Proofpoint: Security Considerations for Financial Services During the Covid-19 Pandemic

(The blog post was originally published on March 26, 2020 by our partner, Proofpoint on their page)

Credit markets are zero bound and equity markets stumbled into a technical bear market. This volatility is creating inefficiencies not only in monetary policy and market information uncertainty but also in financial services operational response and threat exposure.

Cybercriminals are leveraging this global uncertainty. Our threat intelligence team is seeing the cumulative volume of coronavirus-related email lures representing the greatest collection of attack types united by a single theme that they have seen in years, if not ever. Several considerations financial services firms should make now and, in the future, are contending with elevated business email compromise (BEC) periods, work from home scenarios and business continuity planning (BCP).

Market-Moving [Mis-] Information

Market-Moving [Mis-] Information can cause markets to swing on speculation, as demonstrated by the multiple market halts over the past couple weeks. In volatile periods attackers can introduce purposeful market manipulation with regard to pandemics from reports of false hopes for pump-and-dump schemes on small pharma stocks to exaggerated death rates in economically volatile countries to conspiracy theories on ulterior cause and/or motives of this outbreak. Motivations for market-moving events will also vary from purely monetary gain to economic disruption of a nation-state adversary.

Business Email Compromise

As information shock transmission takes place, communications and information transparency gets worse. Amidst rising times of confusion, cybercriminal activity increases. We are seeing the continued success of BEC in financial services and the pandemic offers a great vehicle for compromise. 

Work from home

Two areas specifically with work from home scenarios are dealing with non-critical personal and with highly regulated and infrastructure-heavy groups such as advisors and traders. Beyond internet capacity issues, firms need to ensure any local or cloud email, collaboration and productivity suites that will be going over personal and unsecured lines or lackluster VPNs have higher-order levels of protection. 

More unique situations exist for traders, as an example, where having the right infrastructure to deal with remote business is being questioned should quarantining come to it. Capabilities have improved such as web-based Bloomberg terminals and trade order and execution management systems.

Italy provides us the best backdrop to contend with a mass quarantine scenario. Much of Italy’s trading rooms are working remotely in the Lombardy region. This is a complicated situation being navigated as regulators must offer flexibility and liquidity could be hampered without full trading operations should markets react more violently.

Other groups that we typically see as susceptible, which work from home arrangements will also test, are those dealing with sensitive proprietary or non-public information. Namely analyst and investment banking groups dealing with research and pending M&A transaction information.

Further, once remote, supervision can be compromised opening the door for potential risks. Do banks have recorded communication compliance capabilities in these scenarios? This would also extend to wealth advisors and brokers. 

BCP

Lastly, the virus is pressing firms to ramp up their BCP plans. Financial markets have drastically improved their capabilities since 9/11, other influenza outbreaks (swine and avian), SARS and ongoing compliance measure requirements. The FCA has issued a Statement on Covid-19 (coronavirus) for example highlighting its expectations firms are prepared. The question arises as to how business continuity planning will have to change going forward to address the scenarios discussed above as well as others.

As this event has given us a new unprecedented new planning scenario, there is not a clear-cut answer right now as to exactly how planning will change. However, much like the guaranteed changes to come from financial services regulators, in the supply chain, fiscal and public safety response, we will see cybersecurity measures change as well.