On March 26, 2020, the Financial Industry Regulatory Authority (FINRA) issued an Information Notice advising broker-dealers that are adjusting their work processes in response to the coronavirus disease 2019 (COVID-19) pandemic to address increased vulnerability to cybersecurity attacks and to protect customer and firm data on firm and home networks and personal devices.
The Information Notice provides broker-dealers and their associated persons with numerous suggested measures for strengthening cybersecurity controls in areas facing increased risks associated with employees working remotely. Notwithstanding the need to maintain an active business and to ensure the health and safety of employees, FINRA cautions broker-dealers to remain vigilant in their surveillance for cyber threats and take steps to reduce the risk of cyber events.
FINRA noted the following measures for consideration by associated persons:
Office and home networks
- using secure network connections to access the broker-dealer’s work environment, for example, through a Virtual Private Network (VPN) or secure firm or third-party website;
- securing Wi-Fi connections by using a stringent security protocol; and
- applying software updates and patches to routers on a timely basis, and periodically changing default user names and passwords on home networking equipment such as Wi-Fi routers.
Computers and mobile devices
- applying updates and patches to operating system and applications on a timely basis;
- installing anti-virus and anti-malware software and, where the software is purchased on subscription, caution individuals not to allow subscriptions to lapse leaving computers unprotected;
- checking the firm’s policy employees for keeping files on personal devices, especially with respect to files containing customer personally identifiable information; and
- locking screens before stepping away from the computer when working in shared spaces.
The Information Notice cautions individuals to be sensitive to scams and attacks being used to take advantage of the current situation, including:
- phishing scams referencing COVID-19, coronavirus and/or related matters;
- unsolicited calls from help desks requesting passwords or seeking to walk the individual through home preparedness; and
- malicious links in emails, online sites and unofficial download sites, especially those offering free software.
FINRA encourages associated persons to understand their role in the broker-dealer’s incident response plan and the appropriate people to contact in the event of cybersecurity incidents, including:
- data breaches;
- loss or exposure of customer personally identifiable information;
- successful email attacks;
- ransomware; and
- lost or stolen devices.
FINRA noted the following measures for consideration by firms:
Network security controls
- giving employees working remotely secure connections to the work environment or sensitive applications using methods such as VPN or multifactor authentication; and
- evaluating privileges for accessing sensitive systems and data.
Training and awareness
FINRA’s suggested training and awareness topics include:
- Connecting securely from remote locations;
- scams and attacks such as coronavirus-related phishing scams;
- unsolicited calls requesting passwords or offering assistance with home preparedness; and
- malicious links in emails, online sites and unofficial download sites.
The Information Notice also notes that firms may wish to alert their IT support staff and others involved in managing and/or supporting employees to be diligent in vetting incoming calls to avoid fraudsters using the significant increase in remote work to engage in schemes such as:
- bogus calls requesting password resets or reporting lost phones or equipment; and
- fraudsters contacting Help Desks requesting password resets in order to obtain information about technical or business operations in an effort to steal funds.
FINRA encourages firms to provide employees with important IT support staff contact information and information with respect to handling emergency situations.
Finally, the Information Notice includes links to COVID-19-related resources that may be helpful to firms and their associated persons, including:
If you have any questions regarding FINRA’s Information Notice, please contact your DLA Piper relationship partner or a member of the DLA Piper financial services team.
Please visit our Coronavirus Resource Center and subscribe to our mailing list to receive alerts, webinar invitations and other publications to help you navigate this challenging time.
This information does not, and is not intended to, constitute legal advice. All information, content, and materials are for general informational purposes only. No reader should act, or refrain from acting, with respect to any particular legal matter on the basis of this information without first seeking legal advice from counsel in the relevant jurisdiction.