COVID-19 has forced a new, global reality upon us. The breadth has yet to be fully comprehended. One of the new realities is the significant increase in the number of employees working from home as many firms are heeding the advice of the CDC and White House. In some cases, local and state governments are mandating this. While there are numerous legal issues that employers need to address, our focus here is on investment advisers and their obligations, primarily under the Advisers Act.
With the possibility that employees will be dispersed and working remotely for many months, now is a good time to review your business continuity plan and ensure your firm-specific risks are being addressed. For example, does your current business continuity plan provide for employees working from home? If yes, does it address the number of employees and the specific tasks being performed at home? Does it consider the broader impact on operational, compliance and reporting logistics? What, if any, disclosure duty does an investment adviser have related to employees working from home? Are there additional material risks that have not been considered and perhaps should be disclosed? Should any of the home offices be deemed additional offices that should be listed on Schedule D of ADV Part 1A?¹
Investment advisers are required to adopt policies and procedures reasonably designed to prevent violations of the Advisers Act by the adviser or any of its supervised persons. Rule 206(4)-7 does not offer a comprehensive list of specific elements that advisers must include in their policies and procedures. Instead, the Commission makes it clear that each adviser should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm’s particular operations, and then design policies and procedures that address those risks. The Commission has the benefit of hindsight, and we anticipate that advisers’ preparedness for this crisis and their business continuity plans will be reviewed by the Commission at some point.
Investment adviser policies and procedures should consider the types of risks that exist given the specific activities that supervised persons are performing while working at home. There is often an increased risk that the confidentiality that an investment adviser owes to its clients, investors, employees and others regarding its investment strategies, investment positions, financial position, investor and employee identity, client information and other confidential information could be compromised. What type of information is accessed, and how is it being accessed, including electronic files? In order to ensure that the adviser’s books, records and confidential information are not compromised, advisers should adopt adequate policies and procedures to govern this arrangement. Such policies and procedures should focus on the separateness of the adviser’s business from the supervised person’s other home activities to protect confidential information. Where training has not been conducted recently, a refresher also may be appropriate.
Cyber criminals are opportunistic. They realize that the number of people accessing sensitive information remotely will increase during this time, and they will be looking for “soft spots” where security corners have been cut. There are some basic steps advisers can take. Ensure two-step authentication is turned on and that employees are accessing electronic information only via VPNs. We also advise against sharing computers at home, which may be difficult with so many children also at home.
Last, while it is easy to say that the same standards as the office apply to an employee’s home, it just may not be practical. Certainly, advisers need to ensure they have solid control over how employees are accessing and safeguarding electronic files. Now would be an excellent time to review the SEC’s recent Risk Alerts concerning electronic data.²
Overall, advisers’ standards should include paper documents, electronic files and, in many cases, verbal conversations or voicemails that might be heard by others. The standards should include not only physical and cyber safeguards, and the disposal of such information, but also communications standards and expectations for notification in the event of a suspected breach.
I’d like to finish on a personal note. I know the current situation is very difficult and understand that our health and that of our loved ones is so much more important than worrying about a compliance program. I also understand that each of us has our own coping skills and for some, being able to focus on work for a little while can help. For others, it will be something else. Last week my 11-year-old son asked if he could help when he saw me making chimichurri in the food processor. I know it helped him watching the parsley, cilantro, garlic and shallots being pulverized. But watching his smile made my day brighter. We’re now setting up a charades evening via Skype with cousins on the other coast. Please find whatever it is, and we will all get through this. Finally, if you get the chance, please say thank you to those on the front lines, whether it is health care workers or the folks at the grocery store.
1. The SEC updated its ADV FAQs on March 16 stating that “as long as … employees are temporarily teleworking as part of the firm’s business continuity plan due to [COVID-19], staff would not recommend enforcement action if the firm does not update either Item 1.F of Part 1A or Section 1.F of Schedule D in order to list the temporary teleworking addresses.” See https://www.sec.gov/divisions/investment/iard/iardfaq.shtml#item1f
2. https://www.sec.gov/ocie/announcement/risk-alert-network-storage
https://www.sec.gov/ocie/announcement/ocie-risk-alert-regulation-s-p