US FINRA Issues Cybersecurity Guidance on Working Securely from Home During Covid-19

The resilience of US firms’ business operations has come under scrutiny in the light of Covid-19. In this context, the US self-regulator of securities broker-dealers, the Financial Industry Regulatory Authority (FINRA), has issued a cybersecurity alert intended to help member firms, including those in the fintech and digital securities space, strengthen their systems and internal controls in areas where cyber risks may be heightened because of the pandemic.

Increased risks from teleworking

FINRA is concerned that the risk of cyber events may be increased due to remote working arrangements and heightened anxiety and confusion among firms’ staff and others working on behalf of the member firm. In its cybersecurity alert, FINRA provides guidance on steps firms and staff should take to minimize the vulnerabilities of teleworking and strengthen cybersecurity systems and controls.

The alert supplements recent related guidance in Regulatory Notice 20-08, encouraging member firms to review their business continuity plans to enhance their cybersecurity preparedness and operational resiliency in light of the pandemic.

FINRA guidance

FINRA’s guidance highlights safeguards that member firms should implement, as well as additional security measures that staff working remotely should follow. Taken together, this cybersecurity guidance will assist firms in “remain[ing] vigilant in their surveillance against cyberthreats.”

In particular, FINRA recommends that firms:

  • Provide staff with a secure connection to the firm’s work environment to access firm or client data or sensitive applications (e.g., a virtual private network (VPN) or remote desktop with multi-factor authentication);
  • Evaluate staff privileges to limit access to sensitive systems and data to authorized personnel;
  • Train staff, including IT support staff and others involved in managing or supporting staff, on potential scams and attacks, as well as on how to connect safely and securely to office applications from a remote location (such as a home office); and
  • Provide staff with important IT support contact information (e.g., whom to call, how to contact them, when to contact them and how to handle emergency situations).

Further, FINRA recommends that members’ staff and associated persons working on behalf of firms:

  • Use secure Wi-Fi and network connections to access their respective member’s work environment (e.g., through a company-provided VPN or through a secure firm or third-party website);
  • Change default user names and passwords on home networking equipment, such as Wi-Fi routers;
  • Check for and apply, on a timely basis, updates and patches to the operating system and any applications, including anti-virus and anti-malware software, on all devices used to access the firm’s work environment;
  • Remain sensitive to scams and attacks designed to exploit the current situation, including phishing scams referencing Covid-19, fake or unsolicited calls from a “Helpdesk” and malicious links in emails and online sites — this includes being cautious of requests for passwords or confidential information and offers to download “free software”; and
  • Understand their roles in each of their member firm’s incident response plans and whom to contact in the event of a cybersecurity incident (e.g., a data breach, customer data loss, ransomware, a successful email attack, or even a lost or stolen device).

Next steps

FINRA emphasizes that these measures are neither mandatory nor exhaustive. Though not mandatory, this cybersecurity guidance warrants careful attention, as cyber and phishing attacks have been on the rise since the start of the Covid-19 pandemic. Firms – especially newer fintech and digital securities firms whose teleworking systems and controls may be relatively untested – should evaluate the cyber threats specific to their business and implement appropriate pre-emptive measures, based on their operational needs and available resources, to keep firm and client data safe.

Authors: Elliot Jack, Jerome Roche, Caitlin Metcalf, Elias Gurewitsch