Navigating Business Continuity Plans Post COVID-19: Five Issues Independent Directors Need to Consider
We're excited to feature our guest blogger, Peg McLaughlin, who brings to the table a regulatory and governance perspective which is additive to the deep dive we provide on the compliance side. Peg has vast experience advising independent board members, working inside the asset manager, and previously serving as a regulator. In her post, Peg highlights five things independent board directors should consider for business continuity during unprecedented times.
COVID-19 has created unprecedented business interruptions that no organization could have fully anticipated or prepared for. Reliance on the existing technology infrastructure for global financial markets makes the asset management industry particularly vulnerable to the evolving challenges presented by this pandemic. In this chaotic environment, mutual fund investors need to be confident that independent directors are diligently protecting their interests and ensuring adviser accountability. Independent directors need to be asking the right questions of advisers regarding the impact of COVID-19 on their ability to service their funds. These discussions should begin with a thoughtful examination of the adviser’s Business Continuity Plan (“BCP”), including a reassessment of risks through the lens of the new post-COVID reality. In particular, independent directors need to actively address these key areas with their advisers:
- Updates to pre-COVID Risk Assessment and BCPs: Most BCPs were written with a temporary setback in mind (natural disasters, problems with a physical location or a crash of a server). It is safe to say that few businesses had fully considered the effects of a long-term workforce displacement or the strain on technological resources. Operational interruptions and third party provider responses to a pandemic were likely not considered. While there are many areas of disruption that should be considered, directors should look at the BCP’s performance generally before delving more into specific areas of concern.
  - Ask for a full evaluation of the adviser’s pre-COVID BCP
  - Engage in frank, high-level discussions of what worked, what did not, lessons learned and consequences
  - Inquire as to the feasibility of an updated risk assessment and short term revised BCP vs. a long term, more permanent solution
- Cybersecurity Issues and Technology Constraints: A large number of employees working remotely has strained the technological resources of many advisers. While many investment managers have migrated to cloud based computing, some still maintain servers to host their technological assets. Servers may have experienced downtimes and other issues when capacity was stretched by remote workers. Employees may be using home devices not previously authorized for use and now accessed through unsecured networks. Advisers may also have adopted new collaborative technology platforms such as Zoom, Slack, Webex and Microsoft Teams. Boards need to be discussing the risks inherent in all of these scenarios with the adviser.
  - Discuss with the adviser whether a switch to cloud based computing should be considered
  - Ask what controls have been put in place to move people to secured networks on authorized devices
  - Review reports of any data loss or phishing attacks
  - Inquire as to whether software updates and patches have been impacted
  - Receive updates from the adviser on its ongoing testing strategy (including the use of regular penetration testing, a Security Information and Event Management (“SIEM”) system for tracking traffic and potential outside intrusion attempts and regular reviews of social media and instant messaging accounts)
- Third Party Service Provider Performance: Advisers will need to assess the performance of their third party service providers. Custodians, valuation services, trading partners, administrators and distribution channels should be contacted regarding their performance during this time.
  - Ask about service level agreements with these vendors and whether they have been reviewed in light of the pandemic
  - Inquire as to the extent third party vendors have tested their internal controls and whether their results have been made available to the adviser
  - Assess remediation efforts by these providers in areas of documented weaknesses
  - Discuss contingency plans for replacing vendors in the event of service disruptions or unacceptable performance
- Regulatory Disclosure Obligations: COVID-19 forced many advisers to adopt new communication platforms, often without the luxury of being vetted beforehand. However, the widespread temporary use of these platforms does not negate the regulatory requirements for data retention or disclosure.
  - Discuss the adviser’s methodology for capturing data from various new platforms and the steps taken to protect it from loss
  - Ask how required data is identified and preserved in an acceptable format for regulators
  - Inquire how disclosures regarding valuation, business disruption and liquidity are being protected within the adviser’s technology and adequately presented to regulators when necessary
  - Consult fund and adviser CCOs to assess how compliance policies and procedures have been impacted by the BCP and the actions taken to meet their regulatory obligations
- Logistical Realities of Onsite Returns: It is unclear as to when, or if, advisers will fully return employees to their physical office spaces. Logistical realities and the economic impact of workplace displacement should be discussed.
  - Inquire as to the adviser’s short and long term intentions for a return to office spaces, as well as their plans for keeping employees safe should they return
  - Understand the human capital impact of the long term physical displacement of employees
  - Address protection of technology assets inside current office spaces and how these assets may be impacted by any reduction in existing physical office locations
Independent directors will have many issues to consider in the coming months. BCP performance and reassessment should be at the top of their list. Impacts to physical, technological, third-party and human capital resources should be continually reviewed and evaluated with their advisers. Now, more than ever, directors should be working closely with advisers to protect investor interests during this uncertain time.
Peg McLaughlin is an accomplished financial services executive who has a deep and extensive background in legal, compliance and operations which originated from her early days with the Securities and Exchange Commission as well as the Department of Justice. Most recently she served as a founding member, General Counsel and Chief Compliance Officer of a $4B registered investment adviser focusing on credit strategies. Prior to that she was a senior leader supporting the Oakmark Funds and specialized in designing a governance framework for their independent board of directors. She may be contacted here: Peg McLaughlin.