As most broker-dealers move to a telework model and navigate the “new normal,” it is critical that they take steps to mitigate the increased cybersecurity risks arising from the COVID-19 pandemic.
Guidance on Increased Cybersecurity Threats
On March 13, 2020, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued a similar alert that, although not specific to broker-dealers, provides additional information for organizations moving to a remote working environment and the steps they should take to adopt a heightened state of cybersecurity. In particular, CISA warns firms to anticipate sophisticated phishing attacks and to help employees to be on alert for these attacks.
Suggested cyber mitigation efforts include:
- Ensuring that virtual private networks (“VPNs”) and other remote access systems are properly patched with the latest available security updates and configurations;
- Checking that system entitlements are current;
- Employing the use of multifactor authentication (“MFA”) for associated persons who access systems remotely and implementing MFA on all VPN connections to increase security;
- Reminding associated persons of cyber risks through education and other exercises that promote heightened vigilance;
- Ensuring IT security personnel are prepared to ramp up remote access cybersecurity tasks, including log review, attack detection, and incident response and recovery, and documenting these tasks in the configuration management policy; and
- Ensuring IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications — such as rate limiting — to prioritize users that will require higher bandwidths.
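The entitlement review, MFA enforcement and log-review items above are easiest to see as one routine check over the remote-access logs. The following Python script is an added example written for this page; it is not code from FINRA, CISA or any VPN vendor. The log line format (`<timestamp> CONNECT|DISCONNECT user=... src=... mfa=yes|no`), the sample lines and the entitlement list are all constructed assumptions; a real deployment would read the concentrator's own export and the HR or IAM system's current access list.

```python
"""
Audit constructed VPN access logs against a current entitlement list.

Reports three things a security team wants during a sudden move to remote work:
  1. connections by users who are no longer entitled to remote access,
  2. connections that were not protected by MFA,
  3. peak concurrent sessions, as an input to VPN capacity testing.
"""
import re
from datetime import datetime

# Constructed sample log (not from any real system). Assumed format:
#   <ISO timestamp> <CONNECT|DISCONNECT> user=<id> src=<ip> mfa=<yes|no>
SAMPLE_LOG = """\
2020-03-16T08:01:10 CONNECT user=alice src=203.0.113.10 mfa=yes
2020-03-16T08:02:45 CONNECT user=bob src=198.51.100.7 mfa=no
2020-03-16T08:05:00 CONNECT user=carol src=203.0.113.44 mfa=yes
2020-03-16T08:30:12 DISCONNECT user=alice src=203.0.113.10 mfa=yes
2020-03-16T09:10:03 CONNECT user=dave src=192.0.2.9 mfa=yes
2020-03-16T09:12:30 CONNECT user=bob src=198.51.100.7 mfa=no
2020-03-16T10:00:00 DISCONNECT user=carol src=203.0.113.44 mfa=yes
"""

# Constructed entitlement list: users currently approved for remote access.
# "bob" is deliberately absent, modelling an account whose entitlement was
# never revoked after the person changed roles or left the firm.
ENTITLED_USERS = {"alice", "carol", "dave"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>CONNECT|DISCONNECT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["mfa"] = d["mfa"] == "yes"
        events.append(d)
    return events


def audit(events, entitled):
    """Flag CONNECT events by non-entitled users and CONNECT events without MFA."""
    findings = {"not_entitled": [], "no_mfa": []}
    for e in events:
        if e["event"] != "CONNECT":
            continue
        record = (e["ts"].isoformat(), e["user"], e["src"])
        if e["user"] not in entitled:
            findings["not_entitled"].append(record)
        if not e["mfa"]:
            findings["no_mfa"].append(record)
    return findings


def peak_concurrency(events):
    """Return (peak, timestamp) of the highest number of simultaneous sessions.

    A session is keyed by (user, source IP); CONNECT opens it, DISCONNECT
    closes it. Repeated CONNECTs for the same key are treated as one session.
    """
    active = set()
    peak, peak_ts = 0, None
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if e["event"] == "CONNECT":
            active.add(key)
        else:
            active.discard(key)
        if len(active) > peak:
            peak, peak_ts = len(active), e["ts"].isoformat()
    return peak, peak_ts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    result = audit(evts, ENTITLED_USERS)
    for ts, user, src in result["not_entitled"]:
        print(f"NOT ENTITLED  {ts} {user} from {src}")
    for ts, user, src in result["no_mfa"]:
        print(f"NO MFA        {ts} {user} from {src}")
    print("peak concurrent sessions:", peak_concurrency(evts))
```

Run on the constructed sample, the script reports two connections by the non-entitled user and the same two connections as lacking MFA, and a peak of three concurrent sessions. The two findings overlap here by construction; in practice the MFA check should be enforced at the concentrator, and the entitlement check run on a schedule so that revocations reach the VPN before the next logon.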
As a reminder, broker-dealers and other financial institutions are required to file Suspicious Activity Reports (“SARs”) with the U.S. Department of the Treasury's Financial Crimes Enforcement Network for certain cyber-events and cyber-enabled crime. Filing a SAR does not relieve financial institutions of any other applicable notification requirements, and compliance with the Cybersecurity Information Sharing Act does not relieve financial institutions of any SAR reporting requirements for cyber-events or cyber-enabled crime.
The Biggest Cybersecurity Weakness May Be Your Employees
Both FINRA and CISA guidance emphasize the need for employees to practice heightened vigilance with respect to cybersecurity risks that will exploit human beings as a weak link. CISA and other government agencies have been warning for several weeks about the risks posed by cyber criminals and other scammers exploiting the pandemic.
In particular, broker-dealers must regularly remind employees of the dangers posed by phishing emails. Phishing emails are becoming more sophisticated and difficult to spot, and are being designed to exploit uncertainty and anxiety about the pandemic. Phishing attempts already reported during this crisis include:
- Communications that look like they were sent by the World Health Organization or another health or governmental organization;
- Fake purchase orders for face masks or other supplies;
- False “remote workplace testing” emails that request login or other authentication information; and
- Requests for donations that spoof legitimate relief organizations.
To succeed, a phishing attack only needs to convince one employee to click a link, open an attachment, or provide authentication information, which could compromise the firm’s security or unleash malware that could render some or all firm systems inaccessible for an extended period of time. Under the best of circumstances, a successful phishing attack can cause significant harm and business interruptions. Where firms have moved partially or fully to remote work, or where on-site IT monitoring and support has been reduced, such attacks can be even more debilitating and difficult to address.
Because employees are a major point of vulnerability, email alerts, trainings (which can be conducted via webinar or teleconference), and phishing tests (i.e., sending phishing simulation emails) can go a long way in mitigating the risks. Existing information security training programs and materials can and should be leveraged for this purpose, and tailored to the extent possible to the current COVID-19 situation.
Have a Plan for Responding to a Cybersecurity Incident
Finally, firms should prepare for the possibility of a cybersecurity incident. Firms should evaluate any team and response plan currently in place to ensure that it is capable of responding in the current environment. Should a cybersecurity incident occur, firms must consider whether any notices are required to personnel, other affected individuals (e.g., customers or clients), or governmental authorities. For example, if client information is accessed or extracted from a firm’s systems, it could trigger reporting obligations under various data breach notification laws.