The nature of work is changing as the workforce attempts to adapt to working completely remote. For most broker-dealers and investment advisers that are working remote due to the COVID-19 pandemic and recent state issued stay-at-home orders, you’ve now become part of an actual working test of your business continuity plan and cybersecurity program all at once. And by now, many of you have discovered what works and what doesn’t. Time to stop and pivot. Welcome to remote work as the new normal— for now at least.
The COVID-19 pandemic has certainly disrupted routines for everyone, not the least of which is your normal day-to-day business activities. The massive scale of the outbreak and its sheer unpredictability have made it challenging for firms to continue to conduct their business remotely. However, by understanding the following risks associated with remote work, firms can better prepare themselves for meeting the regulatory challenges that lie ahead.
1. Treat your home office as your regular office
Although this may be difficult for some depending on your home set-up, your focus should be on establishing a dedicated space in which to work that is clean, secure, and separate from the rest of the house. Implement a “clean desk policy” similar to regular work policies so that you eliminate or at least reduce any firm/client related documents lying around your desk in plain view. You should also focus on physical safeguarding measures by being able to secure your home office and any file cabinets inside the office. Your home office should be separate enough from the rest of the house to provide some element of privacy for calls while reducing everyday interruptions and/or distractions around the house. Easier said than done, but it’s something to work toward for your security and peace of mind.
2. Review your business continuity & cybersecurity plans
In light of current events, you should revisit your firm’s business continuity and cybersecurity plans to ensure that your processes are properly aligned with your firm’s policies and procedures. If not, you may want to adjust them, or your processes, to the new normal. Even when firms are able to utilize remote working policies, they will need to prepare employees who are unaccustomed to remote working to navigate the challenges ahead. Firms that have prepared, implemented and tested “workable” contingency plans related to business continuity and cybersecurity events were likely ahead of most in terms of firm readiness. Also, firms that are experienced in working virtually and that have deployed certain collaboration technologies and infrastructure for remote working in the normal course of business will generally fair better in their ability to implement crisis management protocols and quickly adapt to unprecedented situations. For firms that rely on legacy systems and dated processes, the shift to remote work will come with significant obstacles. If your firm’s business continuity or cybersecurity plan doesn’t specifically address how to implement and continue to operate under a remote work plan, it’s time to address it.
3. Practice basic security measures
Nothing is full proof and no data is 100% secure, but there are certain basic security measures you can implement while working remote that will provide additional layers of security for better protection. Mobile security, VPN, and zero-trust network access are in high demand right now as firms rush to ensure that their employees can connect to their applications from wherever they are. While working remote, be sure to take inventory of personal vs. business equipment used for business purposes. There is a simple reason for this: personal equipment often lacks the level of security measures that firms install and implement for their business equipment. This makes using personal equipment especially susceptible to hackers especially in times of crisis. The following are simple steps you can take to limit your risk.
a. Enhance your authentication systems— Whether you’re using your phone/smartphone, computer or other external devices/drives (if permitted), it’s important to utilize some form reliable authentication system to open and operate your devices. Whether you decide to use a basic PIN, strong password or phrase or relay on biometric authentication such as fingerprint or facial recognition will largely depend on the device used and the data it contains. Regarding the use of passwords in general, some common sense goes a long way. For example, you should use strong passwords with at least eight characters of lowercase and uppercase letters, numbers and symbols; change your passwords periodically; make sure to use different passwords for different accounts; always log off when leaving your device; avoid entering passwords on computers you don’t control; and avoid entering passwords when using unsecured Wi-Fi connections.
b. Increase your personal security— Implement security measures on all devices used for business related purposes. For those of you using a work computer at home, most firms have installed anti-virus software and other security tools which add a layer of protection. If your firm provides access to a corporate Virtual Private Network (VPN), you can use it to access your firm’s network as it provides better protection by using an encrypted layered tunneling protocol where VPN users use authentication methods, including passwords or certificates to gain access to the VPN.
If you don’t have access to a corporate VPN, you can also try a personal VPN such as ExpressVPN, Norton Secure VPN, NordVPN or others, provided its permitted by your firm’s procedures and compliance dept. However, remain cautious as VPNs have limitations. They generally protect you during transit as you move from site to site, but it's up to you to stay safe and secure when you arrive at your destination site, and VPNs won’t protect you from phishing scams or other malicious software or applications. As recent as March 13th, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security’s cyber agency, issued an alert pointing to specific cyber vulnerabilities around working from home versus the office. CISA zeroed in on potential cyberattacks on virtual private networks (VPNs) which may make it easier to telecommute, but, according to CISA, they also open up a tempting way for hackers to get in.
