The security of physical offices and equipment is often overlooked as part of a registered investment adviser ("RIA") firm's business continuity plan ("BCP"). Investment advisory firms are increasingly adopting cloud-based software applications that have enabled employees to work from remote locations, but the physical equipment and offices left behind become a security weakness while those offices sit vacant. Business continuity plans should be designed specifically for each firm; however, there are common considerations related to physical asset protection that firms should take into account when designing BCP plans, especially for extended work-from-home scenarios such as those required during a pandemic.
Office Space Design
Putting pandemic business continuity plan considerations aside, RIA firms should first consider designing an office layout that helps minimize physical asset loss during a fire or other type of disaster. When crafting a BCP, investment advisers should reference building design and floor plans in order to locate all electrical, plumbing, mechanical, and safety equipment. While all files should be properly archived and backed up digitally, firms may also want to place physical servers or file cabinets only in areas with proper safety and fire suppression equipment to minimize potential damage during a fire or other disaster. In addition, if the office space is prone to flooding at the ground level, firms should consider storing files in elevated storage units. However, all of these safety precautions need to be balanced against security concerns: spreading client files across multiple locations in the office means there are more locations that must be kept locked and monitored.
Physical office security should always be a top priority, even during normal business times. When possible, RIA firms should restrict office access to employees and to authorized third-party vendors that have been properly vetted and have executed a non-disclosure agreement ("NDA"), to help safeguard sensitive client information. In addition to any general building security protocols in place, such as on-site security personnel or key card access, firms may also want to consider additional security or video monitoring systems to protect their specific office suite.
Investment advisory firms need to be aware that during a pandemic or other type of extended work-from-home scenario, burglaries and break-ins pose a significant risk. There is also an increased risk of a fire or other accident going unnoticed, given that the building is likely not being monitored as it normally would be. A basic video monitoring or security system that can be viewed remotely can prove invaluable for keeping watch over the office. Firms will also need to consider how to properly collect and secure mail sent to the office, which may contain sensitive information.
Many RIA firms have physical hardware in their offices that may store sensitive information, such as laptops, desktop computers, servers, or storage drives. Advisory firms need to ensure that proper security protocols, such as password protection and full-disk encryption, are implemented on all of these devices, and that staff follow other precautions such as locking their computers when leaving the desk and properly shutting them down before leaving the office. Password protection alone does not protect data on a drive that is removed from a stolen machine; disk encryption does. In addition, passwords for these devices should never be written down or otherwise physically accessible in the office. By taking such precautions, RIA firms reduce the risk that an authorized vendor (e.g. an office cleaning service) or an unauthorized bad actor who gains access to the office can read sensitive information from an unsecured physical device. Furthermore, should a physical device be stolen during a break-in, the ability to remotely wipe the device can greatly reduce the risk of exposing sensitive information, though remote wipe only takes effect once the stolen device reconnects to the internet, which is another reason encryption at rest matters.
Physical Information Protection
RIA firms should ensure all file cabinets in the office are properly secured with physical locks. In general, policies and procedures need to be established and training conducted to make sure staff members do not inadvertently expose sensitive information. For example, notebooks, sticky notes, or any other items that may contain sensitive information should never be left unsecured on desks, conference tables, or other shared spaces, whether during the day, overnight, or during an extended absence from the office. In addition, office whiteboards should be erased before leaving the office.
Testing and Updating
Even the best-designed business continuity plans and compliance policies and procedures need to be regularly tested and revised to respond to new and previously unanticipated scenarios. For example, now is the time for RIA firms to ensure they have implemented a robust business continuity plan that is tailored to the COVID-19 pandemic and potential future pandemics. RIA in a Box clients have access to a business continuity plan section which specifically addresses pandemics, epidemics, and outbreaks, organized into the following categories:
- General business operations including client communication considerations
- Remote operations
- Personnel including alternative forms of client meetings
All RIA firms can also access the free RIA in a Box vendor due diligence platform to help review and document critical vendor relationships during this challenging time. Firms can sign up for free here.
RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.