Business Continuity Plans for Funds and Advisers
James R. Burns and Kimberly B. Saunders
October 6, 2016


Agenda

I. Business Continuity Planning and Cybersecurity Focus in the Asset Management Industry
II. Business Continuity / Transition Planning Rule Proposal
III. Industry Critiques of the Proposed Rule
IV. Guidance Update on Business Continuity Planning for Registered Funds
V. Recommendations

Business Continuity Planning and Cybersecurity Focus in the Asset Management Industry


Historical Context

Where We Were

- December 2003 – SEC adopts Rule 38a-1 under the Investment Company Act of 1940 (“1940 Act”) and states that it expects that policies and procedures should address (among other things) business continuity plans (BCPs) to the extent that they are relevant.

Rapidly Changing Landscape

- October 2012 – Hurricane Sandy
- July 2015 – New York Stock Exchange Trading Outage
- August 2015 – Net Asset Value Calculation Failure
- March 2016 – SEC Chair Mary Jo White states that cybersecurity is now the “biggest risk facing the financial system.”

Assortment of Laws and Regulators in the U.S.

Businesses must navigate a patchwork of state and federal laws and regulations.

This also means that a patchwork of regulators and self-regulatory organizations is focusing on privacy/cybersecurity practices, including:

- Securities and Exchange Commission (SEC)
- Financial Industry Regulatory Authority (FINRA)
- Commodity Futures Trading Commission (CFTC)
- National Futures Association (NFA)
- Department of Justice (DOJ)
- State Attorneys General

The SEC’s proposal regarding investment advisers’ business continuity and transition plans is the next phase of regulation that has been working its way around the asset management industry.

Examples of SEC Regulation

Regulation S-P (Safeguards Rule): Requires advisers to adopt written policies and procedures that address safeguards for the protection of customer records and information and are reasonably designed to:

- Insure the security and confidentiality of customer records and information;
- Protect against anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to a client.

Examples of SEC Regulation (continued)

Regulation S-ID (Identity Theft Red Flag Rule): Requires advisers that maintain “covered accounts” to develop, implement, and administer a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with the opening of investor accounts and the administration of current accounts.

Programs implemented to comply with Regulation S-ID must, among other requirements:

- Address training of employees to identify red flags
- Ensure third-party service providers to covered accounts have their own reasonable red flags programs in place
- Provide for an annual review

Examples of SEC Regulation (continued)

Regulation SCI: The adopting release noted that the SEC would evaluate whether to extend Regulation SCI to other market participants such as investment advisers:

“This [step-by-step] approach will enable the Commission to monitor and evaluate the implementation of Regulation SCI . . . such that it may consider, in the future, extending the types of requirements in Regulation SCI to additional categories of market participants, such as, security-based swap dealers, investment advisers, investment companies, transfer agents, and other key market participants.”

Regulation SCI may require investment advisers to participate in market-wide testing in the future:

Rule 1004 of Regulation SCI requires each SCI entity to “[d]esignate members or participants . . . and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such [business continuity and disaster recovery plans] . . .” 17 CFR 242.1004(b)

SEC Cybersecurity Initiatives

Cybersecurity has evolved into a key area of focus for the SEC.

- June 2016: SEC proposes rule requiring advisers to adopt business continuity and transition plans, and SEC staff releases related guidance on business continuity planning for registered funds.
- April 2016: SEC Enforcement Director Andrew Ceresney announces via an SEC webcast that additional cybersecurity-related enforcement actions will be “coming down the pike.”
- January 2016: Cybersecurity identified as a 2016 Examination Priority.
- September 2015: SEC brings a first-of-its-kind, settled enforcement action against R.T. Jones Capital Equities Management, based on failure to adopt proper cybersecurity compliance policies and procedures.
- September 2015: SEC OCIE publishes “risk alert” providing information on the areas of focus for OCIE’s second round of cybersecurity examinations.
- April 2015: SEC Investment Management Staff publishes cybersecurity “guidance update.”
- February 2015: SEC examination staff announces results of the 2014 examination sweep.
- January 2015: Cybersecurity identified as a 2015 Examination Priority.

