Blog

Data Privacy and Protection – A Primer for Financial Services Firms

06-27-2018, 04:12   Blog   

Data privacy and protection has become a daily headline with everything from the latest data breaches at major institutions such as Equifax, to intentional exploitation of consumer information by Facebook. Around the globe, governments and regulatory organizations are reacting with more privacy requirements as companies struggle to find the balance between protecting confidential client information and providing both businesses and clients the ease of sharing information with legitimate parties.

Most companies provide a standard language privacy and data protection notice that is designed to meet regulatory requirements more than to educate clients about what a company does to protect their confidential information. As a concerned financial services firm, you will want to take that extra step to identify whatyou can do to protect confidential client information.

Here is a list of things you will want to consider adding to your data protection and privacy strategy:

  1. Secure Authenticated Computers and Mobile Devices

    Desktop and laptop computers, tablets and mobile phones provide efficiencies in conducting business, but all devices are vulnerable to attacks if not adequately protected with required complex passwords, malware/spyware, encryption and other sophisticated security measures. Using a device for email purposes only also creates a cybersecurity risk, as email is one of the most common ways that hackers use to access confidential client information through schemes such as phishing, ransomware and other illegal and unethical tactics.

    Recommended action: Require all home office employees, financial advisors and their office staff to use only secure, authenticated devices to conduct business. Every device used to conduct business (including email) should be monitored 24/7 with a rigorous check of the device as it connects to your systems and networks. This includes the strength and age of passwords used, whether the device’s critical software is up to date and how the device is accessing your systems and networks, to include a secure Wi-Fi or approved connection type. You will want to receive notifications when a device is not safe; this will allow you to take action to fix the problem or deny access to your systems and networks.

  2. Secure Systems & Networks and Ongoing Cybersecurity Risk Assessment

    Strong technical and administrative controls to secure internal systems and networks are core to the protection of confidential client information. Most firms employ a variety of basic technical and administrative controls that restrict access to only those individuals who need the systems and networks to do their job. Knowing what technical and administrative controls are needed for a specific company requires a detailed Cybersecurity Risk Assessment tailored to the company’s business model. It also requires implementation of controls and management of the systems and networks by qualified internal staff or a professional Managed Security Service Provider (MSSP). Equally important is oversight or “auditing” of the ongoing security functions performed by external MSSPs or internal staff to ensure that the technical and administrative controls are in place and working properly.

    Recommended action: Complete ongoing Cybersecurity Risk Assessments and enhance technical and administrative controls to address the key risks identified with your internal systems and networks. Consider using a professional MSSP to implement and manage your technical and administrative controls, which are continually evaluated to ensure industry requirements and best practices are followed. The MSSP should be “audited” by an external third party which verifies that its technical and administrative controls are in place and working properly.

    Securing internal systems and networks is critical, but the reality is that confidential client information is also sent, received, accessed and shared across many external networks through the Internet. In the financial services industry, clients demand easy access to their financial information using the Internet. The security risks of data aggregation (i.e., accumulated data from multiple sources or accounts shared with authorized users) are well documented by the Financial Industry Regulatory Authority (FINRA)1, the Consumer Financial Protection Bureau (CFPB)2, and the Securities Industry and Financial Markets Association (SIFMA)3. Most companies rely on a secure Application Programming Interface (API), Virtual Private Network (VPN), encryption or other types of secure connections to send, receive, access or share confidential client information with other companies. Those solutions are slow and unsafe because they are based on a broken security model and do not address the key security problem: the open Internet.

    Recommended action: Get “under the Dome,”™ which means you are moving off the open Internet. The Dome, offered by cleverDome, Inc., provides a global standard of trust where authenticated firms use a secure private network to send, receive, share and access confidential client information. Data is routed off of the open Internet and into a private network that requires authentication from every user and every device to access the Dome. Under the Dome, data is fractionalized, or split up into many pieces, and dispersed over multiple channels. The result is a private network that is safe, reliable and fast.

  3. Shore Up Third-Party Vendor Due Diligence

    Third-party vendors have become an essential part of providing software or services to the financial services industry, but these vendors lack regulation and minimum cybersecurity standards to protect confidential client information. B/Ds and RIAs are responsible for ensuring the vendors they use are adequately protecting confidential client information. This is a massive undertaking that financial services firms struggle with because it requires significant resources and expertise to properly evaluate cybersecurity protections in place at vendors. It is also an enormous burden to the vendors who must constantly respond to diverse and extensive due diligence requests they receive from their B/D and RIA clients. Both are hampered by the lack of common minimum cybersecurity standards.

    Recommended action: Utilize the third party vendor due diligence completed by cleverDome on all cleverDome Members. This means that any software or services vendor, custodian, B/D or RIA who sends, receives, shares or accesses confidential client information successfully completes the cleverDome due diligence process and satisfies minimum cybersecurity standards that meet and/or exceed requirements applicable to financial services firms. It also establishes the global standard of trust under the Dome™ because all cleverDome Members are known to each other and have satisfied the due diligence requirements before they are allowed to send, receive, share or access confidential client information.

  4. Provide Cybersecurity Awareness Training and Testing

    Utilizing secure devices, systems and networks are crucial components of a strong cybersecurity program, but technology tools alone are insufficient. Effective cybersecurity requires a human element. Approximately two-thirds of cybersecurity insurance claims were due to human error (i.e., employees falling prey to phishing links or failing to take preventative measures such as regularly changing passwords)4. Rigorous training and testing of all individuals involved in servicing financial advisors and their clients reduces the instances of human error that increases cybersecurity risks.

    Recommended action: Require home office employees, financial advisors and their staff to complete training and testing to identify their vulnerabilities and strengthen their reaction to potentially dangerous situations such as phishing attacks. The training is designed to address common types of attacks targeted at individuals working in the financial services industry, and provide specific guidance based on how the individual reacted to the test. For instance, a user may receive a suspicious link intentionally sent by the training system. If the user clicks on the link, the training system will inform that user of the failed test and direct the user to complete additional training.

  5. Create an Incident Response Plan and Obtain Cybersecurity Insurance

    No cybersecurity program is perfect. Human error, nefarious hackers and the need for ever evolving technical controls will eventually lead to a data security breach that results in unintended exposure of confidential client information. When a breach does occur, the most important step is to respond quickly and appropriately. This requires a detailed incident response plan executed by a dedicated team of internal and external resources. Many firms do not have the internal expertise or resources to address data security breaches, which is why cybersecurity insurance is necessary. A comprehensive cybersecurity insurance policy provides not only the financial resources to respond to a data security breach, but also the technical and legal expertise to ensure that the breach is thoroughly investigated and remediated, and that all regulatory and client notification requirements are satisfied. But not all B/D or RIA cybersecurity insurance policies provide coverage for independent contractor financial advisors and their businesses, so it is important to understand who and what is covered.

    Recommended action: Implement and test an Incident Response Plan. Dedicate internal resources who are involved in investigating and responding to data security incidents. Obtain a comprehensive cybersecurity insurance policy that covers not only your firm and its home office employees, but also your independent contractor financial advisors and their businesses.


In summary, every financial services firm should be committed to securing confidential client information and assisting financial advisors in being cybersecurity compliant beyond current industry standards. To do this, you will need to establish strong systems and controls that are verified by independent parties. Your culture of cybersecurity compliance will set high standards of conduct to build trust and to provide you comfort in doing business in today’s complex digital world.