March 23, 2020
Many advisers have strong BCPs and have had remote work capabilities built into their regular processes for some time. However, when your entire workforce is working from home, resources can be strained and cause new concerns that were not contemplated previously.
In late January, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a summary of cybersecurity and operational resiliency best practices drawn from observations made during the thousands of examinations OCIE staff have performed over the past several years. We encourage you to review this document and work with your Operations and IT departments to determine whether there are areas where you can enhance your practices.
OCIE Cybersecurity and Resiliency Observations
Additionally, due to the recent COVID-19 pandemic, we are all facing challenges in how we conduct business. You have likely enacted your business continuity plan and have a much larger portion of your staff working from home than you are used to, if not all of your staff. This means some of your staff are likely working remotely for the first time and without an ideal technology setup in their home workspace. The current business environment may create situations of increased cybersecurity risk. A few examples are below:
• Many employees may not have home shredders. We recommend, at a minimum, instructing your employees to diligently set aside materials that require shredding in a box, rather than throwing them in the normal trash, and to bring the box to the office in the future to be shredded.
• Employees’ computers may not be connected to their home printers. The desire to print from a home printer may incentivize prohibited actions such as emailing a document to a personal email address, or using an unapproved file-sharing program or an unencrypted removable storage device to transfer the file. We recommend reminding your employees that your cybersecurity and IT acceptable use policies still apply in the current environment. You may choose to grant an exception based on need, but if you do, document it, so that you at least know which exceptions have been made and can revisit them later.
• When your employees are working at home, some for the first time, they may be more vulnerable to phishing attacks amid their disrupted routines and increased distractions. In addition, phishing attacks related to COVID-19, and social engineering emails appearing to come from your IT department offering to help streamline remote access, are likely to be more prevalent. We recommend you remind your employees to remain vigilant during this time. Also consider increasing the frequency of your phishing email testing, if you currently subscribe to such a service, to determine whether your employees’ new remote working environment represents an increased risk.
• Remote access applications that are used less often are also less likely to have multi-factor authentication (MFA) in place, and they are now being used far more heavily. We recommend implementing MFA on any application used for remote access if that application allows access to confidential or sensitive data.
Please let us know if you have any questions regarding the impact of COVID-19 on your compliance program or business operations, or if you need additional support or resources during this time. We will all get through this time using teamwork and come out better as a result of this experience.