The SEC takes the position that an adviser’s fiduciary obligation to its clients includes the obligation to its clients’ interests from being placed at risk as a result of the adviser’s inability to provide advisory services after a disaster, death of a key personnel or other interruption of business. Recordkeeping Rule 204-2(g)(3) (“the Rule”) requires advisers that maintain records in electronic formats to establish and maintain procedures to safeguard the records from destruction or loss.
The Business Continuity Plan (“the Plan”) for Gainy, Inc. (referred to herein as “Gainy.” and/or “Firm”) addresses the elements set forth in the Rule. The Rule requires that a Firm’s business continuity plan, at a minimum, address 10 critical elements, those are:
1. Data back-up and recovery;
2. All mission critical systems;
3. Financial and operational assessments;
4. Alternate communications between customers and the Firm;
5. Alternate communications between the Firm and its employees;
6. Alternate physical location of employees;
7. Critical business constituents, banks, and counter-party impact;
8. Regulatory reporting;
9. Communications with regulators; and
10. How the Firm will assure customers’ prompt access to their funds and securities in the event that the Firm determines that it is unable to continue its business.
The policy of the Firm is to respond to a Significant Business Disruption (“SBD”) by safeguarding employees’ lives and Firm property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all of the Firm’s books and records, and to the extent practicable, allowing customers to transact business as soon as possible following a SBD. In the event that the Firm determines that it is unable to continue its business, the Firm will take steps to assure customers prompt access to their investments. Borys Dus, CEO is responsible for effecting this Business Continuity plan in the event of an emergency or natural disaster.
SIGNIFICANT BUSINESS DISRUPTIONS (‘SBD’)
The Plan anticipates two kinds of SBDs, internal and external. Internal SBDs affect only the ability of the Firm to communicate and do business, such as a fire in its building. External SBDs prevent the operation of the securities markets or a number of Firms. External SBDs would include such things as a terrorist attack, a pandemic, a city flood, or a wide-scale, regional disruption. The response of the Firm to an external SBD relies more heavily on other organizations and systems.
APPROVAL AND EXECUTION AUTHORITY
Members of the Disaster Recovery Team review the Business Continuity plan at least annually, updating the information set forth in the plan to accommodate changes in the Firm’s business model, operations, and/or key personnel, among other things. Each year, the Disaster Recovery Team may conduct other tests to evaluate the efficacy of the business continuity plan. The results of these tests are recorded, reviewed, and maintained by the Disaster Recovery Team, and any findings associated with the assessment are submitted to the CEO/CCO for review.
PLAN LOCATION AND ACCESS
Gainy will maintain copies of the Plan and the periodic reviews, and the changes that have been made to it. The Firm will make such records available for inspection by the SEC and/or various state regulators.
UPDATES AND ANNUAL REVIEW
Gainy will update the Plan whenever there is a material change in the operations, structure, business or location of the Firm or its affiliates. In addition, Gainy’s Disaster Recovery Team will review this Plan periodically to modify it for any changes in the operations, structure, business or location of the Firm or its affiliates. Gainy’s Disaster Recovery Team tests and reviews Gainy’s Business Continuity Plan at least annually.
Executive Management is aware of the potentially devastating financial, organizational, and political consequences of the failure of one or more mission-critical information systems. The two emergency contact persons for the Firm are: Boris Dus CHIEF EXECUTIVE OFFICER Office Phone: (650) 636-6395Email: [email protected]
Mike Stukalo CHIEF COMPLIANCE OFFICER Email: [email protected]
Gainy, Inc.. is registered as an investment adviser with the US Securities and Exchange Commission and notice filed in the appropriate states. Services include investment analysis, allocation of investments, security selection, subscription services, and ongoing monitoring of portfolios.
Gainy, Inc.. has one main address: 75 Broadway, Suite 202 San Francisco, California 94111. However, all of Gainy’s employees work remotely.
CUSTOMERS’ ACCESS TO FUNDS AND SECURITIES
Gainy, Inc.. does not maintain physical possession of customers’ funds and securities. Both customer funds and securities are maintained by a qualified custodian. In the event of an internal or external SBD, if customers of Gainy, Inc. are unable to access the Firm, either via internet, phone or mobile app, customers will be able to contact the custodian directly for instructions on how they may obtain prompt access to funds and securities, subject, however, to any limitations set forth previously by the custodian.
DATA BACK-UP AND RECOVERY
Gainy, Inc.. maintains its electronic books and records on AWS RDS cloud storage. Mikhail Astashkevich, the Lead Backend Engineer, is responsible for the maintenance of these books and records.
BACK UP PROCEDURES
Gainy, Inc. books and records are automatically backed up daily, and the backup copies are stored on AWS RDS cloud servers. The backup copies of the databases are stored for one week before being overwritten by new backup copies.
MISSION CRITICAL SYSTEMS
The cloud-based databases are critical for the functionality of the advisory business. Although we make daily backups, a corrupted database can lead to a significant downtime while the data is being restored. Any interruptions in the functionality of the AWS cloud business may potentially adversely affect the functionality of Gainy, Inc. software and applications.
The Firm will maintain a list of all equipment, hardware and software, used by the Firm. The list shall provide identifying information for the item, including the serial number, the manufacturer and registration number as applicable.
If the Company’s computer system is deemed unusable for any reason, the Firm will procure another system at that time. Time constraints for the purchase, delivery and installation of a computer system will depend on a number of outside factors such as the retailer, delivery services, and the consultant hired to install the system, but its is expected that the Firm will only be without a computer for a maximum of two business days.
