*This post was originally published by RIA in a Box on September 2, 2020.
As many registered investment adviser ("RIA") firms implement and revisit their work from home and remote work policies, it is more important than ever to make sure that your firm has the proper systems in place. Due to COVID-19, RIAs have been faced with new and ongoing compliance and operational challenges. In many cases, these challenges have created important regulatory and compliance questions and considerations that may not have been considered in the past. Some challenges include: (1) employee supervision; (2) cybersecurity; (3) password management; and (4) Business Continuity Plans ("BCPs"). Here is a quick breakdown of what to think about in each of the four categories:
Employee Supervision
RIA firms are required to supervise their personnel, including providing oversight of supervised persons' investment and trading activities. A firm's supervisory and compliance program should include policies and procedures that are tailored to its specific business activities and operations and should be amended as necessary to reflect the firm's current business activities and operations.
The above begs the question, does your firm have the capability to continue to remotely supervise staff members who may not be physically located in the office? Is the firm utilizing a web-based compliance software solution to ensure that employees continue to complete required compliance tasks, submit advertising content for review, submit personal securities transactions, etc.? Unfortunately, firms without the proper systems in place will be particularly vulnerable to potential "bad actor" compliance issues.
As firms make significant changes in response to the effects of COVID-19, including telework conducted from remote locations, and respond to operational and technological challenges, it is important for firms to review and, where appropriate, modify their supervisory and compliance policies and procedures.
Cybersecurity
Working remotely creates a new set of considerations around cybersecurity. With the switch to remote work, many RIA firms have seen a significant increase in attempted cybercriminal activity.
During turbulent times, firms are at an increased risk of cyber attacks and systems being compromised. In addition, the use of remote offices and heightened anxiety among employees, in particular, may make RIA firm employees more vulnerable to email phishing attacks. It is imperative for firms to remain vigilant in their surveillance against cyber attacks and take steps to reduce the risk. Employees not accustomed to remote work need to be trained on the proper cybersecurity best practices and precautions which include:
Password Management
Many RIA firms have physical hardware, such as laptops, desktop computers, or storage drives, that may store sensitive information. Advisory firms need to ensure that proper security protocols such as password protection are implemented on all of these devices and also follow other precautions, such as ensuring all computers are locked when leaving the desk and properly shut down at the end of the day. In addition, any passwords to access such devices should not be written down or physically accessible.
Business Continuity Plans
During this time, RIA firms are being required to test their business continuity plans to see if they hold up to a disruption lasting months on end. In dealing with a global pandemic, advisors need to address not only how their advisory business is being disrupted but also, by extension, how their clients, personnel, and suppliers/vendors are being impacted.
Once you have systems and plans in place, don't forget to test your BCP to look for holes in your RIA firm's systems and processes.