Paula Kennedy was lucky. A senior manager and a financial planner for executives at Deloitte & Touche at 2 World Financial Center–just across the street from the destroyed World Trade Center towers–she was scheduled on September 11 to work out of the company’s Parsippany, New Jersey, office. Kennedy had her laptop with her and thus all her relevant client data, but about 80% of the people in her group in lower Manhattan didn’t.
Fortunately, none of Deloitte’s World Financial Center employees was harmed in the attack, although windows were blown out. In the days following the tragedy the employees were relocated to other company offices in Manhattan, New Jersey, Long Island, and Connecticut.
“We lost considerable productivity while Deloitte searched for housing for us and started the process of renting computers,” Kennedy explains. “I would say that very little got done the first two weeks. We spent a lot of time calling clients, who were much more worried about us than about their records or their tax returns.”
With clearance from New York authorities, Deloitte & Touche was recently allowed to retrieve some equipment from its downtown offices including hard drives, laptops, and paper files. “We had to make lists of files we needed, and prioritize,” says Kennedy. “They would get what we asked for, within reason.” Because not all files could be carried out, some client data remains inaccessible. But since the company performs daily data backups, storing them off site, most client information was available to employees as soon as they were operative in their temporary office digs.
At present, Kennedy and 600 of her fellow employees are working out of four floors of the Marriott Marquis hotel in midtown Manhattan, where they expect to be for at least 60 days. Kennedy is ensconced in room 1840. “It’s like a dorm quad,” she says. The hotel removed beds from all the rooms and installed four tables in each. Deloitte techies jury-rigged a computer network which “sometimes even works,” Kennedy jokes. While it’s not easy functioning under these conditions, it’s no longer impossible. And this, along with the strange and slow process of getting back to a state they all once knew as “normal,” is something that Kennedy and her co-workers feel grateful for. The company plans to move back to 2 World Financial Center, but for the moment, no one is saying when that will happen.
That the entire nation was ill prepared for what occurred on September 11–not just New York financial district firms–has given rise to a reevaluation of methodologies in any number of business areas, the most relevant to advisors being those issues relating to data security and succession planning, be it temporary or permanent. Advisors admonish their clients to possess the mental fortitude necessary to withstand market histrionics that would threaten the sanctity of their asset allocation strategies, and be ready for any eventuality. But how ready are advisors?
Imagine. You survive a catastrophe in your home town involving terrorists, nut cases, or natural havoc in the form of earthquake, fire, or flood–but your office doesn’t. It no longer exists. Or, as in the case of the Deloitte & Touche employees in downtown Manhattan, the old office will not be usable for weeks or months.
Your Rolodex is toast, along with every personal and professional note, memo, photograph, or letter you had filed in manila folders for safekeeping. Your computers are kaput, your SEC files burned to ash, waterlogged, mangled, or covered with toxic asbestos waste, and your framed, professional degrees lie shattered on the floor. Your disaster plan might have included digitized documents, off-site backups, spare personal computers, and other contingencies required to raise your office from the dead. But wary of non-essential expenditures and lacking the resources of a large firm, you didn’t have one. As a result, you are left with nothing.
Mindful of Dostoevsky’s observation that “realists do not fear the results of their study,” what exactly have we learned from the once unimaginable World Trade Center tragedy–and our own projected worst-case scenarios–that might enable us to better plan and function should something unexpected happen again?
In terms of preparedness, Paul Baumbach, president of Mallard Asset Management Corp. in Newark, Delaware, likens advisors to the cobblers’ children who go shoeless. But many planners have something in place, however rudimentary. The goal now is to make that something a whole lot better.
“I try to practice what I preach about preparing for contingencies,” says Judith Martindale of Martindale Associates in San Luis Obispo, California, “but it’s a process.” Seeing what Martindale and Baumbach and others have done and are doing regarding the safeguarding of data and business succession planning may shed light on your own strengths and weaknesses in the same vital areas, or bring to mind others that may need attention.
Baumbach is fortunate in that he has two degrees in computer science, and in a prior career helped to develop a backup system for users of Unisys mainframes. “As a result, ‘embraced technology’ is an understatement for my firm,” he says. There are six computers for the firm’s two employees: two personal workstations, a file server (which includes the backup drive and scanner), a Net server (running Linux, with a firewall for a DSL line), a little-used laptop, and a conference room system. Baumbach uses an OnStream 30GB backup drive, with daily backups of data (not programs)–and each day he carries the backup tapes offsite.
He performs desktop upgrades every 12 to 18 months. It’s a process that helps remind him of the wide range of software he uses, and the need to maintain a system good enough to track it. He also recently purchased an Epson Perfection 1640SU scanner with automatic document feeder and PaperPort software. While he’s “dedicated” to using it for all new clients–part of an effort that will also reduce office paper–he intends to gradually capture existing client data, which he estimates will take a year or two.
The Bottom Line of Security
What’s all this protection cost? It’s hard to pinpoint an exact figure, since some equipment is used for multiple purposes. For example, Baumbach has a network enabling him to have a client presentation in the conference room while at the same time allowing the file server to hold all critical files and back them up daily. He offers these rough estimates: $2,500 for hardware, $300 for software, $750 for consulting expenses, and five minutes each day to swap tapes. The tapes, he notes, are fairly expensive ($300 or so per year) and should be replaced every few months. His protection costs–totaling some $3,850–could be lower than other small firms because he is capable of doing most of his own support work (for example, he built the file server himself with his son one weekend last month). But his actual costs are likely to be higher because, being a “technology addict,” he insists on implementing more than the minimum.
