In the registered investment adviser ("RIA") community, COVID-19 has raised more than public health concerns. With the number of states issuing stay-at-home orders to help slow the spread of coronavirus, many investment advisory firms have shifted to a work from home model. Cloud-based software provides the ability to continue running a business in the event of an emergency by allowing access to critical company systems from any location, but working remotely also creates a new set of considerations around issues like cybersecurity. With the switch to remote work, many RIA firms have seen a significant increase in attempted cyber criminal activity.
Increase in Phishing Email Attacks and Scams
Given the sensitive client information that RIA firms have access to, advisory firms are a prime target for targeted phishing attacks. It is imperative that firms train all staff to identify a phishing email in order to protect sensitive internal information and client data. During turbulent times, firms are at an increased risk of cyber attacks and of systems being compromised. The use of remote offices and heightened anxiety among employees may make RIA firm employees particularly vulnerable to email phishing attacks.
In particular, there are a number of targeted phishing attacks taking place presently that attempt to exploit the coronavirus disruption by encouraging advisory firm staff members to click on or respond to emails associated with the epidemic. For example, bad actors may target individual staff members with emails related to state or federal work from home updates, changes to healthcare benefits, changes in information security policy related to working from home, software that must be installed on computers in order to work from home, the latest epidemic statistics, or even discounted offers on hand sanitizer or other items in short supply.
It is imperative for firms to remain vigilant against cyber attacks and take steps to reduce the risk. We recommend firms pay close attention to the following when it comes to emails:
- Don't trust the sender display name
- Don't click on links contained within an email
- Check for grammatical and spelling errors
- Don't download any attachments
- Don't fall for urgent and action item subject lines
- No personal information should be sent via email
- Most important of all - If a mistake is made with such an email, ensure that staff is trained and comfortable immediately reporting the incident in order to contain and mitigate the potential damage.
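The checklist above, turned into triage heuristics that a mail gateway or help-desk script could run over a reported message (an added example, not code from the article; the firm name, firm domain and sample message are constructed placeholders):

```python
"""Phishing-indicator triage for the email checklist above.
Added example, not from the original article: scores a raw RFC 822 message
against the listed indicators. Firm name, domain and SAMPLE are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

FIRM_NAME, FIRM_DOMAIN = "example ria", "example-ria.com"  # assumed placeholders
URGENT = re.compile(r"\b(urgent|immediately|action required|asap)\b", re.I)
LURE = re.compile(r"\b(covid|coronavirus|work from home|stay at home|sanitizer)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(text):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    return (urlparse(text if "://" in text else "//" + text).hostname or "").lower()

def triage(raw):
    """Return the checklist indicators that fire for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hits = []
    # Display name claims the firm, but the real address is on an external domain.
    if FIRM_NAME in name.lower() and not addr.lower().endswith("@" + FIRM_DOMAIN):
        hits.append("display-name-spoof")
    # Visible link text names one host while the href points somewhere else.
    pairs = [(h, l.strip()) for h, l in ANCHOR.findall(text)]
    if any("." in l and " " not in l and _host(l) != _host(h) for h, l in pairs):
        hits.append("link-text-mismatch")
    if any(True for _ in msg.iter_attachments()):  # empty for single-part mail
        hits.append("attachment")
    if URGENT.search(subject):
        hits.append("urgent-subject")
    if LURE.search(subject + " " + text):
        hits.append("covid-lure")
    return hits

# Constructed sample mimicking the "software required to work from home" lure.
SAMPLE = """\
From: "Example RIA IT Helpdesk" <helpdesk@mail-secure-login.net>
To: advisor@example-ria.com
Subject: URGENT: install the COVID-19 work from home VPN client today
Content-Type: text/html; charset="utf-8"

<p>Per the stay at home order, install the client from
<a href="http://portal.mail-secure-login.net/vpn">vpn.example-ria.com</a>.</p>
"""
```

A message that fires several indicators is worth a call to the help desk before anyone acts on it; the heuristics are deliberately simple and miss plenty, so they supplement staff training rather than replace it.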
Secure Internet Connections
Staff should be instructed to access the internet only from secure WiFi connections or via a virtual private network ("VPN"). Employees should avoid public WiFi networks, which expose sensitive information to man-in-the-middle attacks: a malicious actor on the same network can intercept information transferred over an insecure internet connection.
Tracking Employee Devices Used to Conduct Business While Working Remotely
It is more important than ever for advisory firms to ensure that they have a full device inventory of all systems that staff members are utilizing while working from home. If staff members are utilizing their own devices to conduct work, there may be a number of new information security issues for RIA firms to consider. Policies and procedures will likely need to be updated to address these potential challenges. In particular, employees should not store any sensitive, non-public information on non-company devices without the proper security protections.
Fraudulent Wire Requests
An RIA firm improperly sending a wire to an unauthorized third party posing as a client continues to be a growing threat. Unfortunately, criminals are targeting high and ultra-high-net-worth individuals more aggressively as they recognize that such individuals offer greater wire fraud opportunity. This realization, combined with increasing social engineering vulnerabilities, means that all RIA firms are likely to experience client email hacking incidents.
With the current market shake-up and uncertainties around COVID-19, we highly recommend that RIA firms be more vigilant than ever regarding client fund transfer requests. In particular, advisory firms should focus on ensuring that all standard wire authorization and confirmation procedures are followed by all staff members. With client impersonation schemes on the rise during the current coronavirus epidemic, bad actors are looking to exploit inaccessibility to phones, computers, etc. in an effort to deceive advisory firm staff members into not following standard confirmation protocols.
Given the immense business risk, we strongly recommend that all RIA firms take these immediate steps to help mitigate wire fraud risk:
- Educate clients on information security best practices
- Educate clients on the firm's wire confirmation procedures
- Retrain staff members on proper policies and procedures designed to mitigate wire fraud risk
- Regularly train all RIA firm staff members on the latest coronavirus-related threats
- Test wire fraud policies and procedures
Unfortunately, with the rapid shift to a remote workforce, previous cybersecurity-related policies and procedures may no longer be sufficient for many RIA firms. More so than ever, investment advisers are a prime target for email phishing and other related cybersecurity attacks. Furthermore, COVID-19-related email phishing attempts continue to grow more targeted and sophisticated. Investment advisory firms need to recognize the risk such attacks present and actively address these vulnerabilities by updating relevant policies and procedures and by conducting regular staff training.
The MyRIACompliance® cybersecurity platform empowers an RIA firm to efficiently construct, implement, and document a robust cybersecurity compliance program with a single solution. The platform is designed exclusively for RIA firms of all sizes who face unique people, technology, and third party vendor cybersecurity risks and regulatory requirements. The platform also includes special coronavirus-themed email phishing templates to better test and train RIA staff members while working remotely.
RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.