As many registered investment adviser ("RIA") firms consider and revisit their work-from-home and remote work policies, it is more important than ever to make sure that your firm has the proper systems and business continuity plan ("BCP") in place. Cloud-based software provides the ability to continue running a business in the event of an emergency by allowing access to critical company systems from any location. While we often think of emergencies as lasting only a day or two, we often don't consider catastrophic interruptions that may last months. It is important to make sure your BCP addresses those situations. Some considerations when reviewing your BCP should include: (1) communication strategy; (2) regulatory considerations; (3) tech stack; and (4) cybersecurity. Here is a quick breakdown of what to think about in each of the four categories.
Be sure to communicate to clients how the firm may be conducting business if the office is not accessible. Whether working from home or from the office, communication should be seamless.
- If deploying web-based video conferencing technology for the first time with clients, be sure to proactively offer training now to ease client concerns and make future video conferences with clients more seamless.
- Make sure to inform clients if there is now a faster way to access employees in times of urgency.
- Communicate to clients if physical mail will not be regularly checked, along with alternative methods for securely sending information to the firm.

Regulatory Considerations

Be sure to consider and map out all critical processes the firm will need to perform in the coming weeks and months (e.g. quarterly client billing, portfolio rebalancing, quarterly client meetings, Form ADV renewal filing, creation of the new Form CRS, etc.). Make sure your firm is equipped to adjust to a remote workforce around the potential issues. Some additional considerations include:
- Supervision: Does the firm have the capability to continue to remotely supervise staff members who may not be physically located in the office? Is the firm utilizing a web-based compliance software solution to ensure that employees continue to complete required compliance tasks, submit advertising content for review, submit personal securities transactions, etc.? Unfortunately, firms without the proper systems in place will be particularly vulnerable to potential "bad actor" compliance issues.
- Archiving: Will all forms of potential client communication be properly archived? If adopting new technologies or systems to communicate with clients, make sure that the systems can be properly archived as required. For example, if employees will be using mobile phones to communicate with clients and as such may now be texting with clients, is there a system in place to properly capture that communication for review and archiving?
Does your existing tech stack provide the ability for employees to work remotely? Consider immediately adopting web-based internal communications and collaborative workflow software to help with productivity during an extended remote work scenario for employees. Some top solutions to consider include:
- Video Conferencing: Zoom
- Internal Communications: Slack
- Compliance Software for Supervision: MyRIACompliance
- Password Management: LastPass
- Phone Systems: Ensure that all phone systems are accessible / transferable for employees working remotely. For example, many voice over internet protocol ("VOIP") solutions now offer web-based phones that allow employees to use their laptop / work from home device as a phone.
During turbulent times, firms are at an increased risk of cyber attacks and systems being compromised. In addition, the use of remote offices and heightened anxiety among employees may, in particular, make RIA firm employees more vulnerable to email phishing attacks. It is imperative for firms to remain vigilant in their surveillance against cyber attacks and take steps to reduce the risk. Employees not accustomed to remote work need to be trained on the proper cybersecurity best practices and precautions, which include:
- Only access the internet from secure WiFi connections or via a virtual private network ("VPN"). Employees should avoid accessing public WiFi networks which are vulnerable to exploitation of sensitive information.
- Employees should not store any sensitive, non-public information on non-company devices without the proper security protections.
- Employees should be extra cautious about targeted email phishing or fraudulent wire requests, which may be more difficult to identify and avoid when employees are not protected by company firewalls and cannot easily verify authenticity.
Once you have systems and plans in place, don't forget to test your BCP to look for holes in your RIA firm's systems and processes.
RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.