Voices

Protecting your advisory firm from a data breach

Maintaining client data on someone else’s remote servers — in the cloud — seems like a good alternative to storing information on local hard drives.

But is cloud storage the most secure way to keep sensitive files away from hackers?

Undoubtedly, for large wealth management firms with big budgets and client bases, it makes sense. Most small money managers, however, can’t afford a sophisticated IT staff to guard key data, regardless of where or how it’s stored. And therein lies a huge cyber security problem.

Without proper IT oversight, even minor slips can lead to a firm’s fall. For example, employees may never change their passwords, or those passwords are easy to crack. Staff may access client data from laptops or other insecure devices over open Wi-Fi networks. Even leaving a laptop open in a coffee shop, or checking an account from a public computer, could create a major vulnerability.

ANYTHING’S A MAJOR VULNERABILITY

What’s a major vulnerability? Imagine everything from brokerage account numbers to passwords to addresses, family names, dates of birth, driver’s license numbers, mothers’ maiden names and social security numbers available to anyone and everyone in cyberspace.

And think of all the things a hacker can do with that information: steal a client’s identity, hold your firm’s data for ransom or simply drain funded accounts, not to mention old-fashioned, non-digital crimes such as home burglary or even kidnapping.

These kinds of risks arise whenever your data resides on someone else’s data systems — public, private or hybrid — housed somewhere, whether on a small off-site system or on one of the big ones: Salesforce’s servers, Amazon Web Services, VMware, or Microsoft’s Azure or 365.

Yes, your data may seem less at risk off-site — in the care of a tech behemoth with a known brand name — but its location creates a new set of security issues nowadays.

Consider: How secure is the cloud hosting company? How vetted are their employees? Are they adept enough to ward off a mini-bestiary of hacker tools, such as worms, Trojan horses, and viruses that can linger for months, perhaps years, in cloud systems?

What about the alphabet soup of DDoS (distributed denial-of-service) attacks, RFID (radio frequency identification) attacks and DRAM (dynamic random-access memory) attacks?

Kanner-Yvonne-Fiduciary Network

WHO IS LIABLE FOR BREACHES?

Perhaps the biggest issue for a planner, aside from the cyber attacks themselves, is determining who is liable in the event of a breach. The cloud service provider? Or the planner? The SEC is telling planners that they are responsible for overseeing the providers, and that is quite a heavy lift, especially for smaller firms, which may lack technology skills.

Then there are the regulatory contradictions. For instance, regulators ask that firms protect and keep private clients’ information. They also ask for a disaster recovery plan. Sounds reasonable, right? But access, business continuity, and privacy are not easy to manage together. It means that a small firm has to house data in multiple locations that they don’t fully control.

The only way to 100% guarantee the protection of the data from hackers is not to have it connected to the internet — keep it on-site. But then there are issues of physical security instead of cyber security, and, besides, it's just not realistic.

FIXING THE PROBLEM

A partial solution may be to stay off cloud systems, as much as possible.

Alternatively, if you have to use cloud-based solutions, at a minimum make sure you:

1) Review the contract with regulatory counsel.
2) Ensure you are comfortable with the provider’s privacy and confidentiality provisions.
3) Understand how the provider will notify you if your information has been breached (how quickly they are obligated to notify you, and by what means).
4) Know your provider’s insurance coverage and remediation plans for breaches.
5) Document in the agreement the process by which your data will be deleted in the event you decide to fire the provider (including the types of documentation the provider will deliver certifying that your data has been wiped from its servers).

Remember, once it becomes known that you have had a data breach, your entire business may already be destroyed. Who wants to work with a financial planner who has had a breach? It suggests the exact opposite of the trust that you seek to project.

Bottom line: for planners, it pays to educate yourself. Read the fine print, consider insurance and learn the best practices when it comes to client data security.
