BUSINESS CONTINUITY PLAN
Exeter Financial, LLC (hereinafter referred to as “Exeter”), will utilize its access to technology, off-site record keeping and its key personnel to ensure that in the event of a loss, interruption of client service, if any, will be limited to the best of Exeter’s ability. This Memorandum presents our policies, procedures and obligations in the event of any of the following unforeseen events:
- Physical Losses (Emergency Dislocation of Office, Loss of Equipment, Loss of Communications);
- Business Operational Losses (Loss of Informational Resources, Loss of Substantial Third-Party Service Provider, Financial Loss);
- Loss due to Cyber-terrorism (Internet and Email Borne Viruses);
- Loss of Internet and Telephone Capabilities; or
- Loss of Key Personnel.
Policies and Procedures
1. Physical Losses
A. Emergency Dislocation of Office or Loss of Equipment
The first person who determines that an equipment loss or dislocation of the office has occurred shall be responsible for immediately contacting Steve Harrison, whose contact information can be found on the “contact list” attached to this Memorandum. If Mr. Harrison is not available, the first person to determine a loss shall immediately contact Dorra Tang. The individual who is initially contacted shall be the “officer in charge” until such time as Mr. Harrison becomes available. Each employee should maintain an updated contact list, which itself shall be the subject of update and distribution as necessary to all Exeter personnel. Dorra Tang shall be responsible for updating and compiling the firm’s emergency contact list.
Exeter has three primary concerns in the event that the offices are inaccessible (e.g., total loss of the building by fire, explosion, evacuation, flood, loss of power, etc.), equipment is lost (e.g., theft, failure of equipment or loss of equipment due to fire, flood, etc.) or communications suffer a disruption: (1) the records relating to firm clients; (2) the ability for the firm to continue to make and implement investment recommendations for its clients; and (3) the ability for firm clients to communicate with the firm.
(i) Backup Procedures. All information stored on the Exeter computer shall be subject to daily backups. An outside company called MozyPro backs up all data files. The data saved in user directories on the company file server is backed up through the internet and stored offsite. All email is archived through SMARSH and backed up to a write once, read many (WORM) device with proper access for compliance and personnel. Alkeme IT shall be responsible for performing the various activities that comprise the overall backup process and for ensuring the success of the backup.
(ii) Restoration of Data. In the event that the backup must be used to restore the lost data, then Alkeme IT or a designee shall be responsible for restoring the data onsite to the existing network file server. In the event of a complete loss, data restoration shall occur at a secondary location, RIA’s principal home office. Exeter personnel will be responsible for coordinating the account information with the most recently received confirmations and trade information from the account custodians for each client account to ensure that any changes in the client accounts since the time the backup was performed have been addressed and the system updated.
(iii) Restoration Location. As discussed above, the secondary location from which firm personnel may restore the data and continue Exeter’s operations and client service shall be RIA’s principal home office.
Nonetheless, if files are lost, the regular and/or disaster recovery backups should afford an opportunity for Exeter to restore the majority of the information that comprises the lost materials.
- Client Service/Client Communication
The officer in charge shall make it a priority to contact all Exeter clients and inform them of the loss and that these disaster/contingency plans are in place. At this time, the officer in charge shall endeavor to provide each client with contact information so that they may contact a representative of Exeter should the need arise. Similarly, all account custodians shall be informed of the loss and, if necessary, each custodian should be informed of the restoration location from which the firm will repopulate the network with the backup data. The officer in charge shall also coordinate with the account custodians and third-party service providers (if any) to ensure that service from these parties is affected in the least possible manner.
To the extent that a total loss of communications results, including areas beyond the firm’s offices, with or without an equipment loss, personnel shall report to either the firm’s office or restoration location as designated by the officer in charge. The officer in charge shall then evaluate the situation and determine the best method to ensure client service and communication is restored in the most expeditious manner.
2. Business Operational Loss
There are three types of business operational losses against which Exeter must protect itself and its clients: loss of informational resources, loss of one or more substantial third-party service providers, and financial loss. To protect against such losses, Exeter has made a policy of choosing vendors with adequate disaster protection and/or diversifying vendors for informational resources and other third-party service providers. In addition, Exeter will, to the best of its abilities under the circumstances, monitor and account for all company finances so that any financial losses suffered by Exeter will not adversely affect firm clientele.
