Welcome back to SEC Cybersecurity Guidance: Business Continuity Planning. The first steps (found here in Part 1) are: List your Specific Needs, and Discuss and Document... and here, in Part 2, we talk, and plan, and test.
Disclaimer: we are STILL not lawyers. We are cybersecurity practitioners who work with a lot of registered investment advisors. We've read the SEC Cybersecurity Guidance top to bottom. We’re sharing what we’ve learned to help protect your business, but be sure to review your policies and documentation with a qualified compliance attorney.
After you’ve built your first draft, take the time to review it with anyone who might be impacted in the event of a significant business disruption. Include:
Once the review is complete, you will have a very easy time publishing it and training people (since everyone will already be familiar with the content). It is a great document to show your action and intent to meet the SEC Cybersecurity Guidance.
PRO TIP: Make sure a few copies of your business continuity plan are kept somewhere safe off-site. Having a plan sitting on your server won’t do you any good if you can’t access the office. It’s always good to have a hard copy to show an SEC auditor.
Here’s a business continuity story with an unhappy ending. They met the SEC Cybersecurity Guidance, but not their own critical needs.
One of our clients had a solid business continuity plan. They also had a server room that needed to be up and running 24/7.
They were prepared for extended outages as the electrical grid in their area wasn’t super reliable. They were also at high risk for rolling brownouts and blackouts.
One of their most important business continuity measures was a generator. They’d fire it up once a month, and thought that they could survive any disaster as long as they could get fuel deliveries.
However, they only tested the generator to make sure it started up. They never confirmed that it could actually handle the full load of their IT equipment.
Late one Friday (of course -- bad things always seem to happen on Fridays), the power went out. The generator kicked on, but almost immediately about half of their computers turned off. This became a very serious business disruption, and caused issues both internally and with the firm’s customers.
This could have been prevented if they had taken the time to PROPERLY test their business continuity plan: not just confirming that the generator starts, but running it under the full load it is expected to carry.
Another of our clients is based in the northeast. Every year, they’re guaranteed to have at least one snowstorm. Their business continuity plan is simple -- everyone works from home. So each year, they pick the first major snowstorm and declare it to be their business continuity “test.” Everyone tests their connectivity, they discuss the test in their next staff meeting, and a memo is put in the compliance file for future reference.
They’ve figured out ways to test their business continuity plan with almost no added work required.
Some firms run business continuity tests annually. Others do it more frequently.
Some also use “tabletop exercises,” which are basically professional Dungeons & Dragons-style roleplaying to simulate a disaster. These are good exercises to perform once a year to at least logically walk through your plan when a live simulation isn’t possible.
PRO TIP: During your tests, make it a point to discuss whether anything that you will do will affect your business continuity as well as your cybersecurity. For example, will two-factor authentication continue to work properly during the disaster? Will it work just as well on the home computer as it does in the office? Should people bring their laptops home in the event of a predictable disaster (like a blizzard or hurricane)? And have they been trained on how to safely transport laptops?
Some firms have the time and expertise to build these plans in house. If you’re trying to build your own plan, we hope you’ve found this guide to be helpful.
If you don’t have the time to build your business continuity plan properly, or if you want to leverage the help of experts, we can help.