
INTERVIEW: Hurricanes, Fires And Hackers - What To Do In A Crisis

Tom Burroughes Group Editor November 13, 2017


Disaster preparedness is not just for thousand year flood events like Hurricane Harvey. It’s more likely that more common disaster events - a water leak, fire, office break-in or a ransomware attack - could disrupt and even cripple your business.

Whether they are considered entirely natural disasters or maybe the results of human action, hurricanes, floods and fires have focused attention on how businesses can prepare for the worst and put recovery plans into action. Wealth managers cannot afford to ignore these threats, any more than they can ignore the disruption and costs of cyber-security attacks. 

This publication recently spoke to Thomas Phelps, chief information officer and vice president of corporate strategy at Laserfiche, a California-based firm producing software for enterprise content management, business process automation, and analytics. Laserfiche develops solutions for capture, workflow, forms, e-signatures and case management, among other services. Phelps is part of the executive team that launched Laserfiche Cloud in 2015. Previously, he was the national entertainment and media champion for cybersecurity at PwC. He was part of a five-person startup team that launched the Internet Products Software Division at Motorola. 

(More on Phelps below.)

Although this year has seen a number of natural or allegedly man-made disasters/events, are there specific reasons why disaster preparedness is something you think needs to be particularly addressed? 

Disaster preparedness is not just for thousand year flood events like Hurricane Harvey. It’s more likely that more common disaster events - a water leak, fire, office break-in or a ransomware attack - could disrupt and even cripple your business. 

We had one client in New Jersey who went on vacation to Disney World. When he got back home, he found that his basement office was flooded. A water line to his fridge had burst and flooded 100 bankers’ boxes and 15 four-drawer filing cabinets with water.
 
Have you seen evidence of problems of lack of preparation that have caused you concern? 

In Los Angeles, we recently experienced Santa Ana winds that created wind gusts up to 70 miles per hour. This is just below a Category 1 hurricane. In December 2011, the Santa Ana winds knocked out power to more than 340,000 people including my home near Pasadena. Strong winds felled trees, knocked over power lines and forced the evacuation of businesses and residents from their homes. 

Many firms have not prepared for these types of events. What if all your vital records for your business are stored in filing cabinets in your office, and you can’t access them during a disaster event? I’ve seen businesses prepare business continuity plans, but store them on hard drives that failed or weren’t backed up properly.  

Should disaster preparedness be part of a more general risk management approach to managing business anyway? 

Savvy firms include risk management in their business decisions. These organizations define their risk tolerance in order to make the right investments for disaster preparedness. 

Any thoughts on risk management more generally and how the insights of insurance, for example, apply here?

Organizations should conduct a risk assessment as part of their business continuity management activities. A risk assessment should identify threats and vulnerabilities, likelihood of risk occurrence and the potential impact. This should be coupled with a business impact analysis that identifies critical business processes, recovery time objectives, recovery point objectives and other areas. 

Firms may have several strategies to respond to identified risks. This includes accepting the risk, avoiding the activity that creates risk, mitigating risk by implementing appropriate controls or transferring risks. Buying insurance is one method to share a risk and transfer some of the impact to another organization. 

Cyber-security has put a focus on man-made threats to business continuity - how is this issue encouraging people to think a bit more about these issues? For example, the attacks may have encouraged people to realize that financial privacy and other forms of privacy are more serious than perhaps they had realized before. Any thoughts on this?

A cyber-attack could not only disrupt your business, but also impact the survival of your business. In addition to federal regulations, almost all 50 states and US territories have breach notification requirements that involve significant compliance costs as well as exposure to civil lawsuits. 

Criminals are going after wealth firms because they contain a treasure trove of personal and financial information for high net-worth individuals. Executives are juicy targets for phishing attacks to perpetrate wire fraud because they run their own businesses or have approval authority for wire payments. 

You need to look at your cyber insurance coverage and make sure you’re insured against losses and the costs of responding to a breach. Costs could quickly exceed several hundred thousand dollars, if not millions, to hire third parties to defend against an attack, perform forensics, notify customers of a breach or provide credit monitoring services.

Financial firms are typically in large cities, some often near coasts (NYC, Hong Kong, London, Amsterdam) or, in the case of Silicon Valley, in a region prone to quakes (or, to take another example, Japan). How much, realistically, can financial firms take certain risks into account?

Financial firms should plan for the risk that their building, critical staff, systems and third parties are not available in a disaster event. Firms should plan for the disaster - whether it’s a fire, flood, earthquake, chemical spill or cyber-attack - to impact their business at the worst possible moment. 

How important is education about risk and what is being done and what do you think needs to be done in this area?

Education about risk management is so critical that ISACA, a global IT audit, control and security organization, prepares and certifies professionals in this domain. The Certified in Risk and Information Systems Control (CRISC) certification is rapidly becoming one of the fastest-growing certifications obtained by risk management professionals.

Emergency planning: what sort of steps should business owners, employees/other consider and have discussed? For example, even simple steps such as ensuring certain people are given specific tasks (first aiders, fire officers, etc) and ensuring there is a convenient and easy-to-find list of people's cellphone numbers, etc?

Business owners should develop plans to recover from disaster events and continue operations as quickly as possible. When the power goes out, this is the worst time to think about trying to access your vital records that have never been scanned in or are stored only on servers onsite. Vital records include customer lists, vendor contacts, contracts, business license, bank account information, tax information and more.

To mitigate this risk, many companies are building resilience into their systems and moving them into the cloud. They are also storing their vital records in a cloud-based document management system.

Firms should conduct a business impact analysis to identify critical business functions, recovery time objectives, recovery point objectives, vital records and other areas. They should develop recovery strategies and create business continuity plans, disaster recovery plans and crisis communications plans. 
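The answers above describe the failure mode of a continuity plan kept only on a drive that later failed, and a business impact analysis that sets a recovery point objective (RPO) per vital record. The following script, an added example that is not from the interview or from Laserfiche, checks a constructed backup log against a hypothetical BIA table: for each vital record it reports when no successful off-site copy exists, or when the newest off-site copy is older than the record's RPO.

```python
from datetime import datetime, timedelta

# Constructed sample backup log (not from the interview or Laserfiche):
# one line per backup job: timestamp, vital record set, location, result.
BACKUP_LOG = """\
2017-11-03T01:00:00 bcp_plan onsite-nas OK
2017-11-06T02:00:00 client_records onsite-nas OK
2017-11-06T02:10:00 client_records cloud OK
2017-11-07T02:00:00 client_records onsite-nas OK
2017-11-07T02:10:00 client_records cloud FAILED
2017-11-08T02:00:00 client_records onsite-nas OK
"""

# Hypothetical business impact analysis output: RPO per vital record, in hours.
RPO_HOURS = {"client_records": 24, "bcp_plan": 24 * 7}

OFFSITE = {"cloud"}  # locations that survive the loss of the office itself


def parse_log(text):
    """Return {record: {location: time of latest successful backup}}."""
    latest = {}
    for line in text.splitlines():
        stamp, record, location, result = line.split()
        if result != "OK":
            continue  # a failed job leaves no usable copy behind
        when = datetime.fromisoformat(stamp)
        locs = latest.setdefault(record, {})
        if location not in locs or when > locs[location]:
            locs[location] = when
    return latest


def check_rpo(text, now, rpo_hours=RPO_HOURS, offsite=OFFSITE):
    """Return (record, finding) pairs; empty means every vital record
    has an off-site copy that is newer than its RPO."""
    latest = parse_log(text)
    findings = []
    for record, hours in rpo_hours.items():
        copies = {loc: t for loc, t in latest.get(record, {}).items()
                  if loc in offsite}
        if not copies:
            findings.append((record, "no successful off-site copy"))
            continue
        age = now - max(copies.values())
        if age > timedelta(hours=hours):
            findings.append((record, "off-site copy is %dh old, RPO is %dh"
                             % (age.total_seconds() // 3600, hours)))
    return findings


def run_check(now_iso="2017-11-08T09:00:00"):
    """Evaluate the sample log as of a given point in time."""
    return check_rpo(BACKUP_LOG, datetime.fromisoformat(now_iso))
```

On the sample log, the client records have a current on-site copy but their last successful cloud copy is more than two days old, and the continuity plan has never been copied off-site at all.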
  
Should firms’ recruitment policies reflect a need to hire people who have skills and aptitudes in these areas?

Firms can hire security and compliance staff or contractors who have business continuity and disaster recovery planning experience. For example, individuals holding a Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) certification - both offered by ISACA - are tested on business continuity areas.

What innovations and developments in the insurance space are there that should be mentioned? Are there particular causes of concern in terms of lack of coverage/products?

Firms should check for coverage gaps in their insurance. Businesses may be surprised to find that they do not have flood insurance, as private insurers often do not include this coverage. If businesses are covered by federal flood insurance, they should be prepared for it to cover only a fraction of the losses. Often, there is no coverage for having the doors closed for a period of time and incurring revenue loss. 

You should also look at your business insurance to see whether it covers cybersecurity, and which specific areas. 

More on Thomas Phelps

Phelps has co-authored or contributed to five books, including Risks of Customer Relationship Management - a joint publication by PwC and ISACA - and Telecommunications Cost Management, published by CRC Press. He is a Past President of ISACA Los Angeles and is on the International 50th Anniversary Advisory Panel. He is on the Executive Board for UCLA IS Associates and serves as the Co-President of Ascend Los Angeles. 

He also chairs Certified in Risk and Information Systems Control (CRISC) certification for ISACA Los Angeles, and has instructed the Certified Information Systems Auditor (CISA) Review Course for over 10 years. Among other roles, Phelps guest lectures at USC and CSU-Long Beach on security, data analytics and marketing.
