the adviser’s operations.

With a trend towards requiring BCPs of businesses in the financial industry, this most recent SEC proposal requiring all registered investment advisers to have a BCP is expected to be finalized without much change.

For more information on the requirements of the proposed rule or help with creating or enhancing your firm’s BCP to meet these new requirements, contact ICS Group today. As always, we are here to help.