Keeping cloud-based data secure

Cloud computing can offer applications and data-processing services you can’t develop easily on your own. But how can you use this technology while keeping your data secure?

Cloud services have become ubiquitous. Professionals of all stripes use them for tasks and services such as customer-relationship management software, databases, mailing-list management and office productivity. Some people store their documents in the cloud for safekeeping; others use the cloud to manage their document backups.

Even if you haven’t used cloud services yet, you may be persuaded to do so. A recent report from the C.D. Howe Institute entitled Next-Gen Financial Advice: Digital Innovation and Canada’s Policymakers predicts that financial advisors will embrace technology in the next few years to differentiate themselves and cater to the needs of an increasingly demanding client base.

The report identifies cloud technology as a foundational resource for financial services in the coming years. The cloud supports many technologies, including digital onboarding, social media interaction, artificial intelligence and online client portals. These will be critical for advisors, the report warns.

However, cloud computing carries risks along with its potential to enhance your financial advisory business. You are placing your data – and possibly your clients’ data – in someone else’s hands. The cloud service provider may not even be in Canada. What rules should you follow when using these services?

The Investment Industry Regulatory Organization of Canada’s cybersecurity best practices guide doesn’t prohibit the use of cloud computing. Instead, the guide states that a cloud service provider should be able to provide solid business references to illustrate its track record and should carry certification from a security standards authority. The service provider also should outline its cybersecurity and privacy controls and allow others to verify them.

The Mutual Fund Dealers Association of Canada (MFDA) names cybersecurity as a strategic priority in both its 2018-2022 Strategy Plan and its 2019 MFDA Initiatives and Priorities documents. As well, the MFDA published a bulletin (0690-C) in 2016 that addresses cybersecurity and also runs a voluntary cybersecurity- assessment program for smaller dealers.

“The MFDA has rules in place relating to the protection of client confidentiality generally, which would include protecting client information from cyberthreats,” says Brett Konyu, manager of member education with the self-regulatory organization. “MFDA rules require each member to develop and maintain written policies and procedures relating to confidentiality and the protection of client information held by it in respect of clients by the firm and its advisors.”

At the federal level, privacy controls fall under the Personal Information Protection and Electronic Documents Act (PIPEDA), which was passed in 2000 – long before modern cloud services existed. PIPEDA doesn’t prohibit cloud computing, even when the cloud provider is in another country, but the act warns providers to protect information. The act also warns that companies using cloud services ultimately are responsible for protecting that information.

So, for example, if Dropbox somehow lost your client’s sensitive data, you would be considered liable under PIPEDA.

The law regarding storing data elsewhere may get an overhaul soon. In April 2019, the Office of the Privacy Commissioner (OPC) published a consultation document regarding transborder data flows, which could change the rules concerning where you can store information in the cloud. Under the proposed rules, a company sending personal information across borders, including to a data processor such as a cloud service provider, must get consent from that information’s owner.

This consultation closes in June 2019, and the OPC is likely to enact the change as a guideline rather than as a change in legislation. If the rule change is enacted, businesses are likely to test it in court, according to Michael Geist, Canada research chair in Internet and e-commerce law and professor at the University of Ottawa. He predicts “enormous implications” for e-commerce and data flows and says that organizations will have to rethink their compliance policies. At the least, this change will mean updating your consent-gathering forms and language.

Changing rules doesn’t mean you shouldn’t use cloud services in your practice. But you should protect yourself and your clients before diving in.

“The biggest takeaway is to remember that your clients are not just trusting you with their financial information and looking for financial advice,” says Mark Nunnikhoven, vice president of cloud research at Trend Micro Inc., a security software company in Ottawa. “They’re also trusting you with their personal data. The onus is on you as the investment advisor to keep that protected – not just by Canadian law, but because that trust is part of a personal relationship with your client.”

The first step is to check with your investment dealer, which may have its own limitations on what kinds of cloud-based service you may use. If you are able to use a cloud-based service, take extra precautions to ensure that you’re protecting yourself and your clients.

The first step is to ensure that you store only necessary information in the cloud. Where possible, avoid storing sensitive personal data unless you need it for the process for which you’re using the cloud.

Nunnikhoven warns that you should use an indicator that refers to a client, such as his or her name, when storing information in the cloud rather than the client’s account number. That number, he says, should never leave an internal secured system. Following this advice would be good practice when using the cloud to store notes from a client meeting, for example.

When you need to store files with more detailed information, use an encryption service. Sometimes, cloud-based services provide encryption options themselves using a password. (Check the provider’s technical information.) For example, Microsoft Corp.’s Office 365 lets you use Office message encryption to encrypt messages you send to clients, even if they are not Office 365 subscribers.

Whether your cloud-based service uses its own encryption or not, you also can encrypt your files using an encryption key you control. Use either an encryption application, such as AxCrypt (, or an online encryption service, such as BoxCryptor ( When sending sensitive documents to clients, you can integrate your cloud-based service with a system such as Whisply (, which will let you send files safely with a PIN to unlock them.

Cloud services need not put your data at extra risk. Taking precautionary steps to secure data before it takes flight to the cloud can offer you and your clients the benefit of digital automation while protecting precious information from prying eyes.