Ian McKenna: What will it take to scare firms into action?

Ian McKenna – Illustration by Dan Murrell

Every time I meet Brian Edelman, chief executive of FCI Cyber, I am petrified by what he tells me. But I am also reassured by the knowledge he shares, as I can act on it. I want to share some of these lessons here.

I was privileged to introduce him on a stream I was leading at the latest T3 conference in the US and I would urge you to also read my summary of his presentation at the T3 event before that, which covered important issues still very much valid for advice firms today.

This year, Edelman stressed further key issues crucial to protecting customers. While the Financial Conduct Authority is not currently as demanding as the US Securities and Exchange Commission when it comes to an adviser’s cyber security, I think it is a matter of when, not if, this will change. The industry must prepare now for more stringent regulations.

Perhaps the most significant message is that cyber criminals now recognise what a good target advice firms are. They hold valuable data and, by their smaller nature, are more vulnerable than larger organisations. They are being explicitly targeted for attack.

Edelman stressed the importance of using the cyber security settings you already have. Most systems have strong protections but people do not use them. Have you configured and applied all you can in your email software, for example?

The end connection to the customer is a frequent vulnerability and if this endpoint (tech speak for where the data ends up) is not secure, it undermines all the good things you might have done up until then.

Advisers must use either secure client portals (probably the best option) or encrypted email for client communications. I am amazed by the number of advisers still using webmail such as Yahoo and Gmail for their business email. As far back as 2008, the Financial Services Authority said in its Data Security in Financial Services paper that this was not secure enough.

Cyber is a community responsibility and, while the regulator will ultimately focus on what advisers do, platforms, asset managers, discretionary fund managers and insurers could do more to help them.

I have previously seen emails from providers responding to advisers using encrypted mail to send sensitive data asking them to submit the information unencrypted. This must stop.

There is also the problem of large corporates expecting all advisers to use the same encryption service as them. The price soon mounts up when obtaining licences for different systems at different organisations.

Aegon, Abrdn, HSBC, Lloyds (including Embark and Scottish Widows) and Royal London are some providers using Unipass Mailock, along with many smaller companies in the world of advice, such as SimplyBiz and Just. It’s important more look to join, as advisers will find working with this list of companies easier and less expensive.

Cyber security requires constant vigilance. A recent study found 70% of small businesses that suffer a large data loss close within a year and only 4% of advice firms have cyber insurance. It’s time to act.

Comments

  1. Any business that handles client data such as Financial Adviser firms should be proactive in ensuring they have their IT bases covered.

  2. Best hire/rent a high security library/access facility, then have files sent in encrypted ‘packets’…

    Personally, I would avoid US server based Co.s as these seem to be the most hacked etc…

    There are a few around, the delay is hardly noticeable… bit like reading the papers with a coffee to hand…
    Better still, and positioning wise, get a subaltern to do it all…
