As firms respond to the ongoing coronavirus pandemic by increasingly transitioning to remote and telework arrangements, the Financial Industry Regulatory Authority (“FINRA”) issued an alert on measures that firms and associated persons can take to address resulting cybersecurity vulnerabilities:
- Measures for Firms. Firms should take steps to ensure network security. This may include providing employees with secure connections (through the use of virtual private networks (“VPNs”) or secure sessions with multi-factor authentication, for example) and regularly evaluating privileges to access sensitive information.
- Firms should also consider training staff on how to securely connect to the firm’s network from remote locations while avoiding potential scams or cyberattacks, and to alert the firm’s IT support staff about potential fraudsters seeking to exploit remote work arrangements by impersonating firm personnel.
- Measures for Associated Persons. Associated persons should utilize a secure connection to access a firm’s network and ensure that their wireless connections use stringent security protocols, their devices are using up-to-date software and non-default login credentials, they are using anti-virus and anti-malware software, and they secure their device when working in public areas. Associated persons should also review firm policies on storage and back-up of information, particularly where customer personally identifiable information is being accessed on personal devices.
- Associated persons should be aware of fraudsters using the current situation as a cover for cyberattacks, for example by impersonating “Helpdesk” personnel or engaging in traditional phishing scams. They should also consider their role in a firm’s incident response plan, including who they should contact and when.
The alert notes that it “does not create any new legal requirements or change any existing regulatory obligation.” For additional guidance on cybersecurity considerations for firms as they respond to the ongoing pandemic, please see our prior posting on the subject.