INSIGHT: SEC Expects Key Safety Steps for Remote Workforce

Sept. 14, 2020, 8:00 AM UTC

The early days of the coronavirus pandemic presented a unique challenge for financial firms and professionals, requiring rapid transition to a fully remote work environment while guarding against an onslaught of compliance risks caused by the pandemic and related market events.

Now that the initial pandemic response has settled into an ongoing state of operations, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has alerted industry members—specifically registered broker-dealers and investment advisers—of some key observations and recommendations regarding these pandemic-related risks.

OCIE’s alert identifies several thematic concerns, consisting mainly of ordinary-course challenges that have been exacerbated by the remote-work environment and pandemic-related market volatility.

Safeguarding Investor Assets and Combating Financial Stressors

The paramount regulatory concern for investment firms and professionals is protecting investor assets. OCIE stresses the need to review procedures for handling investor checks and making related disclosures to investors about any potential delays, especially if the pandemic has disrupted a firm’s mail processing.

OCIE also cautions that firms should be attentive to any unusual or unscheduled withdrawal activity and consider implementing additional safeguards around identity validation and alternative, trusted contacts for vulnerable classes of investors, including the elderly.

Beyond protecting investor assets, OCIE also reminds firms of the need to control against improper incentives created by decreased economic activity, including professionals making unnecessary recommendations for account and product transfers, and seeking loans from investors.

OCIE also recommends that firms enhance their due diligence of potentially fraudulent offerings, including those touting pandemic-related products or offerings.

Supervising Personnel and Continuity of Operations

While the operational challenges of remote-only work are not unique to the financial services industry, investment firms face the additional challenge of fulfilling their regulatory mandate to supervise their regulated personnel, no matter where they sit.

OCIE’s concerns include monitoring activity in products especially vulnerable to market activity, such as oil-linked products; limitations on diligence related to third-party managers, investments, and holding companies; and required vetting of new personnel at the firm.

The functioning of a firm’s business continuity plan is one of the more obvious takeaways from the past six months, and OCIE encourages firms to review how their operations during the pandemic may necessitate changes to their plan, including whether certain personnel have had to assume additional duties outside their normal responsibilities and if the firm’s facilities and technology have weathered the demands of the remote environment.

Data Security and Protection

With this new, remote-only mode of operation likely to last beyond the pandemic, OCIE recommends that SEC registrants assess their information security programs to address risks specific to working remotely: (1) remote access and the use of web-based applications; (2) increased use of personally owned devices; (3) changes in control over physical documents; and (4) increased opportunities for phishing and social engineering.

Firms should consider certain measures as they conduct their reviews and consider potential enhancements to their information security practices:

  1. Identity protection. Firms should remind investors to contact them directly by telephone at a known and trusted number to report any suspicious activity. For their part, firms should review and enhance their wire transfer/disbursement policies and procedures with additional measures to validate the individual’s identity, accuracy of information provided, and authorization to make the request. Firms may also want to consider whether any internal authorization requires multiple approvals and validation by telephone to a previously established, trusted number.
  2. Access rights. Review firm personnel’s access rights and controls. Firms may want to specifically consider whether they have applied the principle of least-privilege access, updated to reflect changed roles and responsibilities over the past few months. Firms may also want to consider whether existing logging is sufficient to capture privileged access to sensitive data and whether existing monitoring provides real-time, actionable alerts.
  3. Encryption. Use validated encryption techniques aligned with NIST or other industry-recognized standards to protect communications and data at rest, including on personally owned devices.
  4. Patch management. Ensure remote access servers are secured and maintained as fully patched. Firms may want to consider whether they are effectively scanning for vulnerabilities and following patch management schedules and that any risk-rated framework for prioritizing vulnerabilities for remediation is appropriate to current operating conditions.
  5. Multifactor authentication. OCIE specifically recommends enhancing system access security, including by requiring the use of multifactor authentication.
  6. Third-party oversight. Firms may want to review relevant contractual language or information security exhibits to verify third-party cybersecurity and their contractual rights to issue supplemental vendor security questionnaires. Firms may want to confirm that any open remediation items from prior due diligence exercises have been addressed and resolved.
  7. Training. OCIE recommends firms provide supplemental training and reminders that address risks specific to working from home or new practices driven by working-from-home arrangements. These may include anti-phishing training, cautioning against the use of web-based applications to share information if unsecured, promoting the use of encryption, and reinforcing the importance of secure disposal of physical records at remote locations.

Compliance Needs Remain Constant

Looking back on the many unforeseen changes over the past six months, and ahead to the unknowns for the remainder of 2020, OCIE’s alert provides a timely reminder for investment firms to fully assess their responses to the pandemic and ensure they have been meaningfully integrated into the firm’s overall compliance procedures.

Firms should remain vigilant that any iterative changes or adaptations made in response to the pandemic are consistent with their supervisory system, and ensure that they are adequately documenting these changes for future exams and regulatory reviews.

While some procedural missteps or lapses in the early days of the pandemic could potentially be forgiven with the benefit of hindsight, OCIE’s alert reminds firms that today, ordinary-course compliance processes should be vetted to ensure conformity with the extraordinary-course reality imposed by the pandemic.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Tim Foley is counsel at Alston & Bird LLP in Washington, D.C., in the firm’s Financial Services & Products Group. He advises broker-dealers and other financial institutions in regulatory compliance and enforcement matters involving the SEC, FINRA, self-regulatory (SRO) agencies and state and foreign regulatory agencies.

Katherine Doty Hanniford is a senior associate at Alston & Bird LLP in Washington, D.C., and a member of the firm’s Technology & Privacy and Cybersecurity Preparedness & Response teams. She focuses her practice on cybersecurity and privacy compliance and enforcement.
