OCIE and COVID: Protecting Your Business While Advising from Home

COVID-19 has impacted pretty much every role out there, including that of Registered Investment Advisors (RIA). The Securities Exchange Commission (SEC) and the Office of Compliance Inspections and Examinations (OCIE) continue to provide guidance to address the challenges faced, but it may take firms a while to adapt.

Here at itSynergy, we wanted to look at three key areas where remote advising may be most impacted and offer actionable tech-centric steps for your organization.

Protection of Investor Assets

Investment firms have always had the responsibility of protecting their investors’ assets, and that need has increased as RIAs are now working from home rather than their safeguarded office environment.  This shift may require modifying typical operating practices in how you do things like collect and process investor checks, transfer requests and manage personally identifiable information.

From a tech perspective, it’s important to verify the authenticity of the communication. Emails are all too easy to spoof these days, and there is no replacement for face-to-face meetings.

RIAs should be more robust in developing policies and procedures to ensure the security of those assets, focusing on overcoming the limitations of working remotely. Be aware that, while having policies and procedures in place is the first step, OCIE examiners will want to make sure you’re actually following them, rather than just having them on paper.

How you operated in the office may not translate to a remote workplace, so make sure you’re adapting and adding in technology to modify your home office. For example, in the pre-COVID days, a trader would verify a request with the manager of a customer’s account to make sure the request was legitimate. Now you can’t walk down the hall in your office to do so, therefore you need an effective way to manage and verify that request. There are technology solutions that can assist.

Action Steps

• Review your policies and identify for how you will adjust them and change practices to meet today’s remote work challenges.
• Ensure your team adheres to your new policies. The OCIE auditor wants to see that you have written policies AND that you are following them and doing exactly what you said you would do.
• Find technologies that will assist in securing and protecting investor assets.

Business Continuity

With so many compliance policies and procedures in this industry, we’re seeing a lot of frustration in trying to adhere to those policies in a remote work environment. From a client perspective, there may be concern about whether the RIA can continue full, secure operation and management of their investments. Creating assurance of business continuity is of the utmost importance, especially when it comes to:

• Availability and protection of personal information currently stored in paper files. A tech discussion around scanners, centralized storage, security and access is needed.
• Physical security – is your office no longer occupied? It’s important to think about security and access control. This can include setting up cameras and sensors to remotely monitor your space.
• Remote technology monitoring – when you are not in your office, how do you know when error messages are going off on a server and other technology assets? A solid MSP will look beyond Windows-based tools to create system-level approaches to ensure that all of your office-based technology is working well.

Action Steps

• Consider modifying policies to fit your remote work situation.
• Look for technology tools that ensure compliance as a stopgap. itSynergy’s (MSP) services for RIAs can help, including collaboration-building strategies such as shifting from on-premise servers to SharePoint.®

Protection of Sensitive Information

This topic represents a huge tech area RIAs need to consider. Three key points come to mind:

1. Over the past six months, we have seen a variety of strategies deployed to enable remote workforces. Some companies provide employees with a company laptop. Some send entire work desktops home. Others have directed staff to utilize a home (personal) computer and connect it to a VPN that connects it to your desktop computer at the office. Frankly, this option punches a big hole in your security wall. As an MSP, we may not be able to deploy all the necessary tools to properly monitor a personally owned computer and ensure the vast amounts of sensitive data RIAs access and share is safe.

• Regardless of the devices your employees will use to work, they all need to be encrypted. Whether it is office devices sent home or personal devices, a good MSP will ensure that best-in-class encryption is in place on all devices.

• Now more than ever you must be constantly educating your team about cybersecurity. We strongly recommend regular simulated phishing testing and training. We have seen a spike in “bad” emails about COVID and our guards seem to be down. Please ensure you are providing reminders about the elevated threat levels.

Action Steps

• Encrypt all devices – no matter where they are physically located right now.
• Schedule routine cyber awareness training and testing.

How itSynergy Can Help

The good news is that as many concerns and issues as there are during this pandemic, technology can go a long way to remedying many of them. Technology tools can overcome obstacles presented in security and business continuity.

We can also help with the physical security of your tech assets, such as servers and switches, when the office is not being used.

itSynergy can review existing documentation to see if any tech documentation needs to be updated now that your team is working remotely. And, when it comes to modifying and adhering to updated policies, there may be tech-based methods that can aid in verifying compliance, i.e. new reports or metrics.

itSynergy can help your RIAs keep running on full steam with an updated technology strategy. Contact us to set up a compliance tech assessment and learn more about investor asset protection today!