On June 28, the Securities and Exchange Commission proposed Rule 206(4)-4, which would formally require SEC-registered advisors to adopt written business continuity plans (BCPs). Currently, the Investment Advisers Act of 1940 does not explicitly require RIAs to adopt BCPs. Rule 206(4)-7 requires RIAs to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act. In a footnote to a release of Dec. 17, 2003, the SEC explained that advisors’ fiduciary duty includes protecting clients from “risk as a result of the advisor’s inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel.”
The SEC’s Office of Compliance Inspections and Examinations reiterated the same concern in an August 2013 Risk Alert, which advised that RIAs’ responsibilities to maintain books and records under Rule 204-2 include the requirement to maintain electronic storage media “so as to reasonably safeguard them from loss, alteration or destruction.”
Under proposed Rule 206(4)-4, it would be unlawful for an RIA to provide investment advice if it does not adopt a BCP and review it annually. A proposed amendment to Rule 204-2 would also require RIAs to make and keep copies of BCPs that are in effect or were in effect at any time during the last five years, as well as any records documenting the RIA’s annual review of its BCP.
1. General Requirements. Proposed Rule 206(4)-4 requires the BCP to address business continuity after a significant business disruption, and business transition in the event the RIA is unable to continue providing services to clients (e.g., natural disasters, acts of terrorism, cyberattacks, equipment or system failures, unexpected loss of a service provider, facilities or key personnel). It must also include plans for an RIA to sell its business, a portion of its business or merge with another advisor.
The BCP needs to address maintenance of critical operations and systems, and protection, backup and recovery of data, including client records. The BCP should identify and prioritize critical functions, operations and systems, and consider alternatives and redundancies to continue operations in the event of a significant business disruption.