COVID-19: Key Cybersecurity Issues for Financial Services Firm Employees


As most financial services firms move to an off-site working model and navigate the “new normal,” it is even more critical that they take steps to mitigate the increased cybersecurity risks arising from the COVID-19 pandemic.

CISA and FINRA have emphasized the need for firm employees to practice heightened alertness to cybersecurity threats that exploit human beings as the weak link. For the last several weeks, CISA and other government agencies have been warning about cybercriminals and other scammers exploiting the COVID-19 pandemic and self-isolation.

Financial services firms, especially, must remember to warn their employees regularly about the threat posed by phishing emails. These emails are becoming more sophisticated and harder to spot, and they are crafted to exploit the difficulty and anxiety surrounding the pandemic. Here are a few phishing attempts already reported during the COVID-19 crisis:

  • Fraudulent purchase orders for face masks or other supplies;
  • Communications made to look as though they were sent by the World Health Organization or another health or governmental organization;
  • Fraudulent “remote workplace testing” emails that ask for login credentials or other authentication information; and
  • Requests for donations that impersonate genuine relief organizations.

To gain access, a phishing attack only needs to convince one employee to open an attachment, click on a link, or hand over authentication information. That single action can compromise the firm’s security or release malware that makes some or all of the firm’s systems unavailable for an extended period. Even under favorable conditions, a successful phishing attack can cause notable harm and business delays. Where firms have moved partially or completely to remote work, or where on-site IT monitoring and support has been reduced, such attacks can be even more debilitating and harder to remediate.

Because employees are a significant point of vulnerability, it is important to use these measures:

  • Email alerts;
  • Training (which can be conducted by webinar or teleconference); and
  • Phishing tests (i.e., sending simulated phishing emails to employees).

These can go a long way toward lessening the risks. A firm’s existing information security training programs and materials can, and certainly should, be leveraged for this purpose. They should now be tailored, to the extent possible, to the current COVID-19 situation.

Important: Create or Have a Plan for Responding to a Cybersecurity Incident

Finally, firms should prepare for the possibility of a cybersecurity incident. Firms should immediately evaluate any incident response team and response plan currently in place to ensure that it can function in the current remote environment. If a cybersecurity incident were to occur, firms must consider whether any notices must be sent to personnel, other affected individuals (e.g., customers or clients), or governmental authorities. For instance, if client information is stolen from a firm’s systems or held for ransom, that could trigger reporting obligations under various data breach notification laws.

If you have any questions, feel free to contact us.
