As the COVID-19 outbreak continues, investment advisory firms are shifting many employees to working outside the office.
Although working outside the office is nothing new for investment advisory representatives, in the attempt to slow the spread of COVID-19 many firms are requiring employees who may not be used to working from home to do so.
Having any individuals work remotely dramatically increases the risk of a compliance deficiency and/or a failure to properly protect the firm’s most sensitive data.
Among the necessary countermeasures, a firm must employ a program to manage the use of mobile devices. The program must specify which devices can be used for business purposes, and provide for the proper mobile device management application and training.
A mobile device management application will enable the capture of correspondence, supervision and security features.
Electronic communication, especially via mobile channels, has become the primary means of communication for many professionals.
Advisory firms are now using text messaging and other online forums to communicate among employees and with clients.
However, in 2020, mobile devices like smartphones and tablets have also replaced the role traditionally held by computers. For example, advisory employees may use a mobile device to access a firm’s client information or even reply to a client request via text.
Therefore, while investment advisers do their best to contain COVID-19 by working at home, the firm must be conscious of mobile devices used by all its employees.
The importance of approved devices has always been a foundation of a firm’s mobile device policy; however, it becomes even more vital as advisory employees who usually work primarily at the advisory office may now be working from home.
An advisory firm may have to buy and set up new devices for some of those newly working from home. For example, administrative assistants may not lack a company laptop, but a smartphone or tablet may assist their ability to accomplish advisory work remotely.
This is especially true if a firm’s incoming phone calls are being forwarded to remote individuals.
Firms that do not offer company devices may promote and adopt a bring your own device (BYOD) policy. A BYOD policy simply means the firm will allow the use of a personal mobile device (i.e., smartphone and/or tablet) to access firm files and data, which are often confidential.
Although this may seem an expedient answer during the COVID-19 crisis, it may create undue risk if the device is not managed by the firm.
Therefore, a firm must take immediate steps to employ a mobile device management (MDM) application to manage and supervise the mobile activities of newly home-based employees.
When addressing the subject of permitted devices, a firm must also ensure it has a program to accurately inventory and track the number of approved devices using the system; this would include any new devices added or ones no longer in use.
Mobile device management
A mobile device management application or program will most likely come pre-loaded on firm-owned devices. For employee-owned devices, such applications must be approved and usually added manually.
MDMs are the best tool for a firm’s compliance department to contain the risks associated with mobile devices used for business purposes.
For example, an MDM may enable archiving of messages or disable the use of apps such as iMessage, which cannot be archived.
Messaging and correspondence retention and the ability to ensure remote employees are using the proper channels are critical for remote working activities.
This is especially important as employees may be speaking and messaging each other concerning advisory business. Remote employees must be aware of the best ways to communicate, whether the firm has an approved instant messaging system or limits the communication to firm email accounts in an attempt to ensure compliance.
In addition, an MDM may play a major role in ensuring proper mobile device security. A recent Securities and Exchange Commission report identified MDMs as an industry practice and approach that can help manage and combat the cyber security risks associated with mobile devices.
An MDM may require high levels of authentication for access and frequent password changes. An MDM may also ensure current antivirus software is used. Mobile devices are at risk of becoming infected by and/or transmitting viruses, Trojans, worms and spyware (collectively, malware) just like desktop or laptop computers.
Lastly, the MDM may offer the ability to remotely clear data and content from a device that has been lost or compromised.
Even though advisory firms are currently dealing with the COVID-19 effects, it can be worthwhile to conduct training even during this difficult time.
Ideally, in the short term, training should review the approved devices for business communication and the steps to take if a new device needs to be used while working at home.
The training should also attempt to increase awareness of the types of risks and vulnerabilities that an employee might face, and what to do if a device is lost or stolen or a breach is detected during these turbulent times.
In addition, it is suggested to include an attestation of understanding when it comes to mobile-device adviser policies.