Cybersecurity Considerations in the COVID-19 Era
The COVID-19 Coronavirus has created unexpected and unique challenges for financial industry participants. Employee illness, unpredictable financial markets and client fears are just a few of the new issues that have had an impact on investment advisors, broker-dealers and their personnel. Many companies in our industry have reacted quickly to implement business continuity plans and have restored operations in the “new normal” style. With shelter-in-place orders in effect across the country, financial professionals are increasingly required to work remotely full-time. That step, designed to prevent the transmission of COVID-19, brings a familiar issue back to the forefront for regulated firms: cybersecurity.
Remote work arrangements may be advisable, but also inadvertently raise the likelihood of cyber-incidents, data loss and other malicious activity, and the corresponding regulatory issues, financial damage and liability exposure. Financial industry participants should be mindful of the heightened risks and some of the practical steps to mitigate those risks.
In this month’s Legal Risk Management Tip, we will discuss the current environment as it relates to cybersecurity and provide risk management tips that may be useful to assess and improve cyber-protections at financial industry firms.
Increased Electronic Vulnerability, Cybercrime Spikes
The current unprecedented level of electronic traffic generated by new the work-from-home model creates certain increased exposure for investment advisers and broker-dealers to data breaches and other cybercrime. As employees are ushered away from the protections of a company’s traditional (hopefully robust) cybersecurity measures toward their home networks, online activity, including the transmission of any sensitive client and firm information, is more susceptible to phishing, viruses, malware, and other security breaches.
Most employee’s home networks are less secure than that of a financial firm’s office. Coupled with the increase in transmission of information over those networks, bad actors have been quick to try and exploit these new vulnerabilities. The FBI reports a 300% increase in cyberattacks since the start of the COVID-19 pandemic. In addition, phishing attempts were reportedly up 600% in March compared to February.
The rise in videoconferencing has been a particular focus of online attacks. The so-called “Zoombombing,” where an unauthorized person or group of people joins a videoconference and harasses the attendees, has become increasingly prevalent over the last month. While these attacks have mostly ranged from pranks to discriminatory and intolerant verbal assaults, any underlying weakness in the technology is ripe for more serious privacy and data breaches, especially in the event that client or other sensitive information is disseminated in video meetings.
Business meetings are not the only day-to-day operations being disrupted by these cyberattacks. Wire transfers are particularly susceptible to fraud during this time. In particular, the FBI has warned about a rise in Business Email Compromise scams, where the fraudster impersonates a company the victim normally conducts business with and then induces payment to a new account. In addition, a firm’s processes relating to the verification of a client’s identity in order to proceed with a request to transfer client funds are more important than ever before.
Risk Management Tips to Strengthen Your Cybersecurity
In light of the new COVID-19 business environment, which will remain for some period of time, investment advisers and broker-dealers should be revisiting and reviewing the effectiveness of their efforts to maintain a safe electronic environment and operations. Some suggested steps are below, and basic precautions can go a long way in protecting against cyberattack.
- Review cybersecurity policies and procedures to make sure they continue to be relevant in the COVID-19 environment and make necessary updates;
- Ensure a detailed understanding of your firm’s cybersecurity controls including, among other things: (1) password managers and steps for resetting passwords after lockouts; (2) multi-factor authentications; (3) time-out settings; (4) vendor and service provider inventories, access, and security; (5) client portal security; (6) data encryption processes; and, (7) red flag steps to ensure adequacy;
- Establish protocols for telecommuting and the use of personal devices for business purposes;
- Revisit your Business Continuity Plan (“BCP”) to ensure it is properly crafted and implemented. In particular, if necessary, examine whether the BCP should address long-term, nearly exclusive telework, VPN usage and performance and/or WiFi outages;
- Train personnel, including employees and independent contractors, regarding cybersecurity protections, including: (1) cybersecurity threats and identity-theft red flags; (2) protection controls in place, including encryption protocols and strong passwords; (3) device management policies; and (5) cyber-incident response procedures;
- Review and test your Incident Response Plan to confirm it remains up-to-date and appropriately designed to identify, contain, eradicate, and remediate any cybersecurity incidents that could affect your business.
For more information on these and other considerations relating to cybersecurity and COVID-19, please contact us at firstname.lastname@example.org or at (619) 298-2880. We are here to support you.
Authors: Robert D. Conca, Esq., Partner, and Conor M. Dale, Attorney, Jacko Law Group, PC (“JLG”). JLG works extensively with investment advisers, broker-dealers, investment companies, private equity and hedge funds, banks and corporate clients on securities and corporate counsel matters. For more information, please visit https://www.jackolg.com/.
The information contained in this article may contain information that is confidential and/or protected by the attorney-client privilege and attorney work product doctrine. This email is not intended for transmission to, or receipt by, any unauthorized persons. Inadvertent disclosure of the contents of this article to unintended recipients is not intended to and does not constitute a waiver of attorney-client privilege or attorney work product protections.
The Risk Management Tip is published solely based off the interests and relationship between the clients and friends of the Jacko Law Group P.C. ("JLG") and in no way be construed as legal advice. The opinions shared in the publication reflect those of the authors, and not necessarily the views of JLG. For more specific information or recent industry developments or particular situations, you should seek legal opinion or counsel.
You hereby are notified that any review, dissemination or copying of this message and its attachments, if any, is strictly prohibited. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions.
 For additional information regarding business continuity plans, see recent JLG Legal Risk Management Tip from March 2020, available at: https://www.jackolg.com/tip-Immediate-Impacts-COVID-19-Investment-Adviser-Compliance-Programs-MJACKO.
 As of April 20, 2020, 46 states plus the District of Columbia have issued some form of Shelter-In-Place order; see https://www.finra.org/rules-guidance/key-topics/covid-19/shelter-in-place.
 In addition to cybersecurity concerns, investment fraud has also been on the rise in correlation with the pandemic. Numerous states have issued warnings to investors of these schemes, including California and New York.
 https://www.infosecurity-magazine.com/news/cyberattacks-up-37-over-past-month/. Note also that part of this spike can be attributed to the increase in children using home networks due to school closures; if a hacker can penetrate the child’s device, the whole network, including the parents’ work devices, may be exposed.
 See discussion of this topic in the SEC’s Risk Alert: Observations from Cybersecurity Examinations, available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.
 The SEC’s 2015 guidance on Cybersecurity is instructive; see https://www.sec.gov/investment/im-guidance-2015-02.pdf.
 The U.S. Department of Homeland Security’s Cyber-Infrastructure and Security Agency (“CISA”) recently issued guidance about mitigation of potential vulnerabilities in your VPN. Included among the suggestions are keeping software on all devices up to date, evaluating the strength of employee passwords, employee training about potential phishing attempts, and increasing efforts of IT security personnel. See https://www.us-cert.gov/ncas/alerts/aa20-073a.