Many firms are underprepared for the scenario of managing their entire workforce remotely, or for the increased cybersecurity risks that come along with that, experts say. And data security compliance is one area regulators are unlikely to ease up on.
A growing number of private equity firms are sending staff home to work remotely in response to the covid-19 outbreak. But most companies’ remote working capabilities haven’t been tested for large-scale prolonged use.
“Most firms are not geared up for this,” said James Tedman, partner at ACA Aponix, a technology and cybersecurity services provider. “The majority of these systems are created to allow people to work remotely over weekends or in the evenings. They’re not necessarily designed for staff to work from home for an extended period of time.”
One of the key security risks associated with working remotely is data loss, which can be mitigated by using remote desktop solutions or a corporate VPN, said Tedman. But firms that do not have the appropriate measures in place will need to remain vigilant about staff accessing and sending sensitive deal and portfolio data through personal devices and accounts in order to carry out their work, especially in light of the EU’s General Data Protection Regulation.
“Under GDPR, when individuals are working remotely, they need to make sure that appropriate security measures are in place to protect that data,” said Goodwin Procter associate Curtis McCluskey. “Given the wake of coronavirus, companies will be expected to make sure that their remote working policies are up to scratch to comply with those GDPR obligations around security.”
Regardless of the potential severity of the pandemic, regulatory bodies look unlikely to ease compliance rules in the short term. US self-regulatory organization FINRA put out guidance on March 9 warning that the “risk of cyber events” can spike when firms increase their “use of remote offices or telework arrangements,” and advised vigilance.
UK regulator the Financial Conduct Authority has already issued a statement to say that, amid any disruption caused by coronavirus, it still expects firms to “take all reasonable steps to meet their regulatory obligations,” making specific reference to firms with staff working from home.
For firms that don’t already have the relevant infrastructure in place, it will take time to implement the necessary provisions to allow all employees to work remotely in a secure way. But it is vital in these instances that firms continue to prioritize cybersecurity, even where it may restrict day-to-day working. Michael Asher, CIO at cybersecurity provider RFA, advises that firms take a “least-privileged access” approach, limiting access to corporate systems only to individuals and devices that have been explicitly granted permission to them.
“We’re advising that everyone follow best practices and enable least-privileged access methodology to make sure that, even if it’s critical and time-sensitive, they don’t provide access to everyone.”
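The least-privileged access approach described above can be expressed as a deny-by-default policy: a request reaches a corporate system only when both the individual and the device carry an explicit, unexpired grant for that system, and emergency access is granted narrowly and with an expiry rather than to everyone. The following Python is an added illustration written for this page, not code from RFA, ACA Aponix or any firm quoted in the article; the users, devices, systems and grants in it are constructed sample data.

```python
"""Deny-by-default access evaluation for a least-privileged remote access model.

Added example (not from the article or any vendor quoted in it). All names,
systems, devices and timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    principal: str      # user or device identifier
    system: str         # corporate system the grant covers
    expires: datetime   # every grant is time-limited; no open-ended access


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: str
    system: str
    at: datetime        # time of the request, checked against grant expiry


class LeastPrivilegePolicy:
    """Allows a request only when user AND device each hold a valid grant."""

    def __init__(self, grants):
        self._grants = {(g.principal, g.system): g for g in grants}
        self.audit = []  # denial reasons, suitable for feeding a SIEM

    def _has_grant(self, principal, system, at):
        g = self._grants.get((principal, system))
        return g is not None and at < g.expires

    def grant_temporary(self, principal, system, now, hours=4):
        """Time-boxed grant for a critical, time-sensitive need (constructed default)."""
        self._grants[(principal, system)] = Grant(principal, system, now + timedelta(hours=hours))

    def evaluate(self, req):
        """Return (allowed, reason); anything not explicitly granted is denied."""
        if not self._has_grant(req.user, req.system, req.at):
            reason = f"user {req.user} has no valid grant for {req.system}"
        elif not self._has_grant(req.device, req.system, req.at):
            reason = f"device {req.device} has no valid grant for {req.system}"
        else:
            return True, "explicit, unexpired grants present for user and device"
        self.audit.append(f"DENY {req.at.isoformat()} {req.user}@{req.device} -> {req.system}: {reason}")
        return False, reason


# Constructed reference time and sample grants (not real accounts or systems).
NOW = datetime(2020, 3, 16, 9, 0)


def sample_policy():
    month = NOW + timedelta(days=30)
    return LeastPrivilegePolicy([
        Grant("alice", "deal-room", month),
        Grant("laptop-001", "deal-room", month),     # managed corporate laptop
        Grant("bob", "deal-room", NOW - timedelta(days=1)),  # expired grant
        Grant("laptop-002", "deal-room", month),
    ])


def evaluate_sample_requests():
    """Run constructed requests through the policy; returns {label: allowed}."""
    policy = sample_policy()
    requests = {
        "alice_managed_laptop": AccessRequest("alice", "laptop-001", "deal-room", NOW),
        "alice_personal_phone": AccessRequest("alice", "personal-phone", "deal-room", NOW),
        "bob_expired_grant": AccessRequest("bob", "laptop-002", "deal-room", NOW),
        "alice_ungranted_system": AccessRequest("alice", "laptop-001", "portfolio-db", NOW),
    }
    results = {label: policy.evaluate(r)[0] for label, r in requests.items()}

    # Time-sensitive need: grant narrowly (one user, one device, a few hours),
    # not blanket access for everyone.
    policy.grant_temporary("alice", "portfolio-db", NOW)
    policy.grant_temporary("laptop-001", "portfolio-db", NOW)
    results["alice_temporary_grant"] = policy.evaluate(
        AccessRequest("alice", "laptop-001", "portfolio-db", NOW + timedelta(hours=1)))[0]
    results["alice_temporary_grant_lapsed"] = policy.evaluate(
        AccessRequest("alice", "laptop-001", "portfolio-db", NOW + timedelta(hours=5)))[0]
    results["denials_logged"] = len(policy.audit)
    return results


if __name__ == "__main__":
    for label, allowed in evaluate_sample_requests().items():
        print(f"{label}: {allowed}")
```

The point of the two checks is that a valid user on an unmanaged personal device is still denied, which is the data-loss path the article highlights; every denial is recorded so that a spike in denied remote requests is visible to whoever monitors access during the transition.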