When Zoom became a must-have application during COVID-19, it created a weighty compliance concern for law firms and financial firms.
The lightning adoption speed of the video conferencing platform uncovered privacy and security issues and opened up potential pathways for fraudsters into secure networks.
The problems surfaced with a series of disturbing attacks: videos planted in classrooms and office meetings as online pranks, involving crude racist and pornographic video streams, the digital graffiti of the hacker world.
Firms struggling to keep operating in an era of social distancing and work-from-home operations have many choices for video conferencing applications. But Zoom’s sudden 200-million person user base, compared to 10 million before the pandemic, makes it hard to ignore. And every cloud-based online teleconferencing service can have similar basic vulnerabilities. Like all cloud-based applications they are ‘self-service’ technologies that require configuration and proper training to assure security.
Everyday pieces of software often have millions of lines of code, and each piece must fall into place at the right time to synch up securely. Multiply the problem by orders of magnitude when thousands of workers head to home-based systems. “Technology and information security may not be as strong in work-from-home environments as in office settings, and the risk of exposure of sensitive information may be greater,” said ACA Compliance in a recent blog.
The concerns are heightened in “heavily regulated industries like financial services, where the mantra has been to disable or prohibit access to some of the tools and features that were perceived to be risky or too expensive to govern,” said Robert Cruz of risk and compliance consultant Smarsh. “The current health situation has altered that equation.” Survival, at the moment, means adaptation. And even in the long run, staying relevant and connected requires rapid risk assessments; that is the lesson of COVID-19. Firms cannot calculate every possible risk for every situation but must focus on top-level concerns.
Key risk/reward scenarios to be mindful of
Here are five risk/reward scenarios that virtually every firm (financial firms in particular) will encounter:
1. The remote, connected world always is most stressed at the gateways, and compliance must focus on the critical links — Even in normal times, third parties pose a challenge. The Zoom case shows what can happen in times of dramatic change. Improper passwords and screening allowed unauthorised use. Zoom itself said in last year’s SEC filing, “The experience of our users depends upon the interoperability of our platform across devices, operating systems and third-party applications that we do not control.” FEMA has long warned “There is no one ‘silver bullet’ to solve the interoperability challenge.” This applies not only to new software applications but to every vendor and outside relationship. But prioritise. The focus should be on the firm’s most valuable assets and critical infrastructure.
2. Business continuity plans were not created with COVID-19 in mind, and are for reference, not for the rules of the road — Among the perils in disruptive times are “rule followers” who ignore present conditions. Business continuity plans were put in place to provide resiliency and protection, not to handcuff firms facing a crisis. Besides, as a top Securities and Exchange Commission official told a group of compliance professionals, “No one’s BCP plan is working well right now.” The SEC is looking at how well firms implement their BCPs, but firms will also need to improvise. The Financial Industry Regulatory Authority said coronavirus plans “should be sufficiently flexible to address a wide range of possible effects.” Some firms will find that cyber defense plans, with their focus on “data in motion” and serial risk assessments, may be more relevant than continuity plans in which backup systems were the focus.
3. It is the best of times and the worst of times for free applications — and compliance must ride herd on rogue installations — Technology staff will be hard to reach, and early adopters inside firms will be quick to offer helpful advice to co-workers. But work-at-homers should be warned against free stuff — even from co-workers or helpful tech staff, who tend to like experimenting. The applications might work wonders on the standalone desktop but wreak havoc on the network. There are reasons, however, to jump onto some new solutions, and even established tech players are offering free software. But all must be vetted. “The growing mass market adoption of these technologies will drive an even more rigorous due diligence process to win over the more risk averse and conservative firms but also expose firms to security and privacy concerns.”
4. Bad news and serious complaints to helplines and offices must travel upward, but compliance should mind the gaps and the quiet spots — Keep lines of communication open, especially help desks, internal and external. Just as important, update surveillance search terms for COVID-19 matters and filter out routine noise. The stress factors may bring out the worst in workers, and tempers will flare, but there is no “hierarchy of problems,” and support staff and administrative aides can be as valuable as a division executive in identifying new threats. The office not heard from, the reports not filed, or the operations manager who is too fast with the answers all provide clues. Trust will be vital. The goal is to have 100% staff buy-in for resilient compliance — but stay in touch. Messages of positive cultural value could be restorative for workers facing the hardship of isolation.
5. Watch out for killer data, in all of its forms, during the COVID-19 pandemic — This is the last-but-not-least risk vector. Finance runs on information, and no event in modern history has generated as much data as the COVID-19 coronavirus. Regulators are watching. The SEC made alternative data an examination priority, and firms must know whether that vaccine breakthrough came from non-public information. Was it obtained by crashing a pharmaceutical team briefing government officials? The everyday use of webinars has already led to leaks and exploits.
Firms that manage will be out front and better prepared when life returns to normal, or for the black swan next time. Looking at the data portion alone, the lessons learned now will apply in the future as alternative sources and new technology applications spew vast amounts of data that only artificial intelligence applications can handle. “A rapid transformation to a suddenly remote workforce entails adjustments in management processes, measurement systems, operational and cost analyses,” said Cruz.
In the past, firms have repeatedly shunned risky innovations and regulators have raised red flags. Fintech has gradually changed the industry; working remotely changes the equation even more, Cruz added. “The tide has turned rapidly in the past few weeks.”
The author of this article is Richard Satran, Financial Journalist, Thomson Reuters Regulatory Intelligence. Richard’s article first appeared over at Answers On, the Thomson Reuters publication.