The financial services industry is a frequent target of hackers, but a larger threat may be trusted insiders since they have access to a lot of sensitive customer data.  Advisers within wealth management practices regularly share data with other advisers, staff members, a counterparty or a trusted third-party service provider. They may inadvertently or deliberately share that data with unauthorized people and pose a risk to their firms and customers. Once shared, most firms have no control over that data. The Ponemon Institute illustrates this risk by reporting that 65% of cyber breaches originated with third parties.

Insiders regularly share customer or other sensitive information with colleagues and third-parties by generating and downloading reports from a database. Typically the reports are spreadsheets which make it easy to analyze the data. Access to the database may be restricted, but once in a spreadsheet, the sensitive data is easy to share with anyone.

Just recently, BlackRock inadvertently exposed names, email addresses and other information of 20,000 independent wealth management advisers. The data was in several spreadsheets from an internal customer relationship management system and was inadvertently posted on a website by an internal user. There was no hacking, just a mistake by a trusted insider.

In 2017, New York implemented comprehensive cybersecurity regulations to protect New York’s financial services industry and consumers from cyber attacks. Other jurisdictions are following suit. High-profile cases like the Morgan Stanley broker who stole data on more than 350,000 of the bank’s wealthiest clients in 2014 was clearly on the minds of regulators when they created these regulations. Even with these rules in place, BlackRock still experienced a data breach.

Typical approaches to stop data breaches focus on protecting devices and locations from unauthorized access, rather than the data stored on them. These solutions force you to create complex business rules that monitor data movement and alert you to abnormal activities. In the BlackRock and Morgan Stanley cases, authorized users had legitimate access to sensitive data, so these tools may not have flagged anything as abnormal.

The only effective way to restrict access of sensitive data to authorized users is to encrypt it and apply security policies that govern its access. This ensures that only authorized users can access the data, regardless of the file’s location or format. This includes sending data to a counterparty or other third-party service provider. Once encrypted, the organization can trace user activities and even revoke access whether stored on a local system, mobile device, website or cloud-based repository. If someone accesses the file, they cannot read its contents unless explicitly granted access to it.

Morgan Stanley could have prevented its employee from accessing customer information on his home computer by encrypting it and setting appropriate policies. Once he left the company, his access to company data could be immediately revoked. The BlackRock spreadsheets would have been useless to any unauthorized person, since no one could read their contents unless explicitly granted access. If hackers stole the data in either case, it would be useless to them, since it was encrypted and the hackers had no authorization to access it.

Investors trust wealth management firms to protect their sensitive data. Encrypting files and controlling user access maintains that trust and complies with privacy regulations.

Photo credit: Pavel Rybin

Fasoo sponsored and presented at an event in Columbus, OH on November 13, 2018 entitled “Incident Detection, Response and Recovery” highlighting how to prepare and manage an incident response plan for cybersecurity and data protection.  Presented and cosponsored by Catalyst Solutions, IBM and Huntington Insurance, the event brought together experts in legal, insurance, law enforcement, government, accounting and security disciplines to discuss the legal, technical and business issues of preparing for and responding to a data breach.

Bill Blake, Senior Vice President and CCO of Fasoo, presented Incident Response & Recovery: Secure Collaboration for Critical Information which highlighted the Wrapsody platform as a solution to help manage the development, access and control of an incident response plan (IRP).  Bill showed an example of a CISO, Legal Counsel and an external Advisory firm securely collaborating on an IRP and how to control who could access the plan and any supporting documents involved in a response.  The example showed how easy it is to securely collaborate on developing and managing the plan, but also on limiting access prior to, during and after a breach occurs.  Since Wrapsody encrypts documents and controls their access, it guarantees only authorized users can access them.  This is critical because if an incident response plan got into the wrong hands, malicious insiders or external parties could compromise an organization’s data security.

Ed Rice, an attorney at Sherrard, German & Kelly, P.C., talked about the importance of having a data security program in place.  “Not only does it make good business sense, but under the regulatory landscape, for instance in NY, MA and CA, having such a program is a requirement when a company deals in data containing personal information.  Ohio’s new data protection act actually provides a “safe harbor” from liability for a data breach if the company has in place a good data security program”.

One key to a data breach response is maintaining attorney – client privilege between internal or outside counsel and the organizations involved in the breach.  A cybersecurity incident is not considered a data breach until an attorney says it is.  An attorney should be involved in developing the plan so the plan and any supporting documents are considered attorney work product and come under attorney – client privilege.  Since Wrapsody limits access to authorized users, if a malicious insider tried to share documents with external parties, they would not be accessible.  If a court tried to subpoena the documents, attorney-client privilege would protect them legally, but Wrapsody’s encryption and access control would prevent access to the files themselves.  Another key is having a detailed audit log of document access to prove to auditors, regulators and law enforcement who accessed the IRP during its preparation and execution, thus also helping establish what is subject to attorney – client privilege.

Once an event occurs and the organization executes the IRP, access is controlled and audited.  If internal systems are compromised, Wrapsody enables mobile access to the IRP through a phone and tablet.  Since each version of the IRP and any supporting documents are automatically synced to the Wrapsody server, those involved in the response will have access to the latest information, even if the IRP itself was hit with ransomware.

Protecting company and customer information is the main goal of cybersecurity.  Preventing a data breach is a key tactic, but you need to have a viable incident response plan so you can act quickly and decisively if or when a breach occurs.  Using Wrapsody to prepare and manage the plan along with sensitive documents should be a key tactic in your cybersecurity program.