3. Loss due to Cyber-terrorism (Internet and Email Borne Viruses)
Exeter considers the protection of client information and related data to be of great importance. To that end, the firm has established guidelines that seek to ensure computer security. In an effort to combat any Web-based attack, Exeter has established a security plan that includes anti-virus software and a firewall program. In addition, a password login that is individual to each firm workstation is required in order to gain access to the firm’s network. These measures are intended to assist the firm with pursuing the identification of threats to client data located in the electronic arena. In the event, however unlikely, that an irregularity or threat within this area is identified, the procedures outlined in section (1)(A) regarding restoring from backup apply.
4. Loss of Telephone and Internet Capabilities
Telephone and Internet communications may rely upon land-based telephone lines. In an effort to mitigate the damage resulting from a loss of communications, the firm employs a non-integrated communication platform wherein internet services are separate from the firm’s primary telephonic services. The firm has also employed cellular telephones for use in contacting clients as a contingency to the compromise of either service.
5. Loss of Key Personnel
The firm recognizes that Steve Harrison and Peter Helms are “key” employees, for whose loss the firm must establish contingencies in an effort to prevent disruption to client service. Should Mr. Harrison become unable to fulfill his obligations to the firm and clients, Peter Helms shall serve as alternate. Dorra Tang will serve as an alternate to both Steve Harrison and Peter Helms.
POLICY REVIEW AND TESTING
The firm shall review and test the disaster/contingency plans found in this Memorandum annually to determine whether any modifications are necessary in light of any changes to the firm’s operations, structure, business or location. While compliance with the law and with the firm’s policies and procedures is each individual’s responsibility, interpretive questions may arise. Please direct any questions related to this Memorandum to Steve Harrison.
EXETER FINANCIAL LLC BUSINESS CONTINUITY PLAN SPECIFICS
1) Computer Back-ups:
- a) Exeter Financial is contracting with a company called MozyPro to provide backup of all data that is saved in user directories on the company file server. The data is backed up securely through the internet and is offsite. For email to be in compliance with SEC regulations, the email is archived via SMARSH and backed up to a WORM device with proper access for compliance and personnel.
- b) Alkeme IT is responsible for making sure the processes for backing up the company data are working.
- c) The file server is backed up on a daily basis.
- d) Information can be retrieved from the service to any computer that we specify.
2) Alarm System:
The office is equipped with an alarm system. The company that manages the system is Bonds Alarm (602) 433-1271.
3) Data Integrity:
- a) We use Sentinel One Corporate edition to provide a centrally automated virus protection program for all computers at Exeter Financial. This is monitored by Alkeme IT.
- b) We use a Cisco Meraki MX68W firewall router to block unwanted traffic at the network gateway. Phone and voice data is segregated via a Dell PowerConnect 2848 switch.
4) Password Login:
Each employee at Exeter Financial has a unique username and password that is required to log onto computer resources belonging to Exeter Financial. New passwords are required every 90 days. Passwords are required to contain 1 number and 1 special character and to be at least 8 characters in length. Additionally, Exeter has added dual-layer authentication via Trusona’s passwordless integration. The Trusona app is synced to the desktop PC and authenticated via push notifications to a mobile device that unlocks with a fingerprint or access code.
- a) Exeter uses voice over IP technology to run its phone system via Cox Communications IP Centrex. The actual phone system resides off site and uses the internet as the method to make and receive phone calls. The phone system uses a different internet connection than the data connection used for internet and email access. Both connections are provided by the same vendor. There is no phone hardware switch at the business location.
- b) If the voice internet connection goes down, the phones will automatically roll to our cell phones. In the event phone/internet service is disrupted or lost, clients can contact any Exeter Financial employee via their cell phones.
6) Key Personnel:
- a) Steve Harrison and Peter Helms are considered key personnel within Exeter Financial.
- b) In the event of loss of key personnel due to death or disability, Dorra Tang will serve as alternate to Steve Harrison and Peter Helms.
7) Emergency Contact List:
- a) Should an employee encounter a loss or damage to company property and/or client information, Steve Harrison should be contacted.
- b) Dorra Tang is responsible for updating and compiling the Exeter Financial emergency contact list.
- c) Dorra Tang is responsible for creation and distribution of the Exeter Financial emergency contact list.
- d) The Contact Persons Emergency List can be requested through Dorra Tang.
8) Steve Harrison is the designated response person surrounding Exeter Financial policy and procedures.
9) The principal’s home office would be used as a secondary location to restore information and systems from back-up. User data and email data are stored offsite and can be retrieved to a new location in the case of loss of office.