As part of the OCIE Cybersecurity Initiative, #6 in the SEC cybersecurity guidance clearly states that business continuity planning is a priority.
“Please provide a copy of the Firm’s written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident if one exists.”
What does this mean? What should your firm actually do in building a plan? And what are the best practices around solid business continuity planning?
Disclaimer: We are not lawyers. We are cybersecurity practitioners who work with a lot of registered investment advisors. We’re sharing what we’ve learned to help protect your business, but be sure to review your policies and documentation with a qualified compliance attorney.
Practically speaking, business continuity planning answers a very simple question. In the event of a disaster, how will you keep your business open?
While this seems like a simple question, the devil is in the details. The steps you take to stay open during a long-term power outage will likely be very different from the steps you’ll follow if all of your computers are affected by ransomware. We’ll help you through this later in the article, though.
The term “disaster recovery” is often confused with business continuity planning, and the difference isn’t always clear. Disaster recovery is usually more focused on the technical side of disasters. It covers things like backups and recovery, and how long you can afford to have your computer systems down before it causes a huge problem.
Beyond compliance with SEC cybersecurity guidelines, there’s a great reason to have a Continuity Plan -- your employees. In any emergency, having a guideline to follow cuts panic and anxiety way down, and gives a clear pathway to action.
Many firms we meet make the mistake of thinking that the “right template” is all they need to build a solid continuity plan.
They’ll Google “business continuity plan template,” download the top one, and start editing it, replacing the template’s name with their firm’s name.
This is a terrible idea. You end up with a plan that’s long, confusing, and impossible for your employees to follow.
This can also get you in trouble come audit time. Most of those business continuity plan templates are written for very large corporations. You probably won’t delete the sections that don’t apply to your firm. This means that you’d be committing to actions and steps that you have no intention of actually implementing.
This is exactly what gets you in hot water come audit time. Following the SEC Cybersecurity Guidance is not about fluff and filler, it’s about PROOF. Proof that you are moving the right way towards safeguarding your business and your information.
Your firm has a UNIQUE list of real things that might shut down your business for extended periods of time.
As you’re building this list, consider the following:
PRO TIP -- the site is a little clunky, but here’s a link to a fairly exhaustive “List of Threats.” Use this as a starting point with your team to start a discussion about the most likely threats you’ll face.
Remember: these steps are all taking you towards fully meeting the SEC Cybersecurity Guidance and, more importantly, towards fully protecting your business’s resilience.
For each of the high risk situations you’ve identified, bring your team together and answer the following questions:
As you’re discussing all of these scenarios, designate someone on your team to take notes. That person should then organize these conversations into a policy. If you don’t have the time or expertise in house, consider hiring a qualified expert (like us) to help you build your plan.
You can use templates for ideas on how to organize the document, or to check for things that you might have missed. But the content should be unique to your registered investment company.
You're not done yet. You may have your plan documented, but there's more to having good cybersecurity management.
The one thing you have to be honest about is your bandwidth. Do you actually have the time to handle this for your firm? If you do, then proceed to Part 2.
If not, or if you suspect you won't, then it is time to bring in a team who can: us, AdeliaRisk, and our 21 Pillars Process.
In Part 2 of SEC Cybersecurity Guidance: Business Continuity Planning, we'll walk through the right steps to take for Communicating, Planning and Testing your continuity plan.
Learn more about our approach to delivering robust cybersecurity for registered investment advisers by downloading our whitepaper “How Successful RIAs Handle Cybersecurity.” In the paper, you’ll learn about our 21 Pillars of Cybersecurity -- 21 things that all registered investment advisors need to have in place to keep client data safe and to comply with cybersecurity guidance.