Be Honest – Were You Really Prepared For a Massive Business Disruption? COVID-19, the SEC and Finanical Professionals

By: Robert “Bob” Boeche, II, Partner

The outbreak of the COVID-19 pandemic, subsequent closures of businesses and mandated “quarantine” laws have had dramatic effects that permeate nearly every facet of our lives. With the markets wildly fluctuating, and advisers being deemed an “essential” service, most advisers are juggling responsibilities to their clients with trying to keep themselves, their families, and their employees safe and healthy. This pandemic happened so fast that virtually everyone has been forced to deviate from normal, established procedures and conduct more of their business remotely, away from their primary office. At this point, be honest – were you really prepared for the overnight, world-wide, massive business disruption we’re experiencing?

The COVID-19 outbreak is not the first time a widespread event has caused massive closures of advisory firms, and it certainly won’t be the last. In fact, it was Hurricane Sandy – which ravaged the northeastern coast back in 2012, that caused the SEC’s National Examination Program (“NEP”) to review the business continuity and disaster recovery plans (“BCPs”) of advisers in the impacted areas to assess their compliance with applicable laws, rules, and regulations relating to BCP plans. The results re-emphasized the importance of bespoke BCPs tailored and specific to allow advisory firms to continue operating when experiencing a significant business disruption (“SBD”). However, regulators also expect advisory firms to have other “forward-looking” policies – such as succession plans, cyber-security and incident response plans and other insurance policies (as may be needed) in place to ensure fiduciary obligations to clients continue should unforeseen events occur. I address these below.

A. Business Continuity and Disaster Recovery Plans
The SEC has long taken the position that BCPs are a required book and record of advisory firms “because an adviser’s fiduciary obligation to its clients includes taking steps to protect the clients’ interests from risks resulting from the adviser’s inability to provide advisory services after, for example, a natural disaster.” A firm’s BCP should be customized and tailored to firm operations and ensure advisers are “able to perform critical business operations and maintain consistent communications with clients and employees” during a SBD. Some items to be considered while drafting and/or implementing a BCP include, but are not limited to: (i) identifying core operations; (ii) identifying key personnel (more on this below in succession planning); (iii) vetting and performing due diligence on key service providers to understand how such parties will respond to SBDs and incorporate policies accordingly; (iv) locating a secondary, or multiple offsite physical locations to perform advisory activities; (v) implement technology that allows for retention, recreation and easy access to necessary documents; (vi) regularly testing as to the efficacy of a BCP; and (vii) regularly and routinely training firm personnel as to processes outlined in the BCP.

B. Succession Plans
The question is often asked, “I already have a BCP, isn’t that the same thing as a succession plan?” While the two are related and may at times overlap, they are separate and distinct. While BCPs focus on how the business itself will continue to operate during a SBD, succession planning is the process of determining how your firm will continue operations when a “succession event” occurs to key personnel (e.g., the death, disability or retirement of a founder or a monetization event). To put it another way, BCPs focus on the business itself, while succession plans focus on the people within the business.
While a succession plan is not yet a required book and record of advisory firms registered with the SEC, several states have followed the North American Securities Administrators Association’s (“NASAA’s”) model rule that requires investment advisers to adopt a “Business Continuity and Succession Plan” for their RIA practice. Paramount to any succession plan is: (i) ensuring that the business operations continues unabated; and (ii) that a business owner is properly compensated for the fruits of their efforts in the event of a “succession event.” Some specific items to include within a succession plan could include performing due diligence, establishing a valuation for the firm, instructions as to transferring assets (if required), financing options, and/or determining whether additional notice filings/registrations are required.

C. Cyber-Security and Incident Response Plans
Having effective policies in place protecting client data is important at any time, but takes on even greater importance during a SBD. Working remotely – away from firm equipment and protections, can leave advisers and firms at increased risk of a cyber-breach. The SEC has continually stressed the importance of cyber-protections over the past decade. Several regulations have been implemented, as well as the creation of a Cyber Unit within the SEC’s Enforcement Division tasked with targeting cyber-related misconduct. Having a strong cyber-security policy in place coupled with an incident response plan is an expected practice of advisory firms. While there is no “SEC rulebook” that explicitly states what must be included in such plans, the SEC has provided a bevy of materials – including sample examination items and a webpage dedicated to such matters to assist firms. A well-developed cyber-policy should seek to identify what needs to be protected, develop safeguards surrounding such information (including how to detect potential or actual breaches), and contain actionable steps that are to be followed should a breach occur. Any firm who has yet to implement such policies should take immediate actions to do so.

D. Insurance Policies
Not to be forgotten amidst this discussion is to protect your clients by protecting your firm from potential claims. Having proper insurance in place (such as Errors and Omissions Insurance, Directors and Officers Insurance, etc.) can go a long way in providing security to the firm should issues arise during a SBD. For example, with advisers operating remotely, and communication between employees and/or with key service providers potentially slowed, there exists a greater likelihood that mistakes may be made that could expose the firm to liability. This may be compounded by wild swings in the market, or client reactions to unexpected losses in market value. Much like the other items discussed above, insurance should be reviewed and customized based upon firm activities. Some of the items to consider in this regard include: (i) reviewing firm operations to identify where risks exist; (ii) evaluate the amount of insurance coverage necessary based upon the size of the firm and present risks; (iii) determining whether additional policies/riders need be obtained; and (iv) determining whether the firm is subject to any applicable bonding requirements (i.e., as may be promulgated by state regulators, ERISA regulations, etc.).

Our firm can help you review, draft or implement any of these items. We do it all and Shustak Reynolds & Partners is here to help. We focus our practice on securities and financial services law and complex business and financial disputes. We represent many broker-dealers, registered representatives, investment advisors, investors and businesses. Please contact us by visiting our website at https://www.shufirm.com/contact/ or by calling (619) 696-9500.

1See https://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf
2Id.
3Id.
4In 2016, the SEC issued a proposed new Rule 206(4)-4 to the Advisers Act of 1940 which would make it unlawful to provide advisory services to clients unless a registered adviser has both a business continuity and succession plan in place.
5Also known as the “Model Rule on Business Continuity and Succession Planning” issued in 2015.
6See https://www.sec.gov/spotlight/cybersecurity