Salvatore Faia JD CPA CFE President CEO Vigilant

Salvatore Faia, JD, CPA, CFE, President & CEO, Vigilant Compliance, LLC

Business Continuity Overview
  I. Business Continuity Plan Requirement for Advisers
  II. Joint Review of Business Continuity and Disaster Recovery Planning of Firms & NEP Risk Alert
      a) Observations and Notable Practices
      b) Weakness Noted and Possible Future Considerations
  III. Key Takeaway

Business Continuity Plan Requirement for Advisers
  • SEC Adopting Release Nos. IA-2204
      - Effective Date: February 5, 2004
      - “We [SEC] expect that an adviser’s policies and procedures, at a minimum, should address the following issues to the extent that they are relevant to that adviser…. Business Continuity Plans.”
  • Footnote to Business Continuity Plans
      - “We [SEC] believe that an adviser's fiduciary obligation to its clients includes the obligation to take steps to protect the clients' interests from being placed at risk as a result of the adviser's inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel. The clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations.”

Joint Review of BC and DR Planning of Firms & NEP Risk Alert
  • Joint Review of the Business Continuity and Disaster Recovery Planning of Firms
      - Date Published: August 16, 2013
      - Following Hurricane Sandy, the SEC, FINRA, and CFTC jointly reviewed the business continuity and disaster recovery (“BCP”) planning of firms.
      - Firms with significant market presence were contacted and, as a result, the SEC, FINRA, and CFTC compiled best practices and lessons learned.
  • Risk Alert: SEC Examinations of Business Continuity Plans of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year
      - Date Published: August 27, 2013
      - The SEC’s National Examination Program (“NEP”) reviewed the BCPs of approximately 40 Advisers in impacted areas to assess their compliance with applicable laws, rules, and regulations relating to BCP plans.
      - The Alert contains the NEP staff’s observations and lessons learned from the BCP Review.

Joint Review of BC and DR Planning of Firms & NEP Risk Alert
  1. Widespread Disruption Considerations
     a) General Observations and Notable Practices
        i. Advisers generally adopted and maintained written BCPs.
        ii. Advisers generally distributed their BCPs internally; some required signed certifications.
        iii. Some BCPs addressed critical systems and were tailored to fit operations.
        iv. Some BCPs considered continued facility and systems operations with remote access by employees.
        v. Some Advisers required all business units to identify contingency scenarios & derive solutions.
        vi. Some Advisers formed special committees.
     b) Weakness Noted and Possible Future Considerations
        i. BCPs did not adequately address & anticipate widespread events (e.g., PMs unable to work from home or other remote locations).
        ii. BCPs should address and anticipate widespread events, including possible interruptions in key business operations and loss of key personnel for extended periods.
        iii. Remote access is an important component of business continuity planning.
  2. Alternative Locations Considerations
     a) General Observations and Notable Practices
        i. Advisers generally switched to back-up sites or systems in advance.
        ii. Some had back-up facilities on power grid separate from primary facility.
        iii. Some maintained critical business functions in multiple locations.
        iv. More often employee homes, branch offices, data centers, or hotels were used.

Joint Review of BC and DR Planning of Firms & NEP Risk Alert
     b) Weakness Noted and Possible Future Considerations
        i. Some did not have geographically diverse locations, even when diversification would be appropriate.
        ii. Loss of internet connectivity was an issue for many advisers reviewed.
        iii. Advisers should evaluate how to operate during electrical failure & loss of utilities (e.g., cable, phone).
        iv. Establish back-up site inland if business located on coast.
        v. Advisers should consider back-up sites farther away from main office.
  3. Vendor Relationship Considerations
     a) General Observations and Notable Practices
        i. Some Advisers required third party service providers to test their BCP annually.
     b) Weakness Noted and Possible Future Considerations
        i. Did not evaluate the BCPs of their service providers (e.g., did not acquire or critically review service provider SSAE 16 reports and BCPs).
        ii. Did not keep an updated contact list of vendors.
        iii. Advisers should review IT infrastructure and geographical location of service providers.
        iv. Advisers should evaluate how to operate in the event of disrupted operations at service providers.
  4. Telecommunications Services and Technology Considerations
     a) General Observations and Notable Practices
        i. Advisers generally implemented technology that allows employees to work remotely (e.g., VPN).
        ii. Maintained current portfolio data at multiple service providers.

Joint Review of BC and DR Planning of Firms & NEP Risk Alert
        iii. Established & tested server internet connection via wireless cards.
        iv. Elevated electronic equipment in ground level facilities.
     b) Weakness Noted and Possible Future Considerations
        i. Did not engage service providers to ensure back-up servers functioned correctly. Rather, relied solely on self-maintenance, which led to more interruptions in key business operations.
        ii. Should consider having alternate telecommunication service providers, including internet.
        iii. Should consider the use of “cloud computing.”
  5. Communications Plans Considerations
     a) General Observations and Notable Practices
        i. Generally communicated with employees before, during and after storm.
        ii. Some regularly communicated status of operations with clients via:
            a. Recorded Messages;
            b. Website Status Updates;
            c. Third Party Vendors; and
            d. Answering Services.
     b) Weakness Noted and Possible Future Considerations
        i. Inadequate planning on how to contact & deploy employees during crisis.
        ii. Inconsistently maintained communication with clients & employees.
        iii. Should consider implementing communication plan for employees, clients, & vendors.

Joint Review of BC and DR Planning of Firms & NEP Risk Alert
  6. Regulatory and Compliance Considerations
     a) General Observations and Notable Practices
        i. Some BCPs contain processes for completing regulatory and compliance tasks.
     b) Weakness Noted and Possible Future Considerations
        i. Should update BCPs to include new regulatory requirements.
        ii. Should consider time-sensitive regulatory requirements; a crisis event can occur at any time.
            a. For example, the month end financial process.
  7. Review and Testing Considerations
     a) General Observations and Notable Practices
        i. Generally tested BCP prior to storm.
        ii. Some developed comprehensive plans tested periodically, typically annually.
        iii. Some tested generators frequently (e.g., weekly).
     b) Weakness Noted and Possible Future Considerations
        i. Inadequately tested BCPs; applied limited scenario testing assumptions or none of all critical operations/systems.
        ii. Should consider conducting full BCP test at least annually.
        iii. Consider conducting annual or more frequent BCP Training.
        iv. Consider incorporating stress tests into BCPs.

Key Takeaway
  “Advisers should review their continuity plans in light of the staff’s observations and consider revising their plans if they see ways to make them better.”

Salvatore Faia, JD, CPA, CFE
President
Vigilant Compliance, LLC
Brandywine Two
5 Christy Drive, Suite 208
Chadds Ford, PA 19317
Office: (610) 558-1750
Cell: (610) 757-7273
• Philadelphia • New York • Boston • Stamford • London