Federal and state regulators warn of increased cybersecurity threats due to the novel coronavirus (COVID-19) crisis and underscore the necessity of heightened information security measures as companies require their workforces to report virtually. On March 10, 2020, the New York Department of Financial Services ("NYDFS"), which regulates financial services companies, specifically asked virtual currency businesses to provide assurances of their plans to address and respond to COVID-19, including cybersecurity-related risks such as the security of remote work and remote access; potential increase of cyberattacks and fraud; and the readiness of third-party service providers and suppliers.
While the Securities and Exchange Commission (“SEC” or “Commission”) ordered conditional relief for publicly traded companies affected by the COVID-19 pandemic by permitting an additional 45 days to file disclosure reports, SEC Chairman Jay Clayton noted that companies should “provide investors with insight regarding their assessment of, and plans for addressing material risks to their business and operations resulting from the coronavirus … to keep investors and markets informed of material developments.” Public companies should ensure that their risk factor disclosures related to COVID-19 are specific to the company’s business and refrain from boilerplate language. Cybersecurity risk factors related to the COVID-19 pandemic include the disruption to the company’s business operation due to employees working from home and the increased threat of a cyberattack due to the remote working environment.
Companies will likely experience an increase in phishing attacks using purported news or expertise on COVID-19 in order to induce employees to click on hyperlinks or attachments infected with malware. While information technology staff must focus on supporting remote work as opposed to information security initiatives, they must also monitor systems' security. The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) warns that cybercriminals will take advantage of this environment to launch attacks which will further disrupt operations.
Upon deploying a remote workforce, companies should immediately:
- Alert employees of the likely uptick of phishing attempts and encourage employees to report phishing emails;
- Identify a method to contact all employees outside of using the company system in the event the company is a victim of a cyberattack;
- Implement or update virtual private networks (“VPNs”) to ensure that internet traffic is properly encrypted and encourage employees not to use public or insecure home networks without a VPN connection;
- Advise employees not to download or transfer company information to personal devices, email accounts or third-party cloud storage;
- Issue multifactor authentication (“MFA”) tokens to employees if not already in place;
- Train employees on good cyber hygiene, to use additional care with confidential information, and to conduct all company business on company-issued devices.
In addition, companies should prepare to manage a data security incident remotely:
- Review and update security incident response plan to address the management of a security incident remotely;
- Confirm preferred third-party forensic investigation firm, legal counsel and notification vendors have resources available to assist in the event of an incident;
- Establish an internal response team to respond to the loss of access to the company information system, and guarantee the team has hard copies of the plans in the event that it cannot be accessed electronically;
- Evaluate the company’s contractual and regulatory notification obligations in the event of a security incident and the contractual obligations of critical third-party service providers;
- Contact CISA to report incidents, phishing, malware, and other cybersecurity concerns;
- Review and confirm cyber liability insurance coverage.
Further, companies should anticipate potential regulatory scrutiny of cybersecurity plans and update current information security policies to include established guidelines on remote access to company information systems, test the limitations of the VPN to prepare for increased usage, continue the performance of regular penetration tests, and document all guidance and training issued to employees regarding secure remote work practices.