As many registered investment adviser ("RIA") firms implement and revisit their work from home and remote work policies, it is more important than ever to make sure that your firm has the proper systems in place. Due to COVID-19, RIAs have been faced with new and ongoing compliance and operational challenges. In many cases, these challenges have created important regulatory and compliance questions and considerations that may have not been considered in the past. Some challenges include: (1) employee supervision; (2); cybersecurity; (3 )password management; and (4) Business Continuity Plans ("BCPs"). Here is a quick breakdown of what to think about in each of the four categories:
RIA firms have are required to supervise their personnel, including providing oversight of supervised persons’ investment and trading activities. A Firm’s supervisory and compliance program should include policies and procedures that are tailored to its specific business activities and operations and should be amended as necessary to reflect the Firm’s current business activities and operations.
The above begs the question, does your firm have the capability to continue to remotely supervise staff members who may not be physically located in the office? Is the firm utilizing a web-based compliance software solution to ensure that employees continue to complete required compliance tasks, submit advertising content for review, submit personal securities transactions, etc.? Unfortunately, firms without the proper systems in place will be particularly vulnerable to potential "bad actor" compliance issues.
As firms need to make significant changes to respond to the effects of COVID-19 on a firm's telework conducted from remote locations, and responding to operational and technological challenges it is important for firms to review and, where appropriate, modify their supervisory and compliance policies and procedures.
Working remote creates a new set of considerations around cybersecurity. With the switch to remote work, many RIA firms have seen a significant increase in attempted cyber criminal activity.
During turbulent times, firms are at an increased risk of cyber attacks and systems being compromised. In addition, the risk of cyber incidents with the use of remote offices and heightened anxiety among employees, in particular may make RIA firm employees more vulnerable to email phishing attacks. It is imperative for firms to remain vigilant in their surveillance against cyber attacks and take steps to reduce the risk. Employees not accustomed to remote work need to be trained on the proper cybersecurity best practices and precautions which include:
- Secure Internet Connections: Staff should be instructed to only access the internet from secure WiFi connections or via a virtual private network ("VPN"). Employees should avoid accessing public WiFi networks which are vulnerable to exploitation of sensitive information via a man-in-the-middle attack when a malicious actor is able to intercept information being transferred via an insecure internet connection.
- Tracking Employee Devices Used to Conduct Business While Working Remotely: It is more than ever important for advisory firms to ensure that they have a full device inventory of all systems that staff members are utilizing while working from home. If staff members are utilizing their own devices to conduct work, there may be a number of new information security issues for RIA firms to consider. Policies and procedures will likely need to be updated to address these potential challenges. In particular, employees should not store any sensitive, non-public information on non-company devices without the proper security protections.
- Increase in Phishing Email Attacks and Wire Fraud Scams: Employees should be extra cautious as it relates to targeted email phishing or fraudulent wire requests which may be more difficult to identify and avoid as employees are not protected by company firewalls or the ability to easily verify authenticity. It is imperative for firms to remain vigilant in their surveillance against cyber attacks and take steps to reduce the risk. Employees not accustomed to remote work need to be trained on the proper cybersecurity best practices and precautions.
Many RIA firms have physical hardware that may store sensitive information such as laptops, desktop computers, or storage drives. Advisory firms need to ensure that proper security protocols such as password protection are implemented on all of these devices and also follow other precautions such as ensuring all computers are locked when leaving the desk and properly shut down at the end of the day. In addition, any passwords to access such devices should not be written down or physically accessible.
Business Continuity Plans
During this time, RIA firms are being required to test their business continuity plans to see if they hold up a disruption lasting months on end. In dealing with a global pandemic, advisors need not only address how their advisory business is being disrupted but also by extension how their clients, personnel, and suppliers/vendors are being impacted.
Once you have a systems and plans in place, don't forget to test your BCP to look for holes in your RIA firm's system and processes.