SEC Updates its Focus on Business Continuity and Transition Plans

Ian G. DiBernardo, a Partner in Stroock’s Intellectual Property Practice Group, and a WSTA Ticker Publication Committee member since 2011

August 25, 2016

The Securities and Exchange Commission (the “SEC”) recently provided insight into its current thinking regarding business continuity and transition plans (“BCPs”) and the management of both internal and outsourced technology infrastructure.

Although the SEC’s recent releases are addressed to investment advisers and funds, they reflect the SEC’s continued recognition that the maintenance and protection of technology infrastructure, including planning for potential cyber-attacks, should be a primary area of focus for financial institutions in general.  Moreover, the SEC has identified certain “notable practices” that were distilled from recent industry outreach, which provide guidance on dealing with third party service providers in connection with BCPs—an industry-wide issue.

 

The Proposed Rule and Guidance Update

In a July 2016 release (the “Proposing Release”), the SEC proposed a new rule under the Investment Advisers Act of 1940, which would require registered investment advisers to adopt and implement BCPs.[1]  At the same time, the SEC’s Division of Investment Management issued a Guidance Update discussing certain elements of BCPs that registered investment companies (“funds”) should consider adopting under Rule 38a-1 under the Investment Company Act of 1940.[2]

Both the Proposing Release and the Guidance Update explicitly highlight the importance of technology infrastructure and managing vendors.  According to the Proposing Release, BCPs “shall include policies and procedures … that address … maintenance of critical operations and systems, and the protection, backup, and recovery of data.”[3]  The SEC’s Guidance Update similarly emphasizes the management of both internal and outsourced technology infrastructure and related services, noting the increasing use of third-party technologies and consideration of them as part of business continuity planning.[4]

As such, although directed at registered investment advisers and funds, the Proposing Release and Guidance Update help inform financial institutions generally as to the SEC’s view of best practices for BCPs.

As an initial point, the SEC’s elevation of its discussion of BCPs from guidance to a rule signals the high importance the SEC places on BCPs.  The Proposed Rule would require an adviser’s BCP to be based on the risks associated with the adviser’s operations and to include policies and procedures designed to minimize material disruptions of client services.[5]  Specific business disruption events that should be addressed by a BCP include natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider or facilities.[6]

The Proposed Rule would require an adviser to review the adequacy and effectiveness of its BCP at least annually and to maintain related records.[7]  More specifically, the Proposed Rule would require that a BCP address the following components (the last three as part of a plan of transition), several of which bear directly on technology infrastructure:

  • Maintenance of critical operations and systems, and the protection, backup and recovery of data, including client records.
  • Pre-arranged alternative physical location(s) of the adviser’s office(s) and/or employees.
  • Procedures for ongoing communications with clients, employees, service providers, and regulators.
  • Identification and assessment of third party services critical to the operation of the adviser.
  • Policies and procedures intended to safeguard, transfer and/or distribute client assets during transition.
  • Policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account.
  • An assessment of the applicable law and contractual obligations governing the adviser and its clients.

The Guidance Update points to the existing obligations of funds (under Rule 38a-1) to have compliance policies and procedures, including procedures that address the risk of loss of business continuity.  It also discusses a number of measures the SEC staff believes funds should consider as part of evaluating their business continuity preparedness, especially with respect to critical service providers.  However, instead of stating specific obligations that funds have with respect to their BCPs, the Guidance Update cites last year’s well-publicized third-party system malfunction at a service provider[8] as a recent event in which, in the staff’s view, some funds could have been better prepared to manage a business disruption.  The Guidance Update also highlights the findings of a recent outreach by the SEC staff to a number of funds and their advisers regarding BCPs generally.

Specifically, the Guidance Update highlights the following “notable practices” identified through its recent fund outreach:

  • Address the facilities, technology/systems, employees and activities conducted by the fund’s investment adviser and any affiliates, as well as dependencies on critical services provided by third-party service providers.
  • Involve a broad cross-section of employees from key functional areas in BCPs, typically including senior management, technology, information security, operations, human resources, communications, legal, compliance, and risk management.
  • Participation by the Chief Compliance Officer (“CCO”) in the fund’s third-party service provider oversight process.
  • Provide BCP presentations to the fund board of directors on an annual basis.
  • Some form of BCP testing occurring at least annually, with the results of that testing shared, as appropriate, in updates to fund boards.
  • Monitoring by the CCO and other pertinent staff of business continuity outages, including those incurred by critical third-party service providers, and reporting to the board as warranted.
  • Consider examining critical service providers’ backup processes, the robustness of the provider’s contingency plans, including reliance on other critical service providers, and how these providers intend to maintain operations during a significant business disruption.
  • Identify how best to monitor whether a critical service provider has experienced a significant disruption (e.g., a cybersecurity breach) that could impair the service provider’s ability to provide uninterrupted services, the potential effect that disruption may have on your company’s operations, and the communication protocols and steps that may be necessary for your company to successfully navigate the disruption.
  • To better ensure continued operations and/or promptly resume operations during a significant business disruption, consider how the BCPs of critical service providers relate to each other. For example, funds should discuss with their service providers any redundancies and backup plans the service provider has in the event it experiences a significant business disruption.  Additionally, consider whether your company itself has backup procedures that address the steps that would need to be taken to successfully navigate through the service provider disruption.
  • Consider how a critical service provider disruption could impact your company’s operations and have a general plan for managing the response to potential disruptions under various scenarios, whether such disruptions occur with an affiliated or third-party service provider.

 

Lessons for Negotiating Technology Vendor Contracts

The Proposing Release and the Guidance Update reflect the SEC’s continued recognition that maintenance and protection of technology infrastructure, including potential cyber-attacks, is a primary area of risk.  Indeed, the weaknesses the SEC observed in advisers’ BCPs with respect to telecommunications and technology were a stated impetus for the Proposed Rule.

Although the Proposing Release and the Guidance Update focus on the key components of BCPs, financial institutions should not lose sight of the fact that the effectiveness of their BCPs with respect to technology infrastructure may, in certain respects, depend on their contractual relationships with existing and future technology vendors.  Indeed, many of the observations of the SEC examination staff reflected in the Proposing Release have direct relevance to vendor contracts and serve as reminders of the types of provisions financial institutions should consider including in such contracts.

At a most basic level, vendors must be active participants in the financial institutions’ BCPs.  From a contractual standpoint, this may start with an obligation for a vendor of a critical system or operation to have its own BCP and test it annually.  The SEC has also signaled the need for collaboration among financial institutions and their technology vendors, noting the importance of engaging service providers to ensure backup servers work properly, “the need to understand the business continuity and disaster recovery protocols of critical [. . .] service providers,” and the need for continuing diligence in this regard.[9]  Addressing these points may translate into contract provisions providing for transparency regarding the vendors’ BCPs and disaster recovery systems, as well as related obligations, including minimum requirements, physical location, annual testing and reporting, and notification of material changes.

Of course, vendors might also be contractually obligated to participate in the annual review of a financial institution’s own BCP.  In light of the SEC examination staff’s finding regarding inadequate testing of BCPs, the existence of a BCP that is appropriate on its face may provide little protection if implemented poorly with vendors following an actual business interruption.

Similarly, an otherwise thorough BCP may provide little protection if delayed in its implementation (e.g., due to a vendor’s failing to either adequately monitor its systems or provide notification of issues).  As discussed above, the Proposed Rule would require an adviser’s BCP to include a communication plan, and the communication plan may reflect both monitoring and notification of disruptions.  Although contractual remedies may be limited, parameters regarding such monitoring and notifications may be incorporated into the vendor contract.

As another example, the Proposing Release and the Guidance Update note the importance of considering the interrelationship of vendors in creating a BCP and enhancing preparedness.  Also important is the interrelationship of third-party vendor systems and a company’s internal, proprietary systems.  Mapping such interrelationship – the physical telecommunications interconnections and logical data inputs and outputs among them – can be important to the creation of a BCP.  Once the normal interrelationships have been mapped, potential deviations necessitated by interruptions can be considered and addressed in vendor contracts.  The contracts might include pre-negotiated statements of work for the provision of backup services by, for example: providing for alternate data formats or forms of data transfer used by the vendor; the provision of additional services as replacement for impaired third-party or financial institution-provided services; or other potential work-arounds.
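Once the interrelationships among internal systems and vendors have been mapped, the map can be used to answer the question the Guidance Update’s notable practices pose: which critical operations does a given provider outage impair, taking into account a provider’s own reliance on other providers and any pre-arranged substitutes?  The following Python script is an added illustration of that analysis; it is not code from the article or from the SEC releases, and the system names, the dependency map and the fallback arrangements are constructed for the example.

```python
from collections import deque

# Constructed, hypothetical dependency map for a small adviser: each key depends
# on the members of its set. Leaf nodes (empty set) are external providers or
# facilities. Names are illustrative, not taken from the article.
DEPENDENCIES = {
    "client_reporting": {"portfolio_accounting", "email_gateway"},
    "daily_nav": {"portfolio_accounting", "market_data_feed"},
    "trade_execution": {"oms", "market_data_feed"},
    "portfolio_accounting": {"accounting_vendor"},
    "oms": {"oms_vendor", "telecom_primary"},
    "market_data_feed": {"data_vendor", "telecom_primary"},
    "email_gateway": {"telecom_primary"},
    "accounting_vendor": set(),
    "oms_vendor": set(),
    "data_vendor": set(),
    "telecom_primary": set(),
}

# Client-facing operations the BCP must keep running (constructed).
CRITICAL_OPERATIONS = {"client_reporting", "daily_nav", "trade_execution"}

# Pre-arranged substitutes (e.g. a backup telecom circuit, or a pre-negotiated
# statement of work for manual pricing). A node whose substitute survives is
# treated as still operating even if its normal dependencies are down.
FALLBACKS = {
    "telecom_primary": {"telecom_backup"},
    "market_data_feed": {"manual_pricing"},
}


def reverse_graph(graph):
    """Map each node to the set of nodes that depend on it."""
    reverse = {node: set() for node in graph}
    for node, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(node)
    return reverse


def impaired_nodes(graph, failed, fallbacks):
    """Return every node impaired by the outage of the nodes in `failed`.

    A node is impaired if it has failed, or if one of its dependencies is
    impaired, unless it has a fallback that is not itself in `failed`.
    Propagation is breadth-first over the reverse graph, so a provider's own
    reliance on another provider is followed transitively.
    """
    reverse = reverse_graph(graph)
    impaired = set()
    queue = deque()

    def covered(node):
        # True when at least one substitute for `node` is still available.
        return bool(fallbacks.get(node, set()) - failed)

    for node in failed:
        if node in graph and not covered(node):
            impaired.add(node)
            queue.append(node)
    while queue:
        node = queue.popleft()
        for dependent in reverse.get(node, ()):
            if dependent in impaired or covered(dependent):
                continue
            impaired.add(dependent)
            queue.append(dependent)
    return impaired


def critical_impact(graph, failed, fallbacks, critical):
    """Critical operations impaired by the given outage scenario."""
    return impaired_nodes(graph, failed, fallbacks) & critical


def single_points_of_failure(graph, fallbacks, critical):
    """Providers (leaf nodes) whose sole outage impairs a critical operation,
    mapped to the operations they take down. Anything listed here has no
    effective redundancy and is a candidate for a contractual backup
    arrangement or a second provider."""
    spof = {}
    for node, deps in graph.items():
        if deps:
            continue  # not a leaf provider
        hit = critical_impact(graph, {node}, fallbacks, critical)
        if hit:
            spof[node] = hit
    return spof


if __name__ == "__main__":
    for scenario in ({"accounting_vendor"}, {"telecom_primary"},
                     {"telecom_primary", "telecom_backup"}):
        print(sorted(scenario), "->", sorted(critical_impact(
            DEPENDENCIES, scenario, FALLBACKS, CRITICAL_OPERATIONS)))
    print("single points of failure:", single_points_of_failure(
        DEPENDENCIES, FALLBACKS, CRITICAL_OPERATIONS))
```

Running the script shows the point the article makes about interrelationships: in this constructed map the loss of the primary telecom circuit alone impairs nothing because a backup circuit is pre-arranged, but losing both circuits takes down trade execution and client reporting, while the accounting vendor is a single point of failure for NAV production and client reporting regardless of telecom redundancy.  Scenarios of this kind are what a pre-negotiated backup statement of work in the vendor contract should be written against.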

In short, the SEC’s recent releases may signal an appropriate time for financial institutions – not just advisers and funds – to take inventory of their existing vendor contracts and revisit requirements for future ones.  Some of the takeaways from the SEC Proposing Release and the Guidance Update may not be new.  They may, however, help to inform financial institutions as they review their own BCPs and those of their third-party vendors and service providers, and provide additional insight into the SEC’s future evaluation of BCPs and the management of technology vendors and other third-party service providers.

[1]       Adviser Business Continuity and Transition Plans, 81 FR 43530 (July 5, 2016) (proposing new Rule 206(4)-4) (the “Proposing Release”).

[2]      SEC Investment Management Guidance Update No. 2016-04, Business Continuity Planning for Registered Investment Companies (June 2016), available at https://www.sec.gov/investment/im-guidance-2016-04.pdf (the “Guidance Update”).

[3]      Proposing Release at 43545.

[4]      Guidance Update at 1.

[5]       Proposed Rule 206(4)-4(b)(2).

[6]      Although the Proposed Rule and Guidance Update deal with non-technical aspects of BCPs, such as stressed market conditions and a sale of business, this article focuses on technical and related vendor issues.

[7]       Proposed Rule 206(4)-4(a)(2).

[8]      In August 2015, The Bank of New York Mellon experienced a malfunction in one of its third-party systems provided by SunGard Data Systems Inc., and was unable to, among other things, deliver timely system-generated net asset values (“NAVs”) for certain clients for several days.  This malfunction resulted in the affected funds having to price their shares using stale or manually calculated NAVs.

[9]       Proposing Release at 43534; Guidance Update at 3.

 

_______________________________________________

By Ian G. DiBernardo, a Partner in Stroock’s Intellectual Property Practice Group, and a WSTA Ticker Publication Committee member since 2011; Robert E. Plaze and Nicole M. Runyan, Partners in Stroock’s Investment Management Practice Group, and Lior J. Ohayon, a Partner in Stroock’s Private Funds Practice Group.

 

For More Information:

Ian G. DiBernardo
212.806.5867
idibernardo@stroock.com
Robert E. Plaze
202.739.2860
rplaze@stroock.com
Nicole M. Runyan
212.806.6443
nrunyan@stroock.com
Lior J. Ohayon
212.806.6469
lohayon@stroock.com

Copyright © 2017, WSTA®, All Rights Reserved.