By Ash Bhatnagar, CFP®
Disaster recovery is an important compliance regulation that is little understood by many advisers, and yet having a solid disaster recovery plan with reliable data backup can make or break your business.
Statistically, 40 percent of businesses never re-open after a disaster, and 60 percent of businesses confronted by a major disaster close within two years.1 Additionally, 77 percent of businesses that test their internal backups regularly find they are unable to fully recover their data.2 With these types of statistics, disaster recovery is a business-critical issue that needs competent solutions.
Many advisers face challenges with disaster recovery, including knowledge, time, cost and resources. In large firms, the chief compliance officer normally assigns the critical task of disaster recovery to the technology department. In small firms, the adviser usually depends on a local technology company to create and install a plan.
Today, there are many solutions available to help you meet your disaster recovery needs, and you do not need to be a tech genius to have a good disaster recovery system.
A good disaster recovery system is synonymous with reliable data backup. Backup solutions can be categorized into four main types:
- Tape or CD drive
- Network drive
- Network area storage
- Third-party backup solutions
Unless you have a very good internal tech person, CD or tape drives are not a good option, because recovering data from a CD or tape may take hours, and you'll need to know how to recover the data.
Using a Network Drive
A one terabyte (TB) network drive can be purchased for less than $120 from Office Depot, Staples or other office supply retailers. This is more memory than most advisers will need for a long time. While the features on these drives have improved tremendously, and the external network drive solution works, I have seen advisers lose a lot of data, mainly because they did not have a good backup process in place.
So how do you create a backup system with a network drive? The backup process can be easily automated. If you purchase two drives, place one in your office and one in your home that will act as a remote backup drive.
Use software like GoodSync.com to backup your information to your home. GoodSync offers an intuitive interface to setup your backup process. It's a simple, automated solution that costs less than $300.
The risk to a solution like this is that if any of the drives fail, you will need to run to the store fast, and you may need some tech knowledge to make the process work again. To mitigate this risk, you may want to purchase a third drive as an in-office backup. This way you have onsite and offsite backup that is completely automated for less than $500. Also, these drives are fairly small, so lock them in a secure place like a closed to limit access.
Alternative to Using a Server
Although the external hard dive solution works, some advisers opt to purchase a server. However, if you do not need a server, do not get one. How do you know if you need a server? Unfortunately, you will need some tech help to figure it out, but use some of the options here to perform your due diligence on the vendors.
There are many solutions in the marketplace that allow you to opt out of a server. Remember, you will be responsible for managing the server or spending a lot of labor dollars having it managed. So, what is an alternative?
Consider network area storage (NAS) that is specifically made for small business home offices (SOHO). This solution is similar to the network drive solution, but much more sophisticated, easy to install and built as a one-box solution.
NAS systems are built as an external hard drive that automatically backs up internally. NAS systems normally come with two to four drives that are constantly backing each other up. If one drive fails, the system will send you a message, and you can replace it yourself. There's no need to hire a tech person. Once replaced, the system will automatically start backing up again.
Many of these systems also have an auto sync feature. You can place another unit at your home or remote location and the two units will sync with each other continuously.
Lastly, you can setup the NAS so you can access your files from the Internet. You may need a little help with the sync and Internet features, but once they're set up, they work very well.
While Netgear is a leader in NAS systems, the cost can be high. An alternative could be Synology, which offers a lot of the same features at a fraction of the cost. Do your own research online using the search words "SOHO" and "NAS," and you'll find several product reviews. Whatever you choose, avoid "RAID zero," which refers to the level of RAID (redundant array of independent disks), and level zero means there is absolutely no backup. To understand more about RAID, go to www.wikipedia.org or www.riaico.com.
Using Third-party Backups
Another solution that is good for most advisers is third-party backups. Although these backup vendors have many claims, it is imperative that a procedure be in place to test these solutions on a monthly basis. I have spoken to many firms that used very reputable third-party backup services only to find out that the backups had not worked for months. Of course, they only found out after they lost their data and tried to recover it from the vendor.
To backup a single PC, you can use a service like Carbonite, which charges a single fee for unlimited space. To backup your server, a leader is Mozy, but they charge by the space you use. One trick I have found is that if you have a small business server, you can use Carbonite, because the server software is built on Vista. Carbonite cannot tell the difference between PC Vista and Server Vista versions. This oversight by Carbonite could save you a lot of money.
If you are backing up your PC using Carbonite, I would suggest getting the largest internal hard drive you can. You can go up to 1.5 TB now, and Carbonite will charge the same fee no matter the size of the drive.
You should test the backup every month as a part of your overall compliance review process, especially with external backup vendors. The test can be something as simple as recovering a file from the backup source. Do not wait until something goes wrong to learn how to recover your data; practice it a few times.
Every adviser's needs are different, so whichever solution you choose, discuss all your options with your tech vendor first.
Notes of Caution
The one, very fatal comment I have been hearing lately is, "Most of my stuff is Web based and managed by my vendor." Although it is true that the vendor is Web based, the vendor is a technology provider and does not fall under SEC requirements. It is the adviser's responsibility to ensure that the vendor has an acceptable disaster recovery and Regulation S-P plan in place. You should have the vendor's plan for disaster recovery and client privacy policy on file, and you should review it annually.
Also, after recently listening to some regulators, it is clear that they are reviewing Hurricane Katrina as the model for disaster. I've realized that although advisers affected by Katrina had backup, they had no method to recover or run their software. Their computers were under water. In researching this, I discovered that this is a gap for one-office advisory practices. I'm now working on a product that not only backs up the data, but takes a mirror image of the software. This way, an adviser can access data and run his or her software from any Internet connection. Contact me via e-mail if you'd like to get involved in the beta testing.
Backing Up Telephone Systems
Very few advisers think about their telephone systems when they develop a disaster recovery program. Remember, you have the client's most sensitive information, and the last thing clients should fear is how to get in touch with you. Here are some scenarios to think about:
- If the phone system is installed in the basement of a building, what will happen to the phone system during a flood or a water pipe break?
- If the power goes out, do you have battery backup?
- Can you forward calls from a remote location?
- If the phone system stops working, what happens to the calls?
Do not get caught in a situation where clients call your office and get a busy signal or hear a strange voice in the voicemail system. Just imagine the shock to your clients!
One solution is to purchase a backup voicemail box on your main number from your telephone carrier. If, for some reason, your phone system does not pickup, the carrier's mailbox will. Then, as a compliance officer, you should test the backup voicemail box at least semi-annually.
Ash Bhatnagar, CFP®, is president of RIA Independence Co., a provider of turnkey integrated products and solutions to independent RIAs and consultant for firms in the areas of technology infrastructure review, compliance review and vendor review. Contact him at ash@riaico.com.
Endnotes
1 Disaster Recovery Decision Making for Small Business, Darrell Zahorsky
2 Storage Magazine