NFA Regulation

Information Systems Security Programs (Interpretive Notice 9070, effective March 2010): Requires that all NFA member firms, including commodity pool operators and commodity trading advisors, adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.

The information systems security program must include:

(i) a security and risk analysis;
(ii) a description of the firm’s safeguards against identified system threats and vulnerabilities;
(iii) a process for evaluating the nature of a security event, understanding its potential impact, and taking measures to contain and mitigate the breach; and
(iv) a description of the firm’s ongoing education and training related to the program for all appropriate personnel.

Business Continuity / Transition Planning Rule Proposal


Business Continuity / Transition Planning Rule Proposal

In late June 2016, the SEC proposed a new rule, Rule 206(4)-4, under the Investment Advisers Act of 1940, to address potential ramifications of a temporary or permanent interruption of a registered adviser’s ability to provide advisory services.

As proposed, the rule would require an adviser to:

- Adopt and implement plans to ensure business continuity after a significant business disruption and business transition in the event the adviser is unable to continue providing advisory services;
- Conduct an annual review of those plans; and
- Comply with corresponding recordkeeping requirements.

< https://www.sec.gov/rules/proposed/2016/ia-4439.pdf >

Business Continuity / Transition Planning Rule Proposal

In proposing this rule, the SEC suggests that the efforts some advisers have undertaken under the existing Rule 206(4)-7 are not sufficient.

The proposal emphasizes:

- An adviser is expected “to prevent, detect and respond to cyber attacks”
- Cybersecurity incidents may result in compliance and operational risks for an adviser
- Data protection, backup, and recovery plans should address both hard copy and electronic backup and focus on risks related to cyber-attacks

Potential Fraud Liability



Notably, the SEC indicates in the proposing release that a violation of the rule, as proposed, would constitute an act of fraud. 

“[I]t would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services.”


Content of Plans

While an adviser’s business continuity and transition plan should be tailored to the risks associated with the adviser’s operations, including the nature and complexity of its business, it must address:

- Maintenance of critical operations and systems and the protection, backup, and recovery of data
- Pre-arranged alternate physical locations for the adviser’s offices and/or employees
- Communications with clients, employees, service providers, and regulators
- Identification and assessment of third-party services critical to the adviser’s operations
- Plan of transition accounting for the possible winding-down or transition of the adviser’s business

Recordkeeping Requirement -- If adopted as proposed, the rule would require advisers to make and keep all business continuity plans that are currently in effect or were in effect during the prior five years.

Liability for Third-Party Service Providers

Under the Proposed Rule, an adviser should review and assess how critical service providers plan to maintain continuity and whether those plans include alternatives that would allow the provider to continue operating during a significant business disruption. If the service provider does not have a plan that provides for such alternatives, the adviser should consider whether other service providers or internal functions should serve as a backup if needed.

The SEC considers as critical third-party service providers those that provide services related to: portfolio management; custody of client assets; trade executions and related processing and pricing; client servicing; recordkeeping; and financial and regulatory reporting.

Industry Critiques of the Proposed Rule


Industry Critiques: Fraud Liability



The asset management industry has expressed concerns about the SEC’s proposal to expand the definition of “fraudulent and deceptive” activity, potentially making an adviser liable for fraud in connection with events that inherently are beyond an adviser’s reasonable control. 



Fraud has historically been understood to denote intentional acts, and by adopting the proposed rule under Section 206(4), the SEC would be attaching a concept of deceit or manipulation to circumstances that lack such motives.

As proposed, investment advisers (and the funds they advise) could suffer irreparable reputational harm from a fraud charge based on a reasonably designed business continuity plan that was yet unable to respond fully to an unforeseeable event. 

This danger is heightened by the fact that it is difficult to know if a business continuity plan is sufficient until it is tested by an actual service disruption.


