Private Fund Managers: The Do’s and Don’ts of Working From Home
Once a coveted work-life balance perk, working from home is now the new norm. Many private fund managers are juggling the implementation of their business continuity plans and portfolio crisis management along with homeschooling and online grocery delivery times. Some are even caring for family members who have fallen ill. Everyone is dealing with countless distractions and logistical difficulties. Many feel that a bridge has been crossed and working from home is likely to become a part of our new reality after the stay-at-home orders are lifted. Indeed, transitioning to a work-from-home environment has created new business and compliance risks for the private fund industry, and will continue to present risks as we adjust to this new era for the long haul. Please consider the following “Do’s” and “Don’ts” as your team settles into its new workspace now and for the foreseeable future:
Information Security
Do:
- Heed the ongoing recommendations of the regulatory agencies, including the Securities and Exchange Commission, to make information security a focal point of your firm’s operations. Adopt a strong “tone at the top.” Stress the importance of information security to your team on a routine basis by sending email reminders that identify and address any shortcomings and hold parties accountable for failures.
- Provide your team with the knowledge, training, tools, and protections that they need to safeguard your firm’s confidential information, including that of your fund investors. Provide updated trainings and remedial trainings as appropriate.
- Provide and require the use of a virtual private network.
- Install up-to-date anti-virus and security software and all updates.
- Restrict access to firm data and systems, including ensuring appropriate encryption and security when transferring firm data.
- Use only firm-approved systems for communication. For audio and video conferencing in particular, require thoughtful passwords and reserve the right to grant entry to, and to monitor, attendees.
- Ensure that your team is familiar with your information security professionals and is provided with designated contacts and their contact information.
- Request that your information security professionals periodically contact your team to assess their at-home setups to identify needs and deficiencies and discuss best practices.
Don’t:
- Neglect your firm’s cybersecurity policies and procedures. Ensure that your team is provided with the most up-to-date versions. As with your BCP, the policies and procedures should be reviewed and updated continuously to address risks and shortcomings as they materialize.
- Fail to impose standards for your team’s system passwords. These passwords should be complex and should be changed periodically.
- Haphazardly select third-party platforms for your firm’s use—cyber scams, including phishing and social engineering, and cybercrimes are skyrocketing and certain of these technologies are vulnerable. Conduct thorough due diligence and contact third-party vendors directly to specifically inquire about security issues that they have experienced, particularly during the ongoing coronavirus (COVID-19) pandemic, and actions that they have taken to remediate these issues.
Document Retention
Do:
- Keep track of all documents that you grabbed on your way out of the office and those that you have been printing at home.
- Retain or dispose of all documents in a secure manner consistent with your firm’s document retention and destruction policies and procedures.
Don’t:
- Leave the documents that you retain lying around. Even at home, you should properly organize and secure firm documents until you return to your office. In particular, store documents containing non-public information in a secure place. Yes, this means that you may need to lock away documents from others in your household, especially anyone who may have a potential conflict of interest, to avoid the appearance of impropriety.
- Assume that your team always knows which documents to retain. Encourage a conservative practice of over-retention, and foster a culture of “if you don’t know, ask!” Consider appointing a member of your compliance department as the “go-to” person for all document retention questions. Make sure that your team has the supplies they need at home to comply with your firm’s requirements. Amazon and other retailers have lots of options for small lock boxes and other solutions that can be delivered directly to their homes.
Insider Trading
Do:
- Acknowledge and refresh your team on continued obligations under insider trading laws and the unique circumstances presented by COVID-19. The SEC’s Division of Enforcement released a statement emphasizing its current heightened focus on insider trading. Now is a great time for a Zoom insider trading training session!
- Encourage your team to be vigilant about circumstances in which they learn potential non-public information. Foster a culture of compliance that rewards team members for asking questions before they act on potential non-public information.
- Take precautionary measures to protect non-public information from others in your household, including:
  - Use a screen shield.
  - Lock your screen while away from your desk.
  - Lock away documents not in use.
  - Use headphones and, at the very least, avoid use of speaker phone and Zoom while others are around.
  - Close the door.
  - Work in different areas than others.
- Be conscientious when using electronic messaging and emails. Stay professional at all times. Stress to your team that increased usage of electronic messaging and emails enlarges the written record and that casual conversations could be misinterpreted in hindsight.
- Make a habit of the above going forward, whether working in the office or at home!
Don’t:
- Be naïve to the logistical issues that may arise in working from home, especially if someone in your household is a corporate insider. Don’t take for granted family relations and friendships in terms of safeguarding against the appearance of impropriety.
- Fail to equip your compliance team with the tools that they need to conduct ongoing monitoring. Engage with your compliance team to be sure that they have what they need to have a virtual “seat” on the trading floor. Consider investing in software to automate compliance tasks, such as personal trading approvals, and track reviews electronically. The role of compliance has become significantly more challenging in this environment, but is more important now than ever.
- Discourage your compliance team from reporting transactions which seem suspicious.
Books and Records
Do:
- Continue compiling and maintaining your firm’s books and records in accordance with Rule 204-2 under the Investment Advisers Act of 1940 (Books and Records Rule).
- Ensure that the firm’s systems and any third-party platforms have the capability to back up all materials required under the Books and Records Rule.
- Engage your third-party vendors and conduct ongoing due diligence of their platforms. Are they operating in accordance with their BCPs? Are they experiencing any issues, particularly with respect to retention?
Don’t:
- Forget to review the Books and Records Rule and your books and records policy to confirm whether new methods of communication, such as Zoom conferencing, should be included in your books and records. The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert in December 2018 acknowledging the numerous forms of electronic messaging available but noting that only platforms permitting retention in compliance with the Books and Records Rule are acceptable. Always remember: if you are recording, inform meeting participants at the beginning of the meeting.
- Fail to stress the importance of complete and accurate books and records to your team. The OCIE previously cited violations of the Books and Records Rule as one of the five most frequent compliance issues in its examinations.
Business Continuity Plan (BCP)
Do:
- Assess and document any issues that arise with your BCP. Maintain these as a “real-time” memorandum or breach log, including if, and how, any issues were resolved. If you don’t document it, it didn’t happen.
- Contact key third-party vendors and portfolio funds regarding their BCPs and assess preparedness and any issues which they are experiencing or concerns that you may have.
- Prepare for OCIE document requests for BCP breaches occurring during this crisis.
Don’t:
- Fail to engage your team on a consistent basis regarding—most importantly—how they are doing. You also should discuss the BCP and its perceived effectiveness.
- Forget, on the other side of this crisis, to assess whether your BCP was appropriately designed with an event like the COVID-19 pandemic in mind. This crisis is an opportunity to overhaul all perceived deficiencies in your BCP so that you will be better prepared going forward.