In response to the broad and varied effects of COVID-19, SEC registrants have faced new operational, technological, commercial, and other challenges and issues. Due to the pandemic, many Firms have shifted to predominantly operating from remote sites, and these transitions may raise compliance issues and other risks that could impact protracted remote operations.
In a recent risk alert, the OCIE has identified a number of COVID-19-related issues, risks, and practices relevant to SEC-registered firms.
In particular, Firms should assess their policies and procedures and consider their ability to operate critical business functions during emergency events.
What does this mean for regulated financial firms?
- Supervisory and compliance policies and procedures may need to be modified or enhanced to address some of the unique risks and conflicts of interest present in remote operations.
- Review continuity plans to address the challenges of remote work and make changes to compliance policies and procedures.
- Be aware that video conferencing may create vulnerabilities around the potential loss of sensitive information.
- Pay particular attention to the risks regarding access to systems, investor data protection, and cybersecurity.
- Conduct heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations.
- Use validated encryption technologies to protect communications and data stored on all devices, including personally owned devices.
- Ensure that remote access servers are secured effectively and kept fully patched.
- Use a VPN for secure access.
- Enhance system access security, such as requiring the use of multi-factor authentication (MFA).
- Address new or additional cyber-related issues related to third parties, which may also be operating remotely when accessing Firms’ systems.
- Step up phishing training and testing to improve awareness around phishing attacks.
- Make sure all anti-malware is up to date and all desktops are patched.
- Review the need for new hardware to work from home effectively and securely.
- Make sure your calls are private and your computer isn’t accessible to the rest of the family. Letting people access the company’s file share from a home PC or Mac that has weak security puts the entire firm at risk.
- Install remote 24x7x365 security and device monitoring.
Unsure if your firm is SEC compliant?
Read the full alert here: https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf