
How Working from Home Builds Compliance Risk for Financial Services



Learn How to Mitigate SEC & FINRA Compliance Risks for Remote Work

If you have worked in financial services for more than a minute, then you already know your firm faces huge potential compliance risks with most or all of your employees working from home. Whether you are registered with the state, FINRA, the SEC – or all three – every regulatory body overseeing your trading and investing expects you to do everything and anything to protect your client data, and that goes triple for your clients.

Many industries have adopted business continuity plans (BCPs) along with strict rules for data privacy, encryption and general cybersecurity; however, financial services have an added security impetus. Cyber risk is tied to value, and brokers, dealers and advisors work with assets worth tens to hundreds of millions of dollars – any piece of data (as well as the money itself) holds a lot of value for hackers. This vulnerability creates compliance risk for your firm, and the only way to fight it is to take every step you can to ensure around the clock data security and a clear, decisive BCP.

Here are the factors that lead to working from home building SEC and FINRA compliance risk, as well as a few steps to help mitigate them:

How Normal Compliance Risks are Strained When Working from Home

If you and your team are working remotely, then you are already going through the first step of your business continuity planning. How many businesses would have been able to successfully shift to the new normal even 20 years ago, when personal use wireless Internet was just starting to pick up steam? Most working professionals are familiar with the basic technology that allows work from home, but the real problem lies in how many do not know how to handle the differences in the new environment.

Institutions being hacked has become a part of life (and has led to a lot of “cyber stress”), and unfortunately the factors that have made it so commonplace have not gone away. In fact, they have grown in response to the increased vulnerability that comes with having so many unprepared remote workers accessing business data from potentially unsecure devices and networks. Hackers are opportunistic, and human error leads to a lot of opportunity when processes change – and the new normal is a big change for many.


Expanded Cyber Risk Builds Compliance Risk

Understanding how working from home brings compliance risk for financial firms requires knowing the nature of cyber risk outside of the new normal. The key to everything in this modern digital age is data, even more so for any professional services company that hinges on customer data to capture and deliver value. Recording your clients’ information may seem like a rudimentary, even benign task, but you must recognize the cybersecurity danger tied to each and every file to be able to truly learn how to protect them.

Hackers have their own methodologies for generating and capturing value, and ransomware has taken off because it is relatively one of the simplest ways to do so. Every byte of data is like a piece of a bigger puzzle, and selling off access to some of the pieces is easier than trying to acquire the entire puzzle – and diminishes the chances of getting caught. Under this approach, cybercriminals do not have to hack your entire firm, they only need someone deep enough into the system already and vulnerable enough to do it discreetly.


Outdated Regulations Will Not Protect You from Audits

The SEC and FINRA have thankfully released guidance on how to adjust to working from home compliance risk, but there have been few, if any, fundamental changes to regulation. Even the guidance from these regulatory agencies reflects the rigid nature of the law in financial services, and there are no signs that much latitude will be granted for the difficulties of the new normal. It does not matter how much the current situation has changed from 1940 – these same ordinances still apply to financial services, and noncompliance could still lead to being audited.

Even if the regulations have remained mostly the same, processes have certainly changed for both FINRA and the SEC as well as brokers and dealers. Many compliance-related tasks are now done electronically, especially when it comes to documentation. However, those same obligations for information security are still in effect, and keeping these communications secure should be considered a business continuity item.




Make Technology Work for You Instead of Against You

Working from home is not all doom and gloom, and keeping your firm protected from compliance risks is just a matter of balancing human proficiency with technology application. People are the last line of cyber defense, and augmenting an employee cybersecurity training program with outsourced monitoring by cyber experts will secure your endpoints internally and externally. The tools themselves are not the problem – it is how people use them (or don’t) that generates vulnerabilities and leaves your network open to exploits.

Bad security hygiene is unfortunately all too common in both personal and commercial spaces – there are likely as many reports on unsecure practices as there are on unsecure vendors. However, even the most proactive technology provider cannot plan for every occurrence and human error, and most certainly did not account for COVID-19. To make remote work cybersecure, you must ensure employees know how to get the best cybersecurity value from their hardware and software.

Key Facts

  • 47% of surveyed companies are deploying new endpoint protections, anti-phishing tools or VPN software
  • 80% of surveyed companies are engaging new cybersecurity professionals during COVID-19

Address Every SBD with Your BCP

In the wake of several disasters – natural or otherwise – that disrupted the market throughout the beginning of the 21st century, SEC and FINRA adjusted guidance to better include future possibilities. The concept of a “significant business disruption” (SBD) encapsulates regulatory thinking on what factors are preventable by firms like yours, and what you should be doing to prevent them. In the case of working from home, regulators expect you to enable a continuation of service delivery to your clients and all that entails within a reasonable standard.

Obviously, there is a cutoff at certain external disruptions (e.g., a terrorist attack), but you are still responsible for addressing every internal SBD that could affect your remote work. These do and will include any network downtime, hardware malfunctions and cybersecurity incidents that could not only interrupt service (and access), but could potentially cause damage at any stage. Your BCP and disaster recovery policies must have steps in place to handle all the possible occurrences that could prevent seamless business operations while telecommuting.

Key Facts

  • 60% of investment managers say cybersecurity risk will be one of the top concerns for 2020 – 2022
  • Over 55% of wealth managers had to modify or create a new BCP for COVID-19

Protect Against Compliance Risks with Solutions to the Cybersecurity Crisis

2020 was set to bring a cybersecurity crisis even before COVID-19 brought on the new normal, and millions of Americans working from home has only intensified the cyber threats. However, SWK has solutions in place that will enable you to mitigate the compliance risks that come with working from home and help you fulfill state, SEC and FINRA regulations for business continuity.

Download our white paper here to learn more about protecting yourself from the cybersecurity crisis and ensuring around the clock compliance.
