The financial services industry is a frequent target of hackers, but a larger threat may be trusted insiders since they have access to a lot of sensitive customer data. Advisers within wealth management practices regularly share data with other advisers, staff members, a counterparty or a trusted third-party service provider. They may inadvertently or deliberately share that data with unauthorized people and pose a risk to their firms and customers. Once shared, most firms have no control over that data. The Ponemon Institute illustrates this risk by reporting that 65% of cyber breaches originated with third parties.
Insiders regularly share customer or other sensitive information with colleagues and third-parties by generating and downloading reports from a database. Typically the reports are spreadsheets which make it easy to analyze the data. Access to the database may be restricted, but once in a spreadsheet, the sensitive data is easy to share with anyone.
Just recently, BlackRock inadvertently exposed names, email addresses and other information of 20,000 independent wealth management advisers. The data was in several spreadsheets from an internal customer relationship management system and was inadvertently posted on a website by an internal user. There was no hacking, just a mistake by a trusted insider.
In 2017, New York implemented comprehensive cybersecurity regulations to protect New York’s financial services industry and consumers from cyber attacks. Other jurisdictions are following suit. High-profile cases like the Morgan Stanley broker who stole data on more than 350,000 of the bank’s wealthiest clients in 2014 was clearly on the minds of regulators when they created these regulations. Even with these rules in place, BlackRock still experienced a data breach.
Typical approaches to stop data breaches focus on protecting devices and locations from unauthorized access, rather than the data stored on them. These solutions force you to create complex business rules that monitor data movement and alert you to abnormal activities. In the BlackRock and Morgan Stanley cases, authorized users had legitimate access to sensitive data, so these tools may not have flagged anything as abnormal.
The only effective way to restrict access of sensitive data to authorized users is to encrypt it and apply security policies that govern its access. This ensures that only authorized users can access the data, regardless of the file’s location or format. This includes sending data to a counterparty or other third-party service provider. Once encrypted, the organization can trace user activities and even revoke access whether stored on a local system, mobile device, website or cloud-based repository. If someone accesses the file, they cannot read its contents unless explicitly granted access to it.
Morgan Stanley could have prevented its employee from accessing customer information on his home computer by encrypting it and setting appropriate policies. Once he left the company, his access to company data could be immediately revoked. The BlackRock spreadsheets would have been useless to any unauthorized person, since no one could read their contents unless explicitly granted access. If hackers stole the data in either case, it would be useless to them, since it was encrypted and the hackers had no authorization to access it.
Investors trust wealth management firms to protect their sensitive data. Encrypting files and controlling user access maintains that trust and complies with privacy regulations.
Photo credit: Pavel Rybin