Defending against COVID-19: the unforeseen risks

Financial institutions are well equipped and prepared in crisis management. However, it is safe to say that what countries around the globe are experiencing is nothing like what was ever anticipated. Now more than ever business continuity plans and procedures are critical.

Since February, BAE Systems Applied Intelligence’s Threat Intelligence team has tracked numerous threat actors across the globe ramping up their attempts to steal data and secure information from institutions across the globe through phishing attempts via email. These attempts made users believe they were receiving the latest information from the Center for Disease Control (CDC) or the World Health Organisation (WHO) rather; they were just an attempt to transmit malware and prey on vulnerabilities. These attempts could get bolder and will last as long as the need for information around COVID-19 exists.

Defending against COVID-19: The unforeseen risks.

In light of this new reality, leaders and managers may find themselves in a response management mode that is unfamiliar. The situation may cause them to pivot from their traditional leadership roles to the role of command and control.

There are a number of action items that can be considered immediately to address the newfound reality we are all facing:

Cybersecurity

Bad actors thrive in crisis situations and feed on the vulnerability of populations and companies. Financial institutions must ensure that cyber protection protocols are followed and adhered to as employees migrate from centralised work locations to remote work locations. Such work conditions require additional layers of security around data. Be it authentication levels, corporate devices safeguarded already or setting up new hardware for employees to use, ensuring the protection of company data will reap rewards later on.

As work from home (WFH) becomes widespread for institutions, virtual meeting platforms will be utilised more than ever before. This will lead to loopholes in most of our infrastructure and perhaps more exposure. Security protocols should be followed with special attention on guests that have dialed in. As can be seen with all these suggestions, the proper training must be in place for employees to understand what correct procedures are and how they may uphold them.

Provide staff with updates on observations or investigations resulting from the crises that may result in the requirement to file a suspicious activity report (SAR).

Lastly, special attention should be given to internal surveillance of emails and other communication that could place people and the financial institution at risk.

Communication

Identify specific official messaging for internal policies and disseminate immediately and regularly. Establish a hotline, both phone, and email, with a 24/7 response system. A primary aspect of any pandemic plan will be to educate employees on the necessary precautions set out by the WHO or your government’s ruling body and institute necessary travel restrictions and workplace precautionary methods. Additionally, establish employee assistance programs (EAPs) including psychological services and financial counseling. Diverse religious clergy are a valuable component of the support system.

The second line of communication is to empower employees with the knowledge of procedures for business continuity, for security, and for their own peace of mind. Provide internal timely official updates to ensure complete and comprehensive awareness of the actions that are being taken. Constant status information is critical for effective management – if anything, over communicate to remove any doubt or assumptions and combat misinformation.

Vendors and customers

Contact your existing vendors and understand their capabilities to respond and help with technology or human problems as you encounter them. Remember, the vendors are also in crisis management mode operations.

Pay particular attention to the changes in customer identification program (CIP), beneficial ownership elements of the KYC program. Are the changes frequent? Are they significant – like a move from Florida to Maine? Even the smallest email and cell phone change should be watched at this time.

Compliance

Manage the crisis with sensitivity for Health Insurance Portability and Accountability (HIPAA), National Incident Management System (NIMS) and the General Data Protection Regulation  (GDPR) and other privacy issues.

Third parties

Identify external resources and government entities that can provide assistance with tasks and needs that are beyond the capability of the financial institutions’ staff or fixed resources. Establishing a law enforcement liaison to maintain communication with local authorities during a crisis eases communication for the entire organisation and allows for greater transparency for the actions of the day.

These crises like other global crises will eventually abate and pass. Financial institutions should conduct a post-crisis critical incident debriefing and be ready to adopt organisational and cultural change in reflection of the experience.