The COVID-19 pandemic has upended our personal and professional lives and many businesses are adjusting to this new environment in which working from home could be the new normal for an extended period of time. Since many firms have shifted to working remotely, Chief Compliance Officers (“CCOs”), Information Security Officers (“ISOs”), and IT departments and vendors (“IT Providers”) are having to consider how their firm’s cybersecurity could be impacted when their employees are accessing their networks from personal laptops and desktop computers.
Cybersecurity is an integral component of a firm’s overall business continuity and disaster recovery plan (“BCP”) and should be approached with the same amount of rigor and scrutiny as it would be under normal business operations. Still, many CCOs and ISOs may have questions and concerns about how to best approach cybersecurity under these unprecedented circumstances, such as:
- Should I be creating an inventory of my employees’ personal devices?
- How do I monitor the security of my employees’ home networks?
- How secure does a home network have to be?
- How should my employees access my firm’s network?
- If an employee’s home network experiences a cyber-incident, what should I do?
- How do I ensure that my clients’ information remains protected and secure while my employees are working remotely?
In this Risk Management Update, we discuss additional cybersecurity protocols to consider, which are focused on workplace changes due to COVID-19.
Inventories: Know Your Employees’ Devices
The shift to remote working allows firms to have more flexibility in continuing business operations from remote locations, while also limiting employee and client exposure to COVID-19. However, it also creates additional cybersecurity risks and vulnerabilities for firms.
During normal business operations, inventories of equipment and software are an essential component of any cybersecurity program. Among other things, inventories allow firms to determine the numbers, models, and access points for all devices that are currently accessing a firm’s network and provide insight into associated risk factors and vulnerabilities. By documenting and creating an inventory of the devices your employees are using while working remotely, CCOs, ISOs, and IT Providers can better apply cybersecurity frameworks to mitigate risk to their firms’ networks and address any vulnerabilities.
When creating an inventory of devices, consider having employees complete a questionnaire that requests information about all devices being used remotely, including laptops and desktop computers, smartphones, tablets, Wi-Fi routers and modems, along with how the devices are being used. Below are examples of questions to include:
- What are the makes and models of your devices as well as serial numbers and service tags?
- How are you accessing the Internet from home?
- Is your Wi-Fi password ten or more characters and does it contain uppercase and lowercase letters, numbers, and symbols?
- What software or applications are installed on your personal devices that are being used for business purposes?
- What kind of anti-virus and anti-malware software do you have installed on your personal devices?
- Are you using wireless devices, such as printers, scanners, fax machines, and/or mice, that connect to your laptop or desktop computer?
- How are you accessing the firm’s networks? Are you using a VPN, web browser, or desktop program?
Additionally, ask employees about their remote workspace in order to assess whether there are any privacy concerns that need to be addressed. For example, documents containing PII should be maintained in the same secure manner as they would within a normal office environment.
Once the inventory has been completed, it’s important for CCOs, ISOs, and IT Providers to work together to determine whether there are existing risks and vulnerabilities that need to be addressed. For example, additional or updated software might need to be added to an employee’s personal device(s), security patches might need to be deployed, and/or new company-issued hardware might need to be ordered. With a thorough and well-organized inventory, firms are better positioned to identify, assess, and address any cybersecurity issues that arise.
Training is the First Line of Defense
The first line of defense for a firm in preventing a cyberattack is training. Well-trained employees are essential to a firm’s cybersecurity program under normal business operations and even more so in a remote working environment.
As you create a training program for your employees, consider addressing subjects such as:
- Cybersecurity threats and identity-theft red flags;
- Protection controls in place, including encryption protocols and strong passwords;
- Device management policies;
- Understanding allowed user access based on job responsibilities;
- The firm’s incident response procedures;
- Using multi-factor authentication for software and personal devices;
- Best practices for maintaining client privacy while working remotely; and
- How to strengthen encryption and password protocols for home networks.
Importantly, regardless of where work is being performed, firms and their employees remain responsible for maintaining client confidentiality and ensuring that their networks remain secure. Therefore, providing training to employees as they adapt to this new remote working environment is essential to keeping your cybersecurity program robust.
Lastly, firms should apply their cybersecurity programs in the same manner that they would under normal business operations. Below are some additional considerations that firms should bear in mind while their employees continue to work remotely:
Cybersecurity Risk Assessments
During normal business operations, a risk assessment should be performed at least annually. It should cover cybersecurity policies and procedures and current cyber-threats and vulnerabilities, and it should identify low, medium, and high risks in the areas of governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. During COVID-19, firms should consider performing a focused risk assessment to help ensure that potential additional vulnerabilities and risks are identified and addressed.
CCOs, ISOs, and IT Providers should look to external resources such as the SEC’s “Cybersecurity and You,” as well as information issued by the Cybersecurity and Infrastructure Security Agency, which provide guidance for small to mid-size businesses on what to evaluate when conducting cybersecurity risk assessments. Core Compliance also has a checklist of cybersecurity considerations for annual reviews, which we believe can be adapted for risk assessments.
Incident Response Plans
Incident response plans (“IRPs”) should be reviewed and updated at least annually. However, in light of business changes due to COVID-19, firms should consider running tabletop exercises to determine whether their IRP’s identification, containment, eradication, and post-recovery procedures are still effective. These exercises should be documented, and the IRPs should be updated based on the firm’s findings.
As firms consider the well-being of their employees and businesses during these uncertain times, cybersecurity should be a central element of discussion by senior management, and CCOs, ISOs, and IT Providers should ensure that they maintain open lines of communication with employees about their responsibilities with respect to cybersecurity protocols.
For more information on, or assistance with, conducting reviews of your cybersecurity policies, conducting a cybersecurity risk assessment, or other compliance areas, please contact us at firstname.lastname@example.org, at (619) 278-0020, or visit us at www.corecls.com.
Author: Adam Stutz, Compliance Consultant; Editor: Tina Mitchell, Managing Director, Consultation Services; Core Compliance & Legal Services (“CCLS”). CCLS works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms, and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
E.g., the National Institute of Standards and Technology (“NIST”) Framework Core includes the following core components as part of its cybersecurity framework: identify, protect, detect, respond, and recover. National Institute of Standards and Technology (“NIST”). “Cybersecurity Framework.” NIST, 21 Apr. 2020, www.nist.gov/cyberframework.
See Cybersecurity Checklist.