Industry Critiques: Fraud Liability (continued)

The industry may only learn what will be considered sufficient or will induce fraud liability as the SEC staff brings enforcement actions and delivers deficiency letters during OCIE examinations.

The industry’s recommendations for addressing this concern have included:

- Supplement Rule 206(4)-7 (the “Compliance Program Rule”) with additional guidance about business continuity planning rather than adopting a new rule.
- Adopt the rule under Section 204, expanding an adviser’s recordkeeping requirements.
- Remove the “fraudulent” liability for business continuity practices.
- Create a new level of accountability more directly for third-party service provider functions.

Industry Critiques: Other Concerns

Sufficiently Regulated

- The SEC and its staff have already released guidance about their expectations and best practices regarding business continuity.

Prescriptiveness and Inflexibility

Evolving Technological Environment

- Advisers cannot guarantee that the advanced technology they use to improve client services will minimize the risks of cyberattacks and glitches.

Nature of Adviser’s Business

- Firm-wide plans may be unworkable for some advisers.
- Contingency planning is not necessarily best contained in a single “plan.” A holistic approach with multiple steps and compliance policies may be more successful.

Safety of Proprietary Information

- Business continuity planning may contain inherently confidential information, and by publicizing details of an adviser’s contingency plan, the SEC may be giving potential hackers beneficial information.

Industry Critiques: Other Concerns (continued)

Understated Economic Effects

- The SEC estimates that the costs for updating policies and procedures, maintaining the plan, maintaining and upgrading systems, and conducting an annual review of the program would be $7,500 to $375,000 per adviser.
- In light of the business continuity plans maintained by banks, costs may actually be much higher.
- Media reports estimate that a single initial living will may cost over $25-30 million, and the industry believes the real figures may be multiples of that amount.

SEC Staff Guidance on Business Continuity Planning for Registered Funds


IM Guidance Update

Impetus for Guidance Update:

- A number of recent events affecting complexes and service providers
- Emphasis on a systems malfunction in August 2015 at a key service provider that prevented it from calculating accurate net asset value for hundreds of mutual funds and ETFs
- Resulting survey by the SEC’s Office of Compliance Inspections and Examinations and Division of Investment Management of practices among fund complexes and their advisers regarding business continuity planning

IM Guidance Update

The Guidance Update issued by the staff of the SEC’s Division of Investment Management highlights a number of measures the staff believes funds should consider as they evaluate the robustness of their planning to mitigate business continuity risks.

The Guidance Update notes that Rule 38a-1 under the 1940 Act requires that funds’ or their advisers’ policies and procedures address certain issues, including business continuity plans.

A curious footnote:

- “[T]o the extent…relevant”
- “Funds’ or their advisers’ policies and procedures should address the issues … identified for investment advisers”
- Authority established through guidance.

< https://www.sec.gov/investment/im-guidance-2016-04.pdf >

Mitigating Exposure



Compliance policies and procedures should be established to address business continuity planning and potential disruptions in services (whether provided internally at the fund complex or externally by a critical third-party service provider).



Fund complexes may want to consider the day-to-day operational reliance on their service providers and the existence of back-up service on multiple providers.


Due Diligence of Service Providers

- Service providers represent a potential vulnerability for fund complexes
- Initial and annual due diligence of service providers’ operations and assessments of BCPs

Critical service providers, under Rule 38a-1, include:

- Each investment adviser
- Principal underwriter
- Administrator
- Transfer Agent
- Custodian(s)
- Pricing agent

Best Practices for BCPs

The Guidance Update states that business continuity planning should:

- Cover the facilities, technology/systems, employees, and activities of the fund’s investment adviser and any affiliated entities;
- Address dependencies on critical services provided by other third-party service providers;
- Involve a broad cross-section of employees from key functional areas;
- Require at least annual testing, with the results to be shared in updates to the fund board; and
- Require that operational outages, including those incurred by the fund complex or a critical third-party service provider, be monitored by the CCO and other pertinent staff and reported to the fund board, as appropriate.