If you're using your own computer and can't access your firm's internal network, at a minimum you will need to add protection by installing anti-virus software such as Microsoft Defender, Norton Security, McAfee Total Protection, Malwarebytes or others that scan for the latest virus, malware, spyware and ransomware attacks to defend yourself from hackers.
c. Update your software—make sure that applications running on your phone, laptop/desktop and their operations systems are updated and patched. Even routers need to be secured, though router makers often install these updates automatically. As recent as March 25th, in letters to Google, Netgear, Belkin and others, Sen. Mark Warner of Virginia urged vendors to help ensure that their wireless access points, routers, modems, mesh network systems, and related connectivity products remain secure and cannot be easily exploited to attack consumer systems and workplace networks.
d. Use two-factor authentication— consider two-factor authentication to provide added security when accessing sites that may contain sensitive or personally identifiable information (PII). Two-Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA), is a method of authorizing a login using two pieces of authentication. The two pieces are usually defined as something the user has, and something the user knows. Under basic log-in procedures where you enter your username and password, your password serves as your single factor authentication. However, 2FA adds a second level of authentication to your basic log-in procedure by requiring two out of three types of credentials before being able to access an account.
e. Avoid phishing scams— Phishing is a cybercrime in which a target is contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into revealing or providing sensitive data such as personally identifiable information (PII).
In light of current events, the National Cyber Security Centre (NCSC) recently issued a warning that criminals are looking to exploit the spread of coronavirus to conduct cyberattacks and hacking campaigns and evidence now points to an increase in overall hacking incidents and an increase in hacking threats that use terms like "coronavirus" or "COVID-19" to trick users into handing over sensitive information or installing malicious software. Everyone can fall prey to phishing scams so it’s important to remain vigilant and follow the ten basic guidelines to keep you safe from phishing scams.
4. Contact your third-party vendors
Most of us try to leverage technology to make our jobs more efficient and effective. However, you are only as secure and effective as the vendors who assist you with your critical business functions. Remain cautious as disruptions, outages and delays may occur which can ultimately affect your business and may potentially result in notifications to your clients. Whether you rely on vendors to assist with trading systems, research & data analysis, CRM, portfolio management, social media & email archiving, compliance, cybersecurity, legal, accounting or others, all aspects of your business are considered important in terms of your internal supply chain and should be treated equally important as your lifeline to seamless operations. Check with your vendors frequently regarding their operating levels and status during this crisis and make adjustments if necessary. In the event that you consider new third-party vendors to assist you with your business, make sure you perform thorough due diligence through the use of due diligence checklists for broker-dealers or investment advisers or other means in terms of determining core considerations (e.g. security, costs, functionality, ease of use, etc.) to ensure the right fit for your firm’s size, scope and operational function.
5. Contact your regulator regarding changes to your firm’s business
In the event your firm experiences a material change to its business due to remote work policies, firms may want to reach out to your regulator to communicate such changes. The different types of notifications will largely depend on whether you’re a broker-dealer, investment adviser or branch office of either type. For example, FINRA member broker-dealers may consider notifying their designated Risk Monitoring Analyst (previously referred to as Regulatory Coordinator) based on FINRA’s recent exam and risk monitoring program transformation to a Single Point of Accountability per member firm. SEC registered investment advisers may consider notifying their SEC regional office in addition to any Form ADV filing updates if needed, and state registered investment advisers may consider notifying their respective state regulatory agency in their home state in addition to any Form ADV filing updates if needed. Notifications may be triggered by potential delays in regulatory reporting deadlines or other compliance related matters where contacting your regulator may mitigate circumstances by demonstrating transparency and open lines of communications with regulators regarding deficiencies resulting from the current crisis.
6. Check reliable resources to stay current on the developing crisis
To stay on top of current events and how they may impact you and your advisory business, you should monitor core resource sites for developments in the ever changing regulatory landscape. First, from a global health perspective, advisers should visit the WHO and CDC websites to get the latest on COVID-19 developments. Second, advisers should monitor regulatory sites such as SEC (for registered broker-dealers and federally covered advisers), NASAA and specific state regulatory websites (for state registered firms), and FINRA (for broker-dealers and dual registered advisers) on the recent regulatory developments to COVID-19. Firms should also check their specific custodians, clearing firms and other vendors specific to assisting with business operations on recent developments and contingency plans related to COVID-19.
