LAST UPDATED: June 1, 2023
1.1 Introduction
iCapital Network (“the company”) has created a Business Continuity (BC) program. The program consists of Business Continuity policy, plans and procedures as well as a dedicated employee, the Head of Business Resiliency and Physical Security, responsible for its management. The BC program is a part of a larger Incident Management program that addresses incident response and other adverse events from inception to recovery. Compliance related aspects of the program are overseen by a principal of the company as described within the company’s written statutory procedures.
Per FINRA Rule 4370(e), “Each member must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. At a minimum, such disclosure must be made in writing to customers at account opening, posted on the member’s Web site (if the member maintains a Web site), and mailed to customers upon request.”
The company maintains a master Business Continuity Plan (BCP) that addresses the business continuity plans and emergency contact information requirements listed in Rule 4370.
1.2 Program Objectives
The objective of the BC program is to define the appropriate course of action required to respond to business disruptions impacting critical business functions, regulatory and legal requirements, and the life and safety of personnel. The plan outlines the critical processes that need to be followed, individuals key to implementing the detailed processes and guidance on how to resume once the disruption is over or has been mitigated. In addition to outlining a response process, the program also allows for the execution of post-mortem activities once business has resumed. Post-mortem procedures must be implemented post-disruption and “lessons learned” are incorporated into future versions of the plan and program.
1.3 Assumptions
Given the nature of our business, the BCP is based on the following operating assumptions of the business:
- Both platform functionality and supporting business operations are 100% reliant on cloud infrastructure
- Connectivity to the cloud is key to all BCP planning. Without internet access, the business would not be able to perform its core functions and supporting operations
The company’s plan anticipates two kinds of significant business disruptions (SBDs), internal and external. Internal SBDs only impact the company’s ability to communicate and do business, such as a fire in our building. External SBDs impact the ability of the company and many other firms and companies in the industry to communicate and conduct transactional business. Examples include terrorist attacks, a city flood, pandemic or a wide-scale, regional disruption.
1.4 Program Priorities
BC program priorities help drive the order of operations during planning activities and incident response. These priorities can be initiated simultaneously, but effort should be applied toward the highest priority and transitioned to the next as each is satisfied. Once a priority is satisfied and effort shifts to other priorities, a residual effort should be applied to maintain the state of the satisfied priority. The program’s priorities are:
- Priority I: Protection of Human Life
- Priority II: Protection of Business Assets
- Priority III: Maintenance or Rapid Restoration of Critical Business Operations
- Priority IV: Assessment of Damages
- Priority V: Restoration of General Business Operations
1.5 Office Locations and Alternative Work Sites
The company is headquartered in New York City, NY and has several other offices located within the United States (Princeton, NJ; Greenwich, CT; Boston, MA; Birmingham, AL; and Boca Raton, FL). Both the headquarters and other offices are easily accessible to employees by both public and private transportation. In the event of an SBD that impacts one or more of the offices, employees based in the impacted offices will be instructed to work remotely at their residences. The company has implemented a mass communication service called Everbridge. Everbridge has the capability of reaching employees by text, phone and/or email. In the event of a network outage, remote work from home notifications will be sent out through Everbridge.
All employees, on their hire date, are issued company-owned and managed laptops (i.e., endpoints). Endpoint management and connectivity are managed centrally in the cloud (not at the New York City office). SBDs impacting the New York City office will not impact either New York City or other office-based employees’ connectivity to both company-owned and managed Amazon Web Services (AWS) and Azure cloud resources while working from home. Employees are instructed to use their personal cell phones to contact other employees and teammates. Computer-based audio calls are also possible through Microsoft Teams.
The company does not maintain custody of clients’ funds or securities. In the event of an internal or external SBD, company employees will have the ability to communicate with clients through multiple avenues, such as personal cell phone, company email, and Microsoft Teams. If phone service is available, our registered persons will be able to respond to client questions or inquiries and facilitate instructions on behalf of the client via cell phones. In addition, all our registered persons will have mobile phones to facilitate staying in contact with clients and issuers. If web access is available, our registered persons, using either personal computers or mobile phones, will contact their clients to answer client inquiries, provide instructions and effectuate transactions.