FINANCIAL AND OPERATIONAL ASSESSMENTS
Operational Risk: In the event of a SBD, the Firm will immediately identify what means will permit the Firm to communicate with its customers, employees, critical vendors and regulators. Although the effects of a SBD will determine the means of alternative communication, the options will generally include email and feedback forms in Gainy iPhone application.If a client needs immediate access to his/her account and for any reason cannot contact the Firm, the client may contact the custodian directly.
Other methods of client contact:
Feedback form in Gainy iPhone App
Financial Credit Risk: In the event of a SBD, Gainy will determine if the business interruption causes the company to interrupt its operations to the point that the alternative measures cannot be implemented, and if so, the Firm’s customers will be referred to the Custodian.
ALTERNATE COMMUNICATIONS BETWEEN CUSTOMERS AND THE FIRM
See Operational Risk
ALTERNATE COMMUNICATIONS BETWEEN THE FIRM AND ITS EMPLOYEES
See Operational Risk
ALTERNATE PHYSICAL LOCATION OF EMPLOYEES
All Gainy’s employees currently work remotely.
CRITICAL BUSINESS CONSTITUENTS, BANKS, AND COUNTER-PARTY IMPACT
The Firm will contact its critical business constituents (businesses which have an ongoing commercial relationship in support of the Firm’s operating activities, such as vendors providing us critical services and issuers/product sponsors) and determined the extent to which it can continue its business relationship in light of an internal or external SBD. The Firm will quickly establish alternative arrangements if a business constituent can no longer provide the needed goods or services when required. See appendix A for a current list of critical vendors.
The Firm is subject to regulation by the SEC and various state securities regulators. The Firm files reports with its regulators electronically. In the event of an SBD, the Firm will check with the SEC and other regulators to determine which means of filing are still available to the Firm and use the means closest in speed and form (written or oral) to previous filing methods.
If it cannot contact its regulators, the Firm will continue to file required reports using the communication means available.In addition to any action taken by the Firm with respect to disruption of its business processes which relate to the ability of Gainy, Inc. to deliver financial services to its customers, Gainy, Inc.. will promptly notify the appropriate regulators of any such problems
In the event the CCO of Gainy, Inc. is no longer able to serve in this position, the advisory accounts will be overseen by the CEO until such time as the CCO can be replaced. In the event the CEO of Gainy, Inc. is no longer able to serve in this position, the investment board appoints an interim CEO. Gainy, Inc. will inform the current clients of the change in the investment oversight within a week following a CCO replacement or the appointment of an interim CEO.
IT Disaster Recovery Plan
The purpose of this Disaster Recovery Policy is to ensure the continuity and recovery of Gainy, Inc.’s Critical Information Systems in the event of an emergency or disaster.
2. Scope and Applicability
This policy applies to all Gainy Information Systems and Information Resources. All Users are responsible for adhering to this policy.
Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.
1. Business Continuity: an ongoing process to ensure that necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services.
2.Confidential Data: Data that requires restrictions on access and disclosure, including the protection of personal privacy and proprietary information.
3. Contractor: A person or company that undertakes a contract to provide materials or labor to provide a service.
4. Critical Information Systems: Inter-related components of Information Resources working together where the loss of confidentiality, integrity, availability, or privacy could be expected to have a severe or catastrophic adverse effect on organization operations, organization assets, or individuals.
4. Disaster Recovery: The ability to restore the Gainy's critical systems and return the entity to an acceptable operating condition following a catastrophic event, by activating a disaster recovery plan. Disaster Recovery is a subset of business continuity planning
5. Disaster Recovery Plan (DRP): A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.
6. File: A collection of Information logically grouped into a single entity and referenced by a unique name, such as file name.
7. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numeric, graphic, cartographic, narrative, or audiovisual.
8. Information Resource: Anything that is intended to generate, store, or transmit Information.
9. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by Gainy directly or by a third party under a contract with Gainy which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and Gainy’s network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
10. Users: A client of Gainy or employee including third party vendors, Contractors, consultants, volunteers and other individuals who may have a need to access, use or control Gainy Data.
Disaster Recovery Plan
1. A Disaster Recovery Plan must be developed and implemented for centralized Information Technology Resources to ensure sufficient response and remediation of critical IT functions in the event of an unscheduled interruption.
2. At a minimum the plan should identify and protect against risks to Critical Information Systems and Confidential Data and provide for contingencies to restore Information and Information Resources in the event of a disaster, and include:
1. Resource Contact List
2. Succession plan
3. Restoration Priority List
4. Description of current back-up and restoration procedures
5. Description of the back-up storage location(s) and services
6. Equipment replacement plan
7. Communications plan
3. The Disaster Recovery Plan must be updated and tested annually or when new Critical Information Systems are installed, if technically feasible.
5. Backup and Restore
1. Critical Information Systems shall be periodically backed up and copies maintained at reasonably distant locations not prone to similar catastrophic events.
2. Backup and restore requirements for Critical Information Systems shall be defined to include:
1. Data and Files to be backed up
2. Recovery Time Objective (RTO) – the length of time by which the system must be returned to an acceptable level of service
3. Recovery Point Objective (RPO) – the point in time to which processing has to be returned
4. Retention period for backup media
3. All back-up media containing Confidential Data must be encrypted.
Exceptions to this policy should be submitted to the Chief Compliance Officer for review and approval. If an exception is requested a compensating control should be documented and approved.
Gainy, Inc. employees who violate this Policy may be subject to disciplinary action, up to and including termination of employment.