How to Create a Strong BCP for the New Normal
Your financial service firm likely already has a business continuity plan (BCP) in place, but are you absolutely certain it will survive an audit? Though regulations have mostly remained the same during the COVID-19 pandemic, regulators have released advisories indicating that broker-dealers must adapt their existing strategy to inevitable changes. The SEC, FINRA and state agencies have all made clear they expect you to fulfill the same requirements while implementing new procedures that address variations such as remote work.
Coronavirus and the new normal have only accelerated the growth of the digital world, highlighting the impact of all the interconnected technology dispersed between personal and business spaces. Your firm must be able to keep up with and adapt to this evolution, before the shadow IT devices and hidden endpoints in your network lead to a compliance breach. Do not let complacency with past minimum requirements put your firm in danger – learn how to better measure your contemporary disaster risk and protect your clients’ data against all threats.
Read below to help you discover how to ensure your business continuity plan survives an audit:
The Right Data Backups Are the First Step to Business Continuity
Backing up your data is the first and one of the most important steps to an effective BCP, but it should not be as simple as moving files to a separate drive. FINRA requires you to maintain both hard copy and electronic backups, and to be able to ensure recovery of critical information. This means doing everything you can to safeguard those files from disasters: moving them offsite, increasing the frequency at which data is backed up, and ensuring your methods maintain the integrity of the data so that what you restore matches what you backed up.
Managing Operational Risk for IT Assets
Business continuity planning for modern systems must include an assessment of the operational risk your firm’s IT assets face from any type of Significant Business Disruption (SBD). Everything from personal cyber hygiene to where your software is hosted determines your network’s attack surface, which in turn determines the potential impact on your processes. If you have unprotected device endpoints, or data living somewhere it cannot be recovered immediately during an incident, then this affects your recovery and ultimately your compliance.
Are Your Mission-critical Systems Protected from Threats?
The impact of the 2020 pandemic should force everyone to take a hard look at what is defined as a mission-critical system, with the final answer being anything that enables your firm to work*. Your business continuity plan should take account of where access to IT resources is paramount to keeping you productive (software, network, etc.), and identify the risk of those resources experiencing downtime. FINRA encourages (and, in the case of MFA, obligates) members to look into solutions that help protect users from cyber threats that could take down your systems, including ransomware attacks that lock you out of your own data.
*Mission critical system definition according to FINRA Rule 4370 (g)(1):
“Mission critical system” means any system that is necessary, depending on the nature of a member’s business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
Personal Data and Cybersecurity
Contemporary financial service regulations across the board state clearly your firm’s obligation to safeguard your clients’ personally identifiable information (PII). This encompasses all the data that makes up an individual’s profile, from relatively benign items like their name to more sensitive items like bank account numbers. Increasingly stringent consumer privacy laws compel you to defend every place where PII is stored, including your CRM, and you must take the right steps to ensure the cybersecurity of your software.
How Fast is Your Disaster Recovery?
It is not enough to have a disaster recovery solution – it must deliver a recovery time objective (RTO) that lets you resume operations and continue serving clients while keeping their data intact. This is not solely a matter of technology either; many of your practices, from backups to cybersecurity, will significantly affect how quickly and seamlessly you are able to restore your systems. You must develop your BCP around what needs to be brought back online first and within what time frame, to prevent any loss of information in the interval.
How Do You Ensure Essential Employees Can Keep Working?
FINRA’s business continuity guidance requires you to be able to provide an alternative location if an incident prohibits work at your primary office. However, the COVID-19 social distancing restrictions illustrated a scenario where the most reasonable substitute was to allow employees to work from home. In the event of a similar occurrence, your plan should specify the steps and resources that will be devoted to enabling telecommuting, including cybersecurity measures for remote workers.
Understanding Cloud Security for Mission-Critical Software
With distributed workforces being mass-deployed for likely the first time in history, software and infrastructure delivered as a service (SaaS and IaaS) made a clear difference around the country. As the world migrates increasingly to digital consumption, understanding cloud security best practices must be a priority for your firm. FINRA has made clear that using web-based applications should come with additional review of your BCP to address how hosted environments differ from the requirements written for traditional environments.
Building Electronic Audit Trails for Compliance Reporting
Compliance reporting can be greatly improved by technology when best practice is applied to building comprehensive, accurate and consistent audit trails. Modern software will allow you to consolidate your disparate data flows into a single source of truth and streamline decision-making with process automation features. Working with a solution partner (or IT provider knowledgeable of your applications) will also enable you to customize your system and build an integrated technology stack that processes information seamlessly.
Keeping Clients Connected to Their Money During an SBD
FINRA’s business continuity rules explicitly state that if your firm determines that operations cannot be resumed, your ultimate priority is to ensure client access to their funds and securities. This means, at a minimum, preserving the systems and data that keep your customers connected to their money in the event of an emergency, as well as maintaining communication with them. Hosting your applications in a secure cloud environment provides a redundancy solution, as your files will be protected by your provider in a separate, backed-up database.
Learn More About the Business Continuity Plan Essentials
Business continuity and disaster recovery for the financial services industry has taken on an even greater role in the wake of the continuous disruptions of 2020. Ensure your firm is prepared to fight unpredictable forces in 2021 and beyond by reading our guide to the four BCP Essentials.
Download SWK’s free ebook here to learn more about the 4 Business Continuity Essentials and how to make sure your firm’s BCP survives an audit.