1.6 Data Backup and Recovery (Hard Copy and Electronic)
The company does not maintain or utilize physical, on-premises servers and storage devices. All company electronic files are stored in the Microsoft Office 365 (Azure) cloud file service and Amazon Web Services (AWS).
The company maintains the following client document types, all of which will be available to investors online through the secure, password protected iCapital Platform, hosted on AWS:
- Private Placement Questionnaires, due diligence files, Offering Memoranda, and compliance related items
- Client Personally Identifiable Information
- Broker Dealer business formation documents
- Broker Dealer compliance related documents
- Broker Dealer financial related documents
- Network and Incident Management Policies
The company backs up its electronic records stored on the Microsoft Office 365 (Azure) cloud service within its tenant, globally. All data maintained by the iCapital Platform is maintained in an AWS US East region facility. This data is backed up to an alternate physical location in the AWS US West region on a real-time basis. Cross-region database replication is accomplished at the transaction level. The application does not commit changes to both places – the primary database in US-East replicates to US-West, which provides near-zero RPO. In addition to the replication, full database snapshots are taken nightly and stored in both US-East and US-West regions. Unstructured data (i.e., documents) stored in AWS S3 buckets is also replicated between AWS US-East and AWS US-West sites on a real-time basis, similar to the database replication.
By adopting a 100% Cloud-based solution for the storage and maintenance of the company’s electronic records, loss of this data is minimized. The network infrastructure that hosts our production software application serves as the foundation for all client and staff access to our software and the underlying data.
The Company has chosen well-established vendors to partner with in the delivery of our core application software and data. Our primary partners are:
- Amazon Web Services – Application hosting and secure document storage
- DocuSign / Adobesign – Digital Signature and secure document storage
- Microsoft Azure – Internal document hosting, active directory services and document storage
Microsoft Office 365 (Azure) operates with a Recovery Point Objective (RPO) design target of zero, meaning all stored data is synchronized across multiple, physically distinct, data centers 3 times. Further, the Microsoft Office 365 cloud service Recovery Time Objective (RTO) is designed to achieve instant failover; 99.9% highly available Microsoft Office 365 Cloud PC user sessions as defined in the Windows 365 SLA; Disk storage with data object resiliency of 119s; Automated in-zone disaster recovery for compute. The business has defined an acceptable 10-minute RTO with a zero-minute RPO for recovery.
In the event of an external SBD that results in the loss of data stored within the iCapital Platform, recovery is possible from our read replica database, at AWS Region: US East – Virginia, where near-real-time writes from production are made. In the event of an external SBD that renders the AWS Region: US East – Virginia hosting the iCapital Platform inaccessible, we will restore platform services in an alternate region, AWS Region: US West – Oregon, using data restored from our alternate site backup if replica promotion fails or has been corrupted at AWS Region: US East – Virginia. The business has defined an acceptable two-hour RTO with a zero-minute RPO for recovery.
1.7 Operational, Financial and Credit Risks
The company assesses its capital, ability to fund operations, and financing activities monthly with the Chief Financial Officer (CFO). This enables the company to quickly rectify any potential exposures in connection with an SBD (FINRA Rule 4370(g)(2)).
In the event of an SBD, the company will immediately identify what means will permit it to communicate with clients, employees, critical business constituents, critical banks, insurance carriers and regulators. Although the effects of an SBD will determine the means of alternative communication, the communications options employed will include direct telephone communication, voice mail, secure e-mail, the platform’s secure website, and fax. In addition, the company will retrieve key activity records through the cross-region backups.
The company will determine the value and liquidity of its assets to evaluate the ability to continue to fund our operations and remain in capital compliance. The company will contact our critical banks and investors to apprise them of financial status. If it is determined that the company may not be able to meet its obligations to fund operations, the company will request additional financing from its bank, investors, and other credit sources to fulfill its obligations to our clients. If the company cannot remedy a capital deficiency, it will file appropriate notices with regulators and immediately take appropriate steps.
