Learn How to Mitigate SEC & FINRA Compliance Risks for Remote Work
If you have worked in financial services for more than a minute, then you already know your firm faces huge potential compliance risks with most or all of your employees working from home. Whether you are registered with the state, FINRA, the SEC – or all three – every regulatory body overseeing your trading and investing expects you to do anything and everything to protect your client data, and your clients expect that even more.
Many industries have adopted business continuity plans (BCPs) along with strict rules for data privacy, encryption and general cybersecurity; however, financial services have an added security impetus. Cyber risk is tied to value, and brokers, dealers and advisors work with assets worth tens to hundreds of millions of dollars – any piece of data (as well as the money itself) holds a lot of value for hackers. This vulnerability creates compliance risk for your firm, and the only way to fight it is to take every step you can to ensure around-the-clock data security and a clear, decisive BCP.
Here are the factors that make working from home a source of SEC and FINRA compliance risk, as well as a few steps to help mitigate them:
How Normal Compliance Risks are Strained When Working from Home
If you and your team are working remotely, then you are already going through the first step of your business continuity planning. How many businesses would have been able to successfully shift to the new normal even 20 years ago, when personal use wireless Internet was just starting to pick up steam? Most working professionals are familiar with the basic technology that allows work from home, but the real problem lies in how many do not know how to handle the differences in the new environment.
Institutions being hacked has become a part of life (and has led to a lot of “cyber stress”), and unfortunately the factors that have made it so commonplace have not gone away. In fact, they have grown in response to the increased vulnerability that comes with having so many unprepared remote workers accessing business data from potentially unsecure devices and networks. Hackers are opportunistic, and human error creates a lot of opportunity when processes change – and the new normal is a big change for many.
- Cyber attacks against financial services rose 238% between February and April 2020
- 52% of surveyed remote workers admitted a lack of strict security practice working from home
- 20% of surveyed companies have deployed multi-factor authentication (MFA) since COVID-19 began
- Over 39% of surveyed companies will increase cloud security investments by year-end 2020
Expanded Cyber Risk Builds Compliance Risk
Understanding how working from home brings compliance risk for financial firms requires knowing the nature of cyber risk outside of the new normal. The key to everything in this modern digital age is data, even more so for any professional services company that hinges on customer data to capture and deliver value. Recording your clients’ information may seem like a rudimentary, even benign task, but you must recognize the cybersecurity danger tied to each and every file to be able to truly learn how to protect them.
Hackers have their own methodologies for generating and capturing value, and ransomware has taken off because it is one of the simplest ways to do so. Every byte of data is like a piece of a bigger puzzle, and selling off access to some of the pieces is easier than trying to acquire the entire puzzle – and diminishes the chances of getting caught. Under this approach, cybercriminals do not have to hack your entire firm; they only need someone who is already deep enough into the system and vulnerable enough to be exploited discreetly.
- 82,000 new malware types are released per day
- Ransomware downtime costs rose 200% from 2018 to 2019
- 40% of surveyed businesses have outsourced cybersecurity needs since the start of COVID-19
Outdated Regulations Will Not Protect You from Audits
The SEC and FINRA have thankfully released guidance on how to adjust to the compliance risk of working from home, but there have been few, if any, fundamental changes to regulation. Even the guidance from these regulatory agencies reflects the rigid nature of the law in financial services, and there are no signs that much latitude will be granted for the difficulties of the new normal. It does not matter how much the current situation has changed since 1940 – these same ordinances still apply to financial services, and noncompliance could still lead to being audited.
Even if the regulations have remained mostly the same, processes have certainly changed for both FINRA and the SEC as well as brokers and dealers. Many compliance-related tasks are now done electronically, especially when it comes to documentation. However, those same obligations for information security are still in effect, and keeping these communications secure should be considered a business continuity item.
- 47 states (plus DC) have data breach laws in place
- Noncompliance with breach laws has accounted for almost $2 billion in fines in 2019
- FINRA has advised RIAs and BDs to include pandemic preparedness in their BCP since at least 2009
Make Technology Work for You Instead of Against You
Working from home is not all doom and gloom, and keeping your firm protected from compliance risks is just a matter of balancing human proficiency with technology application. People are the last line of cyber defense, and augmenting an employee cybersecurity training program with outsourced monitoring by cyber experts will secure your endpoints internally and externally. The tools themselves are not the problem – it is how people use them (or don’t) that generates vulnerabilities and leaves your network open to exploits.
Bad security hygiene is unfortunately all too common in both personal and commercial spaces – there are likely as many reports on unsecure practices as there are on unsecure vendors. However, even the most proactive technology provider cannot plan for every occurrence and human error, and most certainly did not account for COVID-19. To make remote work cybersecure, you must ensure employees know how to get the best cybersecurity value from their hardware and software.
- 47% of surveyed companies are deploying new endpoint protections, anti-phishing tools or VPN software
- 80% of surveyed companies are engaging new cybersecurity professionals during COVID-19
Address Every SBD with Your BCP
In the wake of several disasters – natural or otherwise – that disrupted the market throughout the beginning of the 21st century, SEC and FINRA adjusted guidance to better include future possibilities. The concept of a “significant business disruption” (SBD) encapsulates regulatory thinking on what factors are preventable by firms like yours, and what you should be doing to prevent them. In the case of working from home, regulators expect you to enable a continuation of service delivery to your clients and all that entails within a reasonable standard.
Obviously, there is a cutoff at certain external disruptions (e.g., a terrorist attack), but you are still responsible for addressing every internal SBD that could affect your remote work. These do and will include any network downtime, hardware malfunctions and cybersecurity incidents that could not only interrupt service (and access), but could potentially cause damage at any stage. Your BCP and disaster recovery policies must have steps in place to handle all the possible occurrences that could prevent seamless business operations while telecommuting.
- 60% of investment managers say cybersecurity risk will be one of their top concerns for 2020–2022
- Over 55% of wealth managers had to modify or create a new BCP for COVID-19
Protect Against Compliance Risks with Solutions to the Cybersecurity Crisis
2020 was set to bring a cybersecurity crisis even before COVID-19 brought on the new normal, and millions of Americans working from home has only intensified the cyber threats. However, SWK has solutions in place that will enable you to mitigate the compliance risks that come with working from home and help you fulfill state, SEC and FINRA regulations for business continuity.
Download our white paper here to learn more about protecting yourself from the cybersecurity crisis and ensuring around-the-clock compliance.