As part of the OCIE Cybersecurity Initiative, #6 in the SEC cybersecurity guidance clearly states that business continuity planning is a priority.
Here’s what the SEC Cybersecurity Guidance says:
“Please provide a copy of the Firm’s written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident if one exists.”
What does this mean? What should your firm actually do in building a plan? And what are the best practices around solid business continuity planning?
Disclaimer: We are not lawyers. We are cybersecurity practitioners who work with a lot of registered investment advisors. We’re sharing what we’ve learned to help protect your business, but be sure to review your policies and documentation with a qualified compliance attorney.
What is Business Continuity? Is it different from Disaster Recovery?
Practically speaking, business continuity planning answers a very simple question. In the event of a disaster, how will you keep your business open?
While this seems like a simple question, the devil is in the details. The steps you take to stay open during a long-term power outage will likely be very different from the steps you’ll follow if all of your computers are affected by ransomware. We’ll help you through this later in the article, though.
The term “disaster recovery” is often confused with business continuity planning, and the difference isn’t always clear. Disaster recovery is usually more focused on the technical side of disasters. It covers things like backups and recovery, and how long you can afford to have your computer systems down before it causes a huge problem.
Beyond compliance with SEC cybersecurity guidelines, there’s a great reason to have a Continuity Plan — your employees. In any emergency, having a guideline to follow cuts panic and anxiety way down, and gives a clear pathway to action.
Meeting the SEC Cybersecurity Guidance about Business Continuity Planning
THE WRONG WAY:
Many firms we meet make the mistake of thinking that the “right template” is all they need to build a solid continuity plan.
They’ll Google “business continuity plan template,” download the top one, and start editing it, replacing the template’s company name with their own firm’s name.
This is a terrible idea. You end up with a plan that’s long, confusing, and impossible for your employees to follow.
This can also get you in trouble come audit time. Most of those business continuity plans are based on very large corporations. You probably won’t delete sections that don’t apply to your firm. This means that you’d be committing to actions and steps that you have no intention of actually implementing.
This is exactly what gets you in hot water come audit time. Following the SEC Cybersecurity Guidance is not about fluff and filler, it’s about PROOF. Proof that you are moving the Right Way towards safeguarding your business and your information.
THE RIGHT WAY: Four Simple Steps
Step 1: List your firm’s specific business continuity risks
Your firm has a UNIQUE list of real things that might shut down your business for extended periods of time.
As you’re building this list, consider the following:
- Power, Phone, and Internet reliability – do you suffer from intermittent outages? Do you only have one line going to the office? What would you do in the case of an extended outage, which could be increasingly likely due to Russian hackers?
- Geographical threats – is your office in an area with risk for earthquakes? Volcanoes? Floods?
- Weather – what extreme weather is likely to hit you? We have one client in southern CA that needs to be aware of extended heat waves, and the brownouts/blackouts that follow. We have other clients in the northeast who have to deal with hurricanes and blizzards.
- Technical Threats to your company – what if all of your computers were offline due to ransomware or a data breach? Or the main server at your office failed?
- Threats to your vendors – what if one of your key vendors was unavailable for an extended period of time? A few of our clients struggled when one of their cloud vendors experienced ransomware, which meant they couldn’t access their data for over a week.
PRO TIP — the site is a little clunky, but here’s a link to a fairly exhaustive “List of Threats.” Use this as a starting point with your team to start a discussion about the most likely threats you’ll face.
Step 2: Discuss and Document
Remember: these steps are all taking you towards fully meeting the SEC Cybersecurity Guidance, and more importantly, towards fully protecting your business’ resilience.
For each of the high risk situations you’ve identified, bring your team together and answer the following questions:
- How long? Are these temporary shutdowns? How temporary?
- Who needs to be notified on your team? Make sure you have up-to-date home and cell phone numbers for all of your staff members. Larger firms set up a “call tree,” which is basically a simple org chart with work, home, and mobile phone numbers.
- Who needs to be notified OUTSIDE of your team? List key vendors, partners, and clients who will need to be notified in the case of an extended disaster.
- Where should people work? What are the alternate work locations if the office isn’t available?
- Who can declare a disaster? Who are the key people who will decide when to actually implement the policy?
- Talk to your IT team about your plan. While you’re building a plan, it’s a great time to revisit your options for backing up your data (onsite and offsite), making sure you have enough batteries and generators to meet your needs, and making sure that your tech will be available in the event of a disaster.
- Have a plan for the press. It’s unlikely that your disaster will become something the media will pick up, but be clear about who is allowed to talk to the press if this becomes necessary.
- Call out unique requirements. Depending on the type of emergency, you might have specific steps you want your team to follow. For example, they might shelter in place if you think a live shooting is a risk in your area. Or they might work from home in the event of unsafe weather. Be explicit about these in your plan.
- Don’t compromise security or operations. For example, most firms require two people to approve a wire transfer. What if one of those two people isn’t available during an emergency? Have a backup approver in place.
As you’re discussing all of these scenarios, designate someone on your team to take notes. That person should then organize these conversations into a policy. If you don’t have the time or expertise in house, consider hiring a qualified expert (like us) to help you build your plan.
You can use templates for ideas on how to organize the document, or to check for things that you might have missed. But the content should be unique to your registered investment company.
But wait, there’s more…
You’re not done yet. You may have your plan documented, but there’s more to having good cybersecurity management.
The one thing you have to be honest about is your bandwidth. Do you actually have the time to handle this for your firm? If you do, then proceed to Part 2.
If not, or if you suspect you won’t, then it is time to bring in a team who can, and that’s us: AdeliaRisk and our 21 Pillars Process.
In Part 2 of SEC Cybersecurity Guidance: Business Continuity Planning, we’ll teach about the right steps to take for Communicating, Planning and Testing your continuity plan.
Ready to Dive Deeper?
Learn more about our approach to delivering robust cybersecurity for registered investment advisers by downloading our whitepaper “How Successful RIAs Handle Cybersecurity.” In the paper, you’ll learn about our 21 Pillars of Cybersecurity — 21 things that all registered investment advisors need to have in place to keep client data safe and to comply with cybersecurity guidance.