What Financial Services need to consider when managing security through the Covid-19 (coronavirus) pandemic
Contributing: @checco John Checco, Financial Services CISO Advisor
Opinions expressed are solely my own and do not express the views or opinions of my employer.
Credit markets are zero bound and equity markets have stumbled into a bear market this week - the fastest ever. Volatility has returned in a big way. With it, inefficiencies have appeared, given a contagion drastically different from those previously dealt with. The market is seeing inefficiencies not only in monetary policy impacts on supply shocks and market information uncertainty, but also in financial services operational response and threat exposure. This presents a ripe opportunity for bad actors during global uncertainty. Several considerations financial services firms should weigh, now and in the future, are contending with misinformation, elevated business email compromise (BEC) periods, work-from-home scenarios and business continuity planning (BCP).
Market-Moving [Mis-] Information - Like other worldwide issues, "over-hyped and/or fake news" can cause markets to swing wildly on speculation, as demonstrated by the NYSE 15-minute "cool-down" Monday and again yesterday morning. Increasingly, we may see more purposeful market manipulation with regard to pandemics, from reports of false hopes for pump-and-dump schemes on small pharma stocks, to exaggerated death rates in economically volatile countries, to conspiracy theories on ulterior cause and/or motives of this outbreak. Motivations for market-moving events will also vary from purely monetary gain to economic disruption of a nation-state adversary. Tread lightly with the information received, as well as trade prudently until the market volatility subsides.
Business email compromise - As information shock transmission takes place, communications and information transparency get worse. Amid rising confusion, potential bad-actor activity increases. We are seeing the continued success of BEC in financial services, and the pandemic offers a great vehicle for compromise.
Work from home - Two areas specific to work-from-home scenarios are dealing with non-critical personnel and with highly regulated and infrastructure-heavy groups such as advisors and traders. Beyond the internet capacity issues that are being tested, firms need to ensure that any local or cloud email, collaboration and productivity suites that will be going over personal and unsecured lines or lackluster VPNs have higher-order levels of protection.
More unique situations exist for traders, as an example, where having the right infrastructure to deal with remote business is being questioned should quarantining come to it. Capabilities have improved, such as web-based Bloomberg terminal capabilities and trade order and execution management systems.
Italy provides us the best backdrop to contend with a mass quarantine scenario. Many of Italy's trading rooms in the Lombardy region are working remotely. This is a complicated situation to navigate: regulators must offer flexibility, and liquidity could be hampered without full trading operations should markets react more violently. Once remote, supervision can be compromised, opening the door for potential risks. Do banks have recorded communication compliance capabilities in these scenarios? This would also extend to wealth advisors and brokers.
BCP - Lastly, the virus is pressing firms to ramp up their BCP plans. Financial markets have drastically improved their capabilities since 9/11, other influenza outbreaks (swine and avian), SARS and ongoing compliance measure requirements. The FCA has issued a Statement on Covid-19 (coronavirus), for example, highlighting its expectation that firms are prepared. The question arises as to how business continuity planning will have to change going forward to address two of the scenarios discussed above as well as others.
As this event has given us a new, unprecedented planning scenario, there is not a clear-cut answer right now as to exactly how planning will change. However, much like the guaranteed changes to come from financial services regulators, in the supply chain, and in fiscal and public safety response, we will see cybersecurity measures change as well.
Please share your thoughts and other financial services examples and considerations the industry should weigh for immediate and future planning.
Former Tech & Cyber Senior IT Auditor, Assessor of IT, Cyber, Technology, & Data Privacy Controls, and now pivoting to founding cooperative of Health & Wellness Modalities
5 years
"Tread lightly with the information received, as well as trade prudently until the market volatility subsides." About protections, how do you see the security processes change (improve???) in the wake of remote connections and other process challenges in this pandemic?