RIAs should be aware of revised standards governing business continuity and succession plans. IT Management Company RightSize Solutions offers this article to Advisor Advocate readers, outlining key areas that advisors and their technology service providers might address. (Find out more about RightSize Solutions in the Scottrade® Advisor Services Strategic Resource Center.)
Business Continuity: More Than Just a Good Business Practice These Days by Wes Stillman*
Regardless of the circumstance, registered investment advisors (RIAs) should be able to assure their clients that their system will run at all times. The North American Securities Administrators Association (NASAA) adopted its Model Rule 203(a)-1A or 2002 Rule 411(c)-1A, requiring state-registered RIAs to develop business continuity and succession plans that detail how they will minimize service disruptions and client harm in the event of a disruption. The Securities and Exchange Commission is also expected to pass a similar rule for larger RIAs.
To comply with these new standards and to protect their clients, advisors should work with their technology service providers, focusing on these areas of concern:
1. Access. To ensure that services are not disrupted in the event of an emergency, you should document who will be authorized to have control of and access to the firm’s systems. An emergency kit of files should be held offsite so the RIA can have complete access to them without needing the master technology service provider (MTSP). Advisors are then assured of access to their data, even if a disruption involves the MTSP.
2. Information Readiness. Client and employee contact information, system and custodian access information, and the business continuity plan should be readily accessible in the event of an emergency. What constitutes mission-critical data varies from one RIA to another. However, it is important for the MTSP to consider client and employee contact details, the business continuity plan, access information for core systems, technology vendor information, and custodian and other trade-related information. The MTSP should be able to extract all of this information from the firm’s relevant applications and have it stored in an encrypted folder. The RIA’s plan should outline how the MTSP will provide instant, automatic access to all of this data and relevant platforms.
3. Communications. An information-sharing and communications strategy with employees, vendors, regulators and other key constituents is crucial during a crisis. Custody, clearing, trade-execution, CRM and record-keeping platforms all need to be kept in the loop. Contacting other technology vendors so the RIA gains easy access to the platform is another area where the MTSP can assist.
4. Long-Term Operations. While immediate response is vital, RIAs need to be prepared for worst-case scenarios. In the case of a prolonged event, RIAs should have plans for data migration, cybersecurity issues, relocation and other technology-related matters. Because outages can happen at any time, it is imperative that advisors work with their MTSP to have a plan in place for remote work arrangements. After Hurricane Sandy hit in 2012, RIAs in and around Hartford, Conn. and New York, N.Y. worked securely and without interruption at local fast food restaurants offering free Wi-Fi. While setting up shop at the nearest public Wi-Fi hotspot is not a long-term plan, it can be a stopgap solution for firms with their data securely stored and ready for retrieval.
As advisors strive to meet these new requirements, their best resource will be their technology providers. Relying on the experts will help create a stronger plan and streamline the development process. Managed security service providers are trained and ready to help RIAs meet these regulations.