1.8 Mission Critical Systems
The company’s “mission critical systems” are those systems that are necessary to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
The company’s primary responsibility is to establish and maintain the business relationships with its clients, and it has sole responsibility for the mission critical functions of maintaining client communication and enabling the clients to effectuate transactions when necessary. The mission critical systems of the company’s issuers are the maintenance of client accounts, access to client accounts, and the delivery of funds when applicable.
The company’s issuer clients maintain their own business continuity plans and have the capacity to execute those plans. Once a private placement via a private access fund is completed, the company will provide administration services for the private access fund in conjunction with third-party service providers. These services will include administration of capital calls and distributions and preparation of K-1 forms. The company outsources the processing of capital calls and distributions to Gen II Fund Services, State Street, Bank of New York and FD Admin, well-established fund administration firms. The company also uses leading global accounting firms, KPMG, Deloitte, PWC and EY, to prepare K-1s for investors in the various access funds.
Order Taking (Investments into Private Placement Offerings): Currently, the company receives “orders” via telephone, e-mail, online through our secure website, and/or in person visits with clients. During an internal or external SBD, the company will continue to assist investors through any of these methods that are available and reliable, and as communications permit, we will inform our investors of the available options to complete the process of investing in our private placement transactions. Clients will be informed of alternatives via telephone, e-mail, and our website, as applicable. The company does not have any order entry or order execution requirements and does not utilize the services of a clearing firm.
1.9 Alternate Communications
Clients: The company communicates with its clients through the secured website, telephone, e-mail, and/or in person visits at the investor client’s location, the fund issuer client’s location, or at a company office. In the event of an SBD, the company will assess which means of communication are still available and utilize the means closest in speed and form (written or oral) to the means that were previously used to communicate with the clients.
Employees: The company communicates with our employees via Microsoft Teams, e-mail, telephone, and in person. In the event of an SBD, the company will assess which means of communication are still available and utilize the means closest in speed and form (written or oral) to the means that we have previously used to communicate with our employees. Outside of normal communication, the company will use the Everbridge mass communication system. Everbridge has been integrated into the company’s Human Resources Information System (HRIS) to ensure employee contact information is continually refreshed and updated.
Regulators: The company is a member of FINRA and the SEC. The company communicates with the regulators through telephone, e-mail, fax, U.S. mail, overnight mail and in person. In the event of an SBD, the company will assess which means of communication are still available and use the means closest in speed and form (written or oral) to the means that have been used in the past.
Counterparties: The company monitors, on a quarterly basis, its relationships with business constituents, banks, key third-party vendors, and potential counterparties. The monitoring will enable the company to evaluate the strategic importance of each party and to identify any changes that may be necessary to decrease the impact of an SBD.
Business Constituents: The company has assessed its critical business constituents (i.e., vendors providing critical services) and determined the extent to which it can continue conducting business considering the impact of an internal or external SBD. The company will quickly establish alternative arrangements if a business constituent can no longer provide the needed services critical to the operations of the company.
1.10 Administration
The company’s BC program calls for the creation of the Incident Response Team (IRT). All members of the Incident Response Team are made aware of their responsibilities under the policy. In addition, all IRT members must make reasonable efforts to ensure that their direct reports and other employees based in the office are familiar with this plan. The Head of Business Resiliency and Physical Security is responsible for ensuring that all members of the Incident Response Team receive training at least annually.
Established procedures of the program are tested at least once per year (one successful test) by members of the Incident Response Team. The company will update the plan whenever there is a material change to its operations, structure, business, or locations. If there are no major changes in its operations, structure, business, or locations, the BC plan will be reviewed annually.
iCapital will provide in writing a Business Continuity Plan disclosure statement to clients via our website, as well as on an annual basis. The company will also furnish the disclosure statement to clients upon request. The disclosure statement is available on the company website.