In late August 2015, the financial software provider SunGard experienced an “unforeseen complication” during an operating system change. The complication led to the total breakdown of an accounting platform used by Bank of New York (BNY) Mellon, which, in turn, disrupted the operations of several large investment firms that rely on BNY Mellon for fund valuation services. The end result: According to Reuters, it was chaos that effectively threw “the U.S. funds industry into disarray.”
We’ll never know for sure whether that particular incident was the impetus for the SEC’s business continuity requirements proposed in June 2016, but it did—and still does—serve as a reminder of the reverberations that a single failure on the part of one company can have in today’s economy. It also underscores the importance of—really, the need for—fully formed business continuity plans for every industry.
SEC Business Continuity Requirements
The SEC’s proposed business continuity rule offers guidance specifically for registered investment advisers (RIAs). (Though, in our view, every company would benefit from implementing the minimal set of requirements outlined in the rule.) Our increasing reliance on technology has heightened the number of risks businesses face daily, including cyber attacks. Based on a survey conducted by MetricStream Research in July 2016, 66.2% of financial institutions had experienced a cyber attack within the previous 12 months.
According to the SEC rule, all RIAs must now formally write and adopt business continuity plans to address operational failures or disruptions. Plans must address the following five components, at a minimum:
- A plan to maintain critical operations and systems; and a way to protect, back up, and recover your data.
- Prearranged alternate physical locations for your offices and your people.
- A crisis communication plan for communicating with your clients, employees, service providers, and regulators.
- A plan to identify and assess third-party services critical to your operation as an advisor.
- A plan of transition that accounts for the possible winding-down of your business, or the transition of that business to someone else if you cannot continue to provide services.
In the SEC’s view, such plans are part of an RIA’s fiduciary duty to its clients. A failure to plan for disruptions would be considered a breach of that duty, and—due to the proposed rule’s placement under Section 206 of the Investment Advisers Act—may even constitute fraud.
That said, the SEC has also acknowledged that the complexity of business continuity plans will vary substantially with the complexity of each particular company. Meeting your responsibilities as outlined by the SEC will require designing a reasonable plan that addresses the realities of your business. To be in full compliance with the proposed rule, you will also need to review the plan annually, test it on an ongoing basis, and document all of that work.
Need help creating an SEC-compliant business continuity plan?
BCMMetrics™ has everything you need to create a plan that meets the SEC’s business continuity requirements.
Our online tools walk you through the essential stages of creating a business continuity program, including identifying your company’s most critical departments, evaluating your program’s current level of compliance, and measuring and mitigating your company’s level of risk. All of our tools are easy to use, secure, and let you self-assess your program internally without the help of outside consultants. Plus, these tools measure your program against the industry’s current best practices and standards to ensure that your plan is always up to date—and stays that way.
Want to see the BCMMetrics™ suite in action? Schedule a demo today.