While Martindale, like Baumbach, lacks the true paperless office, she does scan all client retainer agreements for the SEC, and maintains the firm’s compliance manual in both hard copy and electronic form. Each client’s net worth and investment information can also be found in both hard copy and electronic form. “I’m still duplicating lots of material but am printing out less and less,” she says, adding that in the process she and her staff have grown “more competent and confident” with the computer. As for backup, it’s done on site twice a week. Twice a year (since her firm prepares taxes, this is performed in June and again at year end) all data is backed up. It is then taken and stored off site in Martindale’s own safe deposit box.
As for data protection costs, her firm uses three PCs and one laptop, which all serve various purposes. The scanner is the only piece she purchased “specifically for having the retainer agreements in the computer.” Her contingency equipment breaks down thusly: three PCs, $3,300; a router, $79; a Hewlett Packard scanner, $139; a Zip drive, $150; Quantum Snap Server, $499–for a grand total of $4,167.
Like most advisors, since September 11 Martindale has stepped up her efforts at safeguarding data and formulating contingency plans. “Just today we ordered more memory for all the computers,” she says. “I personally love to delete items but my office manager, I discovered today, has information hidden where I can’t get to it. My staff knows and takes care of me so I can take care of my clients. It’s a good system.”
One advisor who does lay claim to running a paperless office–which as a means of easily and effectively safeguarding client and office data is itself a giant step in the right direction–is Dennis Carpenter, president of International Wealth Management, an independent broker/dealer office located in Grapevine, Texas, that is affiliated with Prospera Financial Services.
Carpenter’s paperless office is made possible by LaserFiche Document Imaging (www.laserfiche.com), a division of California-based Compulink Management Center Inc., which manufactures document imaging and document management software products. The products, he says, are compliance friendly to most broker/dealers, registered investment advisors, and especially to the NASD and the SEC.
“Now when you visit clients in their home or office, you can scan their documents into your laptop and never have to physically take possession of clients’ valuable papers,” Carpenter explains. “Then, no matter where in the world you are, you can have immediate access to the documents.” In the meantime, he adds, “you donate your filing cabinets to your church, school, or favorite charity. Everybody wins.”
Like most prudent advisors, Carpenter is a stickler for data backups, LaserFiche or not. “Systems are becoming faster and faster,” he notes, “and you must religiously back up the files every day and then remove the backup copy from the physical premises to a secure offsite area; maybe a fireproof safe at home.” But he believes not enough is being done in terms of data destruction. He cites as incentives confidentiality concerns, the Gramm-Leach-Bliley Privacy Act, and a proliferation in the number of stolen identity cases.
“You better not be letting one piece of paper go out of your office with any legible client information on it,” he cautions. “If you do, it’s not a question of if you’ll be sued, it’s just a matter of when and for how much.” If you don’t have a paperless office, get a paper shredder fast, he advises.
When All Is Lost
What happens when a planner’s contingency plan doesn’t pan out (or one is lacking to begin with) and data loss is total? “I shudder to think,” says Baumbach, who offers the following advice: In the absence of compliance files–paper and computer–he would contact his clients posthaste, along with his state regulatory office, and explain the steps he would be taking to “reconstruct what I could.”
These steps might include asking clients to bring in their folders to their next meeting with him, whereupon he would photocopy everything. He would also try his hand at, for example, “forensics” in the form of “grabbing old copies of computer files off a machine used two years ago.” He would contact all his vendors (Advent is at the top of his list) to get what assistance he could for data warehoused outside his firm.
As an independent investment advisor, Baumbach doesn’t have a B/D; for client accounts he uses primarily TDWaterhouse, which does not offer him any disaster planning system assistance, he says.
If he lost just his unscanned paper files, he would be able to access the bulk of them in stored digital form as Word, Excel, Advent, and ProTracker documents and files. “This wouldn’t be catastrophic.” As for office reference material–manuals on programs such as ProTracker and Advent are used regularly, as is the most recent tax guide and a few of his core CFA books–not much that sees regular use is irreplaceable.
Planner Martindale reports that since she has an ongoing relationship with most of her clients, if her office data were destroyed she would have to get new signatures when she next saw them. “Although I don’t remember names well, once I can place a client, I can remember much of their net worth and investments,” she says. As for replacing office reference material, much of the information she uses, including that relating to taxes, resides online because of its time-sensitive nature.
Ready for What?
Y2K and its attendant forecasts of data doom and chaos undoubtedly ensured a level of readiness among many planners who otherwise wouldn’t have felt pressed enough to make the effort. But since Y2K itself proved such a dud, the long-term aspects of that readiness often fell by the wayside. This happened to Mark Beck, vice president of Financial Strategies in Brookfield, Wisconsin. Under his direction and prior to Y2K, the firm developed a total backup system. The plan to launch additional systems to ensure frequent onsite backups and periodic offsite backups, however, never really materialized; with so much else to do in running a firm, it just didn’t seem necessary. The September 11 disaster catapulted information systems and the safeguarding of data to the forefront in Beck’s three-person office, and thousands like it everywhere. “I have become increasingly aware of our vulnerabilities,” he says, “and am actively working on cementing the processes we began back in 1999.”