Cybersecurity for Remote Workers: Keeping Financial Information Secure

The New York Department of Financial Services (NYDFS) has been proactive in responding to COVID-19 issues and released guidance on April 13 alerting covered entities to the significant increase of cyber incidents during COVID-19. The NYDFS requires all banks, insurance companies, and other financial services institutions and licensees regulated by DFS to have a robust cybersecurity program in place that is designed to protect consumers' private data, among other requirements. For regulated financial entities that must file with the NYDFS, the deadline for Certification of Compliance for calendar year 2019 had been extended from its original deadline of April 15, 2020 to June 1, 2020.

The NYDFS noted three heightened risks during COVID-19: 1) cyber criminals exploiting the physical shift to a remote working environment; 2) increased phishing and online fraud attempts; and 3) cybersecurity challenges from third party vendors who don't have adequate security measures. It's recommended that companies should implement features such as Multi-Factor Authentication and secure VPN connection to encrypt data in order to make remote access as secure as possible. Company employees are consistently identified as one of the main insider threats through which data from financial institutions or their clients are compromised. One of the main issues since the start of COVID-19 and working from home is the use of personal devices to conduct business as the devices typically lack security measures as company issued devices. According to NYDFS, businesses should be knowledgeable of the associated security risks and implement appropriate controls to mitigate those risks which may include updating current bring-your-own-device (BYOD) policies to cover mass remote working. For company issued devices, businesses should consider locking devices to prevent users from adding or deleting applications and installing appropriate security software, such as endpoint detection/response and mobile device management.

One issue that businesses have been grappling with during COVID-19 is processing financial payments outside of a secure work environment. As businesses have shifted their operations to a remote work force, businesses are facing security concerns as payment card information is now being processed outside secure work facilities and into employee homes. In order to process payment card information, most banks and major credit cards require businesses to comply with Payment Card Industry Data Security Standards (PCI DSS).

In response to COVID-19, the PCI Security Standards Council PCI SSC created a COVID-19 resource page on its website and uploaded resources and guidance reminding businesses of their PCI obligations. PCI DSS still applies during this public health emergency and businesses still need to maintain security practices to protect credit card holder data. For processing payments remotely, the PCI Security Standards Council (SSC) recommends businesses implement a security awareness program which emphasizes employee training on the business's security policies and procedures and have employees sign an acknowledgement form that they have received the training. It is a best practice to restrict physical access to media containing payment card data, such as call or screen recordings, as well as networking and communications hardware. If an employee must write down payment information on paper, then employees should understand that this information is sensitive and should be stored in a secure location. It should be shredded once it is no longer needed. Phishing emails more than quadrupled in March 2020 as hackers leveraged the outbreak to their advantage. As a result, all employees should be trained to be aware of potential phishing calls. In addition, businesses should also ensure that incident response plans are up-to-date and include how to respond to incidents from a remote work environment.

It is important for financial institutions to reassess their vulnerabilities in the current working environment, but the challenge is being able to assess those vulnerabilities while maintaining business continuity. Businesses need to consider where their data is stored on their systems and what technical controls they have in place to secure and safeguard the data. They should also consider the following:

• Perform a risk assessment test on your IT system to help identify potential vulnerabilities.
• Implement or update virtual private networks (VPNs) to ensure that internet traffic is properly encrypted and encourage employees not to use public or insecure home networks without a VPN connection.
• Advise employees not to download or transfer company information to personal devices, email accounts or third-party cloud storage.
• Issue multifactor authentication (MFA) tokens to employees if not already in place.
• Conduct online training for employees on data security, including how to report vulnerabilities or suspected data breaches.
• Update your security incident response plan to address the management of a cybersecurity incident remotely.
• Confirm cyber liability insurance coverage and review coverage for cybersecurity incidents.

*****

Ashley Thomas is an associate in the cybersecurity and privacy group at Morris, Manning & Martin LLP. She can be reached at [email protected] or at 202-971-4266.