That old saying — hope for the best, plan for the worst? Advisers soon might not have a choice, at least about the planning part.

The SEC on Tuesday proposed a new rule that would require RIAs to adopt formal plans for how their firm would respond to a major disturbance, such as a natural disaster or the retirement or death of principal.

"While an adviser may not always be able to prevent significant disruptions to its operations, advance planning and preparation can help mitigate the effects of such disruptions and in some cases, minimize the likelihood of their occurrence, which is an objective of this rule," SEC Chair Mary Jo White said in a statement.

The commission will next begin collecting comments on the proposed rule.

The SEC had been signaling that it would advance the business continuity proposal for advisers in short order, part of a broader regulatory initiative to tighten oversight over the asset management sector.

(Bloomberg News)
(Bloomberg News)


So while not unexpected, the rule nonetheless raised alarm for some in the industry who worried whether it would impose a new compliance burden with excessively specific and potentially duplicative or contradictory planning requirements, according to Karen Barr, president and CEO of the Investment Adviser Association.

"Folks have been concerned as to whether this proposal would be overly prescriptive and not consistent with their current business continuity plans, and we're going to review the proposal in that context," Barr says in an interview.

She points out that business continuity planning is not a novel concept for the advisory industry, which is already governed by the SEC's compliance program rule, which the commission adopted in 2003.

Among many other provisions, that rule set out the requirement for advisers to maintain a business continuity plan, but did not go into the level of detail that the new proposal does, and did not address transition planning.

In the intervening years, the commission has noted advisers' increasing reliance on IT systems, increasing the potential risk from a cybersecurity breach, as well as events like Superstorm Sandy, which wreaked havoc on many firms on the East Coast in the fall of 2012.


The new rule would call for advisers to develop policies and procedures that touch on several distinct areas, including the maintenance of systems and data protection, alternate operating sites if the business needed to relocate, plans for communicating with clients and a review of third-party vendors the firm works with.

"Depending on what an adviser has in place, they may already address a number of these specific components that are listed in this proposed rule," Barr says. "We're going to take a good look at each component to make sure
they are reasonable and flexible on this."