7. Remain vigilant when using communication systems and technology
For remote workers, the majority of information sent and/or received comes from communication systems such as your phone (e.g. home or mobile device) and computer (e.g. email and video conferencing, etc.). Web and video conferencing, cloud-based file sharing and networking solutions have become critical systems allowing remote workers to continue to perform everyday functions and stay productive. Many companies including Zoom, Microsoft Teams, Cisco Webex, GoToMeeting, Free Conference Call, Google Hangouts Meet, Slack and others provide video conferencing solutions and other tools to assist remote workers, and in some cases for free in response to the current crisis. Some vendors such as Cisco and McAfee are also offering some of their security products at no charge in response to the current crisis.
However, no technology is without its set of risks. As an example, Zoom appears to be a popular choice among many firms because of its ease of set-up, use and sharing, but beware of “Zoom bombing” which is used to describe Zoom’s online virtual meetings where user sessions are interrupted or hijacked by unwelcome guests who are looking for ways to create disruption on the Internet. To protect from these types of intrusions, it’s best to familiarize yourself with Zoom’s settings and features and security measures surrounding your Personal Meeting ID (PMI) and how to avoid using your PMI to host public events which Zoom has posted on its Zoom blog.
Also, be sure to review the privacy policies of each vendor to ensure that they don’t violate your firm’s existing privacy policies or procedures. For example, some vendors may have certain privacy considerations regarding its collection and use of data (see Kate O’Flaherty’s recent Forbes article Zoom’s A Lifeline During COVID-19: This Is Why It’s Also A Privacy Risk).
8. Monitor your Cloud Storage and File Sharing Systems
Although many firms use cloud storage to store, share and maintain their books and records, the current COVID-19 pandemic has prompted many other firms to migrate to the cloud for security and ease of access for remote work. Cloud storage and file sharing sites such as Microsoft OneDrive, Dropbox, Box, SugarSync, Google Drive, Sharefile and others are popular with small to medium sized broker-dealers and investment advisers. When using cloud storage and file sharing sites, be sure to use two-factor authentication for enhanced security measures and review your policies on managed access rights to ensure that the right people have the right access to sensitive documents to adjust and update if and when needed.
However, some broker-dealer and investment advisers have yet to use cloud storage or fully migrate to a digital format and still maintain hardcopy books and records. For firms that maintain all or some books and records in hardcopy format, be sure to properly safeguard all firm and client related records maintained remotely and carefully follow firm policies on safeguarding client information.
9. Check your Form BR branch office status for changes
For broker-dealers and investment advisers, there are certain reporting obligations to FINRA regarding the type and status of each branch office through the Uniform Branch Office Registration Form (Form BR). Firms are encouraged to review its remote work policies to see how they may impact its current branch office registration status. In particular, Item 2 of the Form BR allows for firms to indicate the “types of financial industry activities conducted by the applicant at this branch office” which includes sales, investment advisory activities, investment banking/underwriting/research, market making/trading, back office operations, public finance and other. As firms shift to a remote work environment, firms may have to update their Form BRs related to specific branch offices as a result of changes in office type, changes in supervisory personnel, changes in types of branch related or other business activities or other arrangements.
10. Keep your Customers Informed (and document your communications)
Whether it’s an emerging crisis or a sudden shift toward remote work, sometimes the ability to effectively communicate with your clients becomes more difficult and complex. When it comes to clients, its best to keep the lines of communication open and frequent in terms of the developing events and how they may impact your relationship with your clients and your current and business operations. The ability to stay calm in times of uncertainty is paramount and clients need to be reassured that they’re in good hands and that their level attention and service remain steady regardless of the circumstances. When working remote and communicating with clients, you need to ensure that all communications are conducted within firm approved communication systems (e.g. email, social media, text, blogs, etc.) and that all communications are archived and properly maintained in accordance with books and records requirements through the use of vendors such as Global Relay, Smarsh and others.
Broker-dealers and investment advisers along with other businesses everywhere face unimaginable hardship as this crisis forces everyone to self-isolate for safety. No business could have predicted what we’re now experiencing. As firms face new realities, remote work brings with it a unique set of challenges to which all firms will need to adjust while mitigating risk. Inequities in firm resources and digital access which impacts a firm’s degree of readiness, further complicate matters. Firms must closely monitor the ongoing developments of this crisis to identify its implications for routine business activities and make adjustments to help adapt to new working norms. Now more than ever firms must keep a keen eye on the developing risks associated with these new norms as they navigate this unprecedented time together.