As we reported here, FINRA issued guidance to member firms and their associated persons earlier this month to remain “vigilant in their surveillance against cyber threats and take steps to reduce the risk of cyber events.” In order to reinforce that earlier warning, FINRA has issued a second guidance document reminding firms and their associated persons of practices and procedures to support their cybersecurity infrastructure in response to COVID-19. The latest guidance focuses on smaller and regional firms and the challenges presented by registered representatives, operations and supervisory personnel conducting business through remote access to the firm’s network.
Among other things, FINRA recommends the following:
For Associated Persons and their Home Offices (Computers and Mobile Devices)
- Use only a secure network connection to access your firm’s work environment (e.g., a company-provided VPN or other secure website);
- Check for and update software and patches to home networking equipment on a timely basis;
- Change default usernames and passwords on home networking equipment; and
- Strictly follow the firm’s policy on file storage and backup of customer information.
For Member Firms
- Provide staff with a secure connection to the firm’s work environment, including training and periodic reminders on how to do so;
- Re-evaluate access by associated persons within the firm to “sensitive systems and data”; and
- Provide training and periodic reminders to all associated persons on potential scams and attacks on firm systems listed below.
FINRA also reminds firms and their associated persons to be mindful of scams and attacks that may be disguised as the following:
- Phishing scams that reference COVID-19, Coronavirus or related matters;
- Fake, unsolicited calls to or from the “Helpdesk” that request passwords or log-in information and want to discuss home preparedness (how to log in, etc.); and
- Malicious links in emails or online sites, offering the download of “free software”.
Finally, FINRA again reminds firms and all associated persons that they should know how to proceed if they encounter a cyber threat, including whom to contact, how to do so, and any emergency procedure to follow. The complete alert can be found here.