Important Considerations while Evaluating a BCP

- Whether back-up processes and contingency plans exist
- The ability to monitor incidents and implement communication plans
- How critical service providers work together
- The various types and causes of disruptions
- Plans to mitigate these risks

Implications for Directors

As part of a fund’s board of directors’ oversight function, including the hiring and continued retention of critical service providers, the board should discuss with the adviser and other critical service providers:

- The steps being taken to mitigate the risks associated with business disruptions; and
- The thoroughness of their business continuity planning.

In addition, a fund’s board should:

- Include the fund’s CCO and/or the CCO of other entities in the fund complex in the service provider oversight process;
- Receive an annual overview and update on plans from the adviser and/or other critical service providers, with CCO participation – possibly as part of the 15(c) process; and
- Receive updates on testing and reports of outages as warranted.

Recommendations


Developing a Business Continuity Plan: Policies and Procedures 

The SEC is concerned about risks that may affect an adviser’s or fund complex’s ability to continue operations and provide services to clients and investors, and an adviser’s ability to transition the management of accounts.



Business Continuity Plans should address these operational risks and other risks related to disruptions in the adviser’s or fund complex’s operations.


Practical Tips for Fund Directors

Assess your own familiarity with business continuity risks facing the funds. The SEC staff recommends that you focus on key service providers and those events that could interfere with the ability of the fund to process shareholder transactions. For example, consider:

- Natural disasters
- Cyber attacks
- Technological failures
- Key personnel at the adviser
- Vulnerabilities at service provider level
  - Dependence on specific providers
  - Access by providers to key fund or investor information: are the protective measures at those providers sufficiently monitored/assessed?
- Regulatory risks
  - Fulfilling 38a-1 obligations
  - Sufficient and accurate disclosures

Practical Tips for Fund Directors

Consider posing questions to the adviser(s) you oversee:

- Request an annual update on BCP policies and procedures.
  - How has the adviser responded to any relevant regulatory developments?
  - Was the board informed of any BCP events and the adviser’s response?
  - What testing was conducted and what were the results?
  - What training has been provided?
- How will the adviser respond to:
  - A natural disaster
  - A cyber attack
  - Unexpected departure of key fund personnel
  - Service disruption at a key service provider
- Receive an annual update on due diligence of service providers’ BCPs and any contingency plans to respond to a service provider failure.
  - What does the adviser see as the largest vulnerability for business continuity? How is this being addressed?
  - What are the industry best practices and how does the funds’ approach differ?
  - Does the adviser have ready access to industry experts to help prepare for and manage incident responses?

Practical Tips for Fund Directors

If the funds suffer a service interruption (or an event occurs that threatens to, but does not actually, disrupt services), evaluate the adviser’s or other service provider’s response.

In doing so, you may consider:

- How was the service interruption discovered?
- What was the impact on the funds? On investors?
- Were central operations (e.g., shareholder transactions and investment decision-making) compromised?
- Was the interruption or threat caused by internal or external sources?
- Who was notified (the board, investors, regulators, etc.) and when?
- What steps were taken (or are planned) to prevent a recurrence or mitigate losses?

Focus will largely be on the primary adviser/sponsor, but ask about other critical service providers.

Practical Tips for the Adviser

Consider the kinds of risks that could interrupt business operations:

- Unforeseen Loss of a Market or Service Provider
- Natural Disasters
- Homeland Security Threats
- System Failures and Technology Malfunctions
- Loss of Key Personnel
- Cybersecurity

Think about how these risks can be managed:

- Develop Short- and Long-Term Plans
- Identify Critical Service Providers and Evaluate their Business Continuity Plans

Consider administrative matters:

- Documentation and Accessibility
- Employee Training
- Alternate Physical Locations for Offices and/or Employees
- Testing and Maintenance (Annual Review)
- Updates to the Plan
- Communication with Clients, Employees, Service Providers, and Regulators

Questions?
