Given the widespread success of remote working during the COVID-19 crisis, it would be no surprise if at least some of the recent changes to the way in which we work may be permanent. However, the risks to information security which arise from remote working should not be underestimated.
The very nature of the wealth management industry means that the types of information which are held, accessed and processed tend to be highly sensitive and security breaches may involve financial and reputational damage not just to the business but to clients as well.
Financial services regulators have made information and cyber security priorities for financial services businesses and have been at pains to make clear that such businesses should be alert to the additional dangers posed by COVID-19.
What are those dangers? Remote working requires businesses to scale up remote systems access, which they had previously provided to a relatively small number of employees, to a much larger population.
This has undoubtedly placed greater strain on IT systems and know-how whilst simultaneously meaning that employees are working with less supervision than previously.
Additionally, lockdown may mean that employees, clients and counterparties may be prone to behaviours which are less than desirable from an information security viewpoint. They will be potentially operating in an unfamiliar environment and will be attempting to manage and communicate using systems and processes which may be unfamiliar to them. They also may be finding their home environment and financial circumstances stressful.
In such an environment, the risk of mistakes occurring in relation to information security is naturally higher. In addition, the risk of falling prey to criminal activity such as social engineering may also be higher in such circumstances – even the World Health Organisation has seen fit to issue warnings about COVID-19-related email and WhatsApp fraud, whilst many industry observers have reported ‘spikes’ in phishing attacks exploiting concerns around COVID-19.
Isolation also has other risks. Employees who are intent on wrongdoing may feel that they are less scrutinised in their home environment and may feel more confident in misusing or misappropriating confidential information. Whilst such activity is rare – and most research suggests that the number of information security breaches arising from human error dwarfs the number caused by deliberate action by employees – it does exist and the risks of malicious activity should be considered.
Additionally, being in lockdown has led to a rapid uptake of new applications – particularly those in the field of video conferencing. Such applications are not necessarily sufficiently secure for enterprise use – and even where they are, employees and clients may be tempted to utilise non-business versions which lack the security features which will secure them appropriately. One recent example involves allegations that a media correspondent for a newspaper listened in to the Zoom meetings of another media organisation as staff were told sensitive news of pay cuts and other measures during the pandemic.
Focus on Systems – whilst information and systems security expertise and response may be at a premium, it has never been more critical to ensure that your IT systems are properly resourced and configured. Where third party applications such as Zoom are used, you should ensure that they are secure. Where security cannot be guaranteed…
Focus on Planning – whilst most regulated financial service businesses would have had business continuity plans, many of those plans would not have envisaged a pandemic causing a lockdown of work places of the nature which we are now experiencing. Revisiting BCP plans, business risk assessments and outsourcing arrangements should be an immediate and ongoing priority for wealth management businesses.
Focus on Response – information security breaches will inevitably occur at some point. COVID-19 may make detection and response more difficult for information security teams and competition for resource may be fierce, so securing access to appropriate help (including outside help if necessary) should be a priority.
Focus on Employees – as noted above, much of the risk in terms of information security will come from the behaviours of employees. Ensuring that the activities of employees are appropriately (and lawfully) monitored and managed should be a priority. Additionally, employee rest and wellbeing should be considered as an information security priority – better rested employees are arguably far less likely to make the kind of errors which lead to significant breaches. On a day-to-day basis, the focus for employees should be on ensuring that they understand their remote working tools and that they comply with information security measures in their remote working environment. These should include at the very least:
- Refraining from sending or copying information to personal devices wherever possible
- Maintaining a safe area for documents at home
- Trying to ensure that screens cannot be viewed by other family members
- Trying to make sure that telephone calls cannot be overheard
- Using appropriate encryption for transporting
Focus on Clients and Counterparties – making sure that clients are well informed about information security risk should be a priority. Obviously, wealth management businesses should ensure that they provide secure means of communication with clients and counterparties and secure ways of managing funds and investments. However, even the best security will be undone unless there is a focus on ensuring that clients understand how to (and are encouraged to) use them. There is a temptation to regard such issues as being for clients to figure out themselves – this is not a view that clients are likely to share if things go wrong.
Focus on the Future – when the pandemic is brought under control and lockdown ends, wealth management businesses (and their clients) may find themselves under a significant amount of pressure. The temptation may be to cut spending on activities regarded as “non core” – potentially including information security. Doing so may ultimately prove to be a false economy.