What Investment Advisers Need to Know About the SEC Proposed Business Continuity and Transitions Plan Rule
The Securities and Exchange Commission (SEC) recently proposed Rule 206(4)-4, which would require investment advisers to adopt business continuity plans (BCPs) and transition or succession plans. The rule is intended to help advisers maintain continuity of services in the event of a business disruption.
If you missed it, our recent webinar featuring our Director of BCP Lisa Smith and speakers from Arthur Bell CPAs examines internal, external and transition-related risks to business continuity, mitigation strategy best practices and the points highlighted by the SEC within the rule.
Potential Risks to Business Operations
The SEC stresses that investment advisers need to assess not only external threats but also internal threats in order to ascertain their own risk from a holistic standpoint. This evaluation is critical to identifying the risk impact on specific capabilities and operations, as well as how they will affect the firm’s employees, clients and third parties. Advisers should take a proactive and organized approach to creating risk mitigation programs for employee activity as well as for required systems (e.g. email and Internet). Risk mitigation programs should include documentation of processes, segregation of responsibilities, cross-training on critical tools, etc.
There's a lot to learn about business continuity planning for investment managers. To help, you might want to watch our recent webinar highlighting the SEC's June 2016 business continuity guidance update. The SEC not only highlights the importance of being able to access critical systems and applications during a disruption, but also the importance of effective communication.
It is vital to communicate with your employees about the procedures of your business continuity plan before, during and after an incident. By doing so, you set the wheels in motion by creating the guidelines for the firm’s recovery.
Effective communication should include, but not be limited to:
Accounting for employees;
Setting workload expectations; and
Providing employees with recovery status updates.
Let’s take a deeper look into those strategies.
Whether it is your summer interns heading back to school or a full-time employee moving on, an investment firm must have a detailed employee termination checklist for information technology (IT) that is diligently followed.
But what are the key items that must be on your employee termination checklist?
Here’s a foundation for an employee termination checklist:
Contact the IT department or IT provider to terminate or change network and application logins
Ensure subscriptions are either cancelled or changed
Collect employee equipment such as laptops, monitors, mobile devices, etc.
Ensure employee has documented transition procedures
Reset the user’s password and disable the account
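The account-related items on that checklist (terminating logins, resetting the password, disabling the account) can be scripted so they happen in the same order every time and leave an audit trail. The PowerShell offboarding routine below is an added example, not code from the original post or from Eze Castle Integration; it assumes a Windows domain administered with the RSAT ActiveDirectory module, and the OU path, log path and parameter names are assumed placeholders.

```powershell
# Added example (not from the original post): Active Directory offboarding
# routine for the checklist items an IT department can automate.
# Assumes a domain-joined admin host with the RSAT ActiveDirectory module and
# a disabled-users OU; the OU path below is a placeholder, not a real value.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$DisabledOU = 'OU=Disabled Users,DC=example,DC=local',   # assumed OU
    [string]$LogPath = "$env:TEMP\offboarding.log"                   # assumed log
)

Import-Module ActiveDirectory

$user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Enabled
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

# 1. Reset the password to a random value first, so that any cached or shared
#    credential stops working even if the account is later re-enabled by mistake.
$chars  = [char[]](33..126)
$random = -join ((1..32) | ForEach-Object { $chars | Get-Random })
$secure = ConvertTo-SecureString $random -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
Remove-Variable random, secure

# 2. Disable the account and record when and by whom it was disabled.
Disable-ADAccount -Identity $user
Set-ADUser -Identity $user -Description "Disabled $stamp by $env:USERNAME (offboarding)"

# 3. Remove group memberships: network and application access granted through
#    groups (file shares, VPN, line-of-business logins) ends with the membership.
$groups = @($user.MemberOf)
foreach ($group in $groups) {
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
}

# 4. Move the object to the disabled-users OU so it drops out of policies and
#    directory-sync rules that apply to active staff, and reviewers can see at a
#    glance which accounts are pending deletion.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU

# 5. Write an audit line. The remaining checklist items (collecting equipment,
#    cancelling subscriptions, confirming transition documentation) stay manual
#    and should be recorded in the same log by whoever completes them.
"$stamp`t$SamAccountName`tpassword reset, account disabled, $($groups.Count) groups removed, moved to $DisabledOU" |
    Add-Content -Path $LogPath
```

Run it as an account with rights over the user's OU and the target OU, for example `.\Offboard-User.ps1 -SamAccountName jdoe`. The password reset deliberately precedes the disable so that a later accidental re-enable does not restore the old credential, and the appended log line gives a compliance reviewer evidence that the IT portion of the checklist was completed and when.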
Last month, the SEC issued a guidance update for registered advisers regarding how funds (and their service providers) plan for potential business disruptions. Eze Castle Integration’s Certified BCP Planners have reviewed the guidance and recently shared their thoughts on how hedge funds and private equity firms can meet the SEC’s growing expectations and standards with regard to business continuity practices.
Read on for five takeaways from the SEC’s business continuity guidance update or scroll down to watch our full, 30-minute webinar replay.
Include All Key Components of Your Firm
When writing a BCP, firms undoubtedly remember to create plans for their physical office facilities and technology systems, but it is important that you don’t overlook other important components that drive the well-being of your firm. This includes data/colocation centers, employees, activities and dependencies on critical third parties. You could face an array of issues affecting one or more factors within your firm, so it is important to implement a business continuity plan that not only addresses potential risks but also outlines comprehensive protection methods.
A BCP is a Living Document
Internal participation is a fundamental driver for a successful BCP. From senior management executives to representatives from Human Resources and Compliance, internal business continuity contributors need to be informed of and up-to-date on policies and procedures. The BCP should also take into consideration the ideas, recommendations and changes brought forward from other departments within the firm.
Remember: A business continuity plan is dynamic, therefore changes and challenges faced need to be transparent with all parts of the company.
Today’s private equity funds are increasingly being compared to their hedge fund counterparts and, as a result, are also facing more scrutiny. When it comes to managing and mitigating risk, PE fund managers are wrestling with growing threats on the security front and beyond and mounting pressures from the likes of the SEC and other industry best practice standards.
Security and Business Threats for Private Equity
Security threats abound for financial services firms, and private equity firms are not immune. From the inside out, the risks to PE firms grow daily, with savvy and experienced hackers looking to target financial firms – and perhaps more concerning – untrained and unaware employees blindly putting their firm’s operational standing in danger.
Beyond cybersecurity, however, there are also business threats to consider. Non-security incidents – everything from minor, incidental business disruptions to large-scale, regional impact events – can also wreak havoc for private equity firms otherwise unprepared to resume business functions. Downtime may prove to be less concerning for a PE manager than his hedge fund counterpart, but that does little to calm uneasy clients and investors who expect operations to run smoothly at all times.
PE Firms Feeling the Regulatory Pressure
The above security and business threats pose a serious challenge for private equity firms today. But beyond managing those risks to satisfy a fund manager’s own inherent desire to protect his/her firm, private equity firms also face significant and growing pressure from external bodies to meet operational excellence standards that continue to develop and evolve.
As hedge funds, private equity firms and other financial services organizations work diligently to develop and maintain organizational business continuity plans, an item often lost in consideration is employee personal planning. While firms should focus on how their businesses will recover from a disaster scenario or disruption, it’s also helpful to be proactive in addressing how employees can recover from these scenarios if family members/friends are affected or if the employee himself is affected outside of working hours. Here are a few tips for employers:
Plans and resources are helpful in getting employees more organized, but for employers, finding time to develop and gather these materials can be difficult. It might be easier to have employees gather together and discuss emergency preparedness techniques and why they are important. Consider providing some resources such as binders or forms where employees can write down contact information of insurances, utility vendors, neighbors, etc. Encourage employees to research local/regional emergency preparedness information as well. Getting the conversation going and providing some resources or relevant websites can better ensure that planning activities happen prior to a disruption.
Alternate locations are not just for the workplace. Employees' family members and roommates should have established meeting spots if evacuating the residence is necessary. Two locations are recommended: one close to the residence and another perhaps slightly farther away (e.g. down the street or at a neighbor’s house or apartment), in the event it’s not safe to be at or near the closer meeting site.
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focused mostly on firm investment history, performance, etc. On the IT side, it may have asked “are you using an outsourced IT provider” or even “do you have a disaster recovery system,” but beyond that there was very little inquiry into the types of technologies being used at hedge funds or the protections in place to mitigate risk.
Of course, times have changed and now we see investor DDQ documents upwards of 5-10-20 pages in length and asking great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences for this due diligence evolution.
Whether you're shopping around for new outsourced providers/business partners or just reevaluating them, it’s always important to consider the vendor’s approach to continuity and how that could impact your business. If your firm has a comprehensive business continuity plan in place and you conduct regular BCP tests, you might think your responsibility ends there. However, if the service providers that you engage with do not also have proper disaster recovery systems and business continuity plans and test said plans regularly, they are exposing your firm to serious risk and may be the weakest link in your continuity or recovery.
To properly conduct review and discussion with vendors and business partners, firms should have a series of questions and discussion points ready. Four critical areas you may want to review include continuity program activities, disaster recovery system details, business continuity procedures, and communication practices.
Continuity Program Activities: This includes ensuring that the vendor or business partner regularly reviews and updates the necessary plans and procedures. Do they conduct ongoing tests of their disaster recovery systems? They should also be testing and exercising their business continuity plan. Finally, they should provide employees with the necessary training on these plans, both when the plan is first implemented and at least annually thereafter.
Disaster Recovery Systems: During vendor discussions and evaluations, ensure your business partners identify the location or locations where data is backed up. They should also state the recovery time objectives (RTO) for that data, so you can compare them with the RTOs outlined within your own plan. This matters because the RTO defines the point after a disaster by which you are expected to have access to critical systems and data. If RTOs are unclear, you run the risk of being unable to work or to access the data or information you need, potentially disrupting clients and even violating contracts or regulations.
The information below was originally derived from the expert panelists who spoke at a 2010 Eze Castle Integration event. Given how important this topic is we’ve updated the article to reflect today’s market.
The subject of hedge fund operational due diligence is one that has risen to the forefront for both hedge fund managers and investors in recent years. Prior to the economic downturn in 2008 and the high-profile investment scandals made infamous by Bernard Madoff and others, hedge fund due diligence was viewed as an unnecessary assignment.
Historically, there has been a general lack of transparency within the hedge fund industry; larger funds, particularly, used to balk at investor inquiries. They figured there would never be a shortage of investors, so there wasn't a need to spend extra time satisfying their needs.
Due diligence, as a process, did not gain significant importance until recently. In the past, the responsibilities associated with it would often fall under the role of a CFO, CCO or other executive – someone who had very little time to devote specifically to due diligence. But as the industry has evolved over the last several years, so has the need and desire for operational due diligence.
So what exactly has changed?
Did you hear the story of the Central Bank of Bangladesh that lost $81 million to hackers? It happened in February 2016 and goes like this. The bank believes hackers carried out an intrusion that allowed $81 million to be taken from the bank’s foreign exchange account at the Federal Reserve Bank of New York. It appears that the initial point of entry for the hackers was a spear-phishing email, potentially sent weeks before the fraud took place, which gave the criminals time to remotely monitor and probe the bank’s networks without detection.
This is just the latest advanced threat facing financial organizations. Beyond cyber technology (which is essential), organizations need an internal culture of security, an ongoing, organization-wide commitment to defining and adhering to careful, thoughtful policies that reduce or eliminate “people vulnerabilities” through assessments, awareness, and education.
We recently published a Four Step Guide to Creating a Culture of Security. Here are some highlights from the full paper.
1. Create a Computer Incident Response Team
Your first step is to find the right people who can oversee your information-security policies and be part of a “Computer Incident Response Team.” Although IT professionals are responsible for overseeing and maintaining your computing infrastructure, you also need business users to play a central role in your security initiatives.
After all, they’re the ones who use these resources – and the ones who can represent the biggest vulnerabilities and risks. While the team’s responsibilities can vary, many CIRTs are active in several key areas:
Create a Plan
Create Training Programs
Respond to Incidents
Communicate with Peers/Industry Groups