Cybersecurity

Yan Huard

Yan Huard is chief of information security at Croesus, a Montreal-based information technology (IT) firm that offers sophisticated wealth-management solutions to financial services institutions across North America.

Financial advisors need to balance the way they transmit information with the importance of the data they are sending

By Yan Huard

Financial advisors are constantly exchanging strategies, data and other highly personal communications with clients. The importance of protecting such sensitive information is crucial, and failure to do so could damage client relationships, or worse, produce serious legal consequences.

This being an age of technology, the vast majority of client/advisor communications are now done using email, the cloud and even fax — yes, it still exists. Each medium has its strengths and weaknesses, and when it comes to sending information to clients, advisors need to consider both the tools they use to transmit it and the importance of the data. Too often, I have seen professionals take into account only one of those aspects while ignoring the other. This can leave considerable security gaps open.

For example, if you use a secure hypertext transfer protocol (a.k.a. HTTPS) connection when browsing websites, the link between you and the server is encrypted. Although the technology is not perfect, for most applications, it goes a long way toward protecting the data being transmitted. The issue relates to what happens to the data once they have been transferred: they stay unencrypted on your platform and readable by anyone who accesses them. If the data are sensitive, they should be protected when they are being sent, but also after they reach their destination.

With that in mind, let's explore some strengths and weaknesses of popular methods that advisors use when communicating with clients:

> Emails are like postcards. Although they're practical and easy to use, they provide particularly poor data protection as anybody can read them. Thus, advisors need to be extra cautious to not include confidential information, such as statements or transaction records, when using this method of communication.

> Encrypted email is a bit like a postcard you put in an envelope. Encrypted email's major downside is that both parties need to use the same encryption method. There are two ways of doing this. The first is through dedicated encryption software. The second is to use secure email service providers. I generally suggest the latter because they are far more convenient and require less technical skill.

That said, like many professionals in the financial services sector, my personal security needs are particularly stringent. Being more technical, I've always used dedicated encryption software. Whichever option you choose, make sure you provide the recipient with the password in a direct and secure manner (i.e., personally by phone).

> Password-protected documents supply an excellent balance between security and usability. Extra caution should be used when choosing the document's password; ensure that it's sufficiently long and includes special characters. As the body of the email through which you're sending these documents will likely be unencrypted, do not disclose their nature as this could generate unwanted interest.

> Fax is one of the most insecure methods of transmitting information. Fax machines often sit in the middle of crowded offices, accessible to almost anyone. Furthermore, faxes are like images and can be easily forged. The good news is that with today's technology, faxes are going the way of the dodo bird. I strongly recommend you don't do anything to slow that process!

> Fax over IP (online fax) is far better than traditional fax machines. Online fax solution providers usually offer secure services using encrypted transmission and storage mechanisms and generally comply with regulations such as the U.S. Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act and the Personal Information Protection and Electronic Documents Act. Before choosing a service provider, make sure to review its standard licensing agreement and security statements.

> Personal information delivery is the safest method by far. There are no intermediaries between you and the recipient. That said, when the documents are in digital format (i.e., on a USB key), it's still a good practice to encrypt them as the delivery device could be lost or stolen. Multiple solutions are available, including VeraCrypt, AxCrypt or GNU Privacy Guard. You could also consider document encryption as an alternative to password-protected documents.
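
As an added example (not part of the original column), the document encryption mentioned above can be done with GNU Privacy Guard before a file is attached to an email or copied to a USB key, so that it stays encrypted after it arrives. It assumes GnuPG 2.1 or later; the function names, file names and sample statement are constructed for illustration.

```shell
#!/bin/sh
# Added example: password-based (symmetric) file encryption with GnuPG.
# Assumes GnuPG 2.1+; all file names and the sample data are constructed.

# protect_file <plaintext> <passphrase-file> <output.gpg>
protect_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$2" \
        --symmetric --cipher-algo AES256 \
        --output "$3" "$1"
}

# open_file <input.gpg> <passphrase-file> <output>
open_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$2" \
        --decrypt --output "$3" "$1"
}

# demo: returns 0 only if the round trip restores the exact bytes and the
# encrypted file no longer contains the readable statement text.
demo() {
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME   # throwaway GnuPG home
    mkdir -m 700 "$GNUPGHOME"

    # Constructed sample document standing in for a client statement.
    printf 'Account 000-CONSTRUCTED: balance 1,234.56\n' > "$work/statement.txt"

    # Long random passphrase (24 random bytes, 32 characters). Give it to
    # the recipient by phone, never in the email that carries the file.
    head -c 24 /dev/urandom | base64 > "$work/pass.txt"

    protect_file "$work/statement.txt" "$work/pass.txt" "$work/statement.txt.gpg" &&
    open_file "$work/statement.txt.gpg" "$work/pass.txt" "$work/roundtrip.txt" &&
    cmp -s "$work/statement.txt" "$work/roundtrip.txt" &&
    ! grep -q 'CONSTRUCTED' "$work/statement.txt.gpg"
    status=$?

    gpgconf --kill gpg-agent 2>/dev/null   # stop the agent started for the demo
    rm -rf "$work"
    return $status
}

demo && echo "round trip OK: file is unreadable without the passphrase"
```

Only the `.gpg` file travels with the email or the USB key; the recipient runs the decrypt step with the passphrase received separately.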

The tools advisors use to mitigate the risk of unwanted information disclosure when communicating with clients strike a balance between the transmission method and the importance of the data. Thus, advisors need to be conscious of this balance and to favour tools that address clients' needs for convenience and practicality while still providing heightened security protection.