Only a hermit would have failed to notice the increase in identity theft, cyber and data breaches in recent years. The figures are startling. In 2020, the number of data breaches in the United States totalled 1001 cases, according to Statista. It also recorded over 155.8 million individuals affected by data exposure during 2020.
The 2020 Verizon report found that in the financial planning and insurance industries alone, there were 1,509 incidents, 448 of which had confirmed data disclosure. Of the data compromised, 77% was clients' personal information, 35% was credentials, 32% was bank-related, and 35% was listed as 'other.'
Exposure of sensitive data is a real risk, and one that criminals are keen to exploit. And while data breaches result from planned cyber-attacks on an organization's database, data exposures are caused by human error such as weak internal cyber-security. Neither situation is a good one to be in, so individuals need to take action to make sure they are not affected.
It's vital that consumers are diligent about where and how they share their financial information on the internet, and sending it via email is definitely off the table. This also comes down to the actions of financial advisors. Many will simply request these documents via email because it's convenient, especially since the beginning of the coronavirus pandemic. It's also very convenient to start texting clients or posting opinions on social media, but those are highly regulated activities, and compliance does not permit these 'convenient' activities.
So what does this mean in practice? How can advisors and clients share sensitive information securely? In the past, using the physical post came with its own inherent security risks. Email largely superseded the post, but it too comes with its own risks.
Risks of email
Indeed, phishing, data security, and identity theft are major issues when using email. The problem is that information in email bodies cannot be encrypted. As a result, sending sensitive information through plain-text emails is not permitted under IRA rules. Elsewhere, guidance is patchy. The EU GDPR does not specifically identify how personal data can be sent via email. PIPEDA also has no public information available that identifies how electronic patient data can be sent securely over email. This is ironic considering that PCI DSS, a set of controls and obligations for companies that handle credit card information, explicitly says to avoid using email to transmit card data, given the trail of copies left in sent folders, draft folders, inboxes, browser caches, and email trash folders.
To put it simply, the lack of specific guidelines and the abundance of generic ones don't particularly help the public understand how to send sensitive information safely over the internet.
And attachments are no better: sharing information in attachments containing personal data or scanned documents is risky. Simple misdelivery, an email going to the wrong person, is more commonplace than you might think. In organizations with more than 1,000 employees, this happens almost twice daily (https://www.tessian.com/blog/fat-finger-misdirected-email/). Misconfiguration is another issue. This is when a system administrator fails to secure a cloud storage bucket or accidentally misconfigures firewall settings.
The risk of being hacked is another issue. Hackers introduce spyware and malware into a system in order to steal data.
Some malware is embedded in attachments such as PDF and JPEG files. If opened, these files can corrupt a system or delete files from a hard drive. Keylogging malware, for example, can be stored in an email attachment and executed when the attachment is opened or when the victim clicks a malicious link. From there, the keylogger can record keys pressed on the user's keyboard to capture passwords and other account information.
Hackers are also using ransomware to encrypt an individual's data and then blackmail them. Phishing, meanwhile, uses psychological and social manipulation with the intention of gaining access to sensitive data, such as IDs and passwords, that can then be sold on.
Secure data and document storage and exchange is thus a pressing issue. Using a platform can significantly reduce attacks of all kinds, because would-be criminals tend to go for easy targets, like email. A platform gives both advisor and client access to a secure hub for sharing sensitive documents, without the need for risky emails. The advisor also benefits from reduced regulatory compliance risk and better overall security. This raises confidence levels for both client and advisor and can be a real value add in a world where the threat of data theft is real.
SideDrawer is an API-based document management platform that improves the client experience around collaboration and organization for businesses of all sizes. Our SaaS product is used by advisors, planners, executors and other professionals to securely collect and share sensitive client data and documents. Our infrastructure-agnostic APIs are truly scalable, allowing fintechs and enterprises to save significant development resources on non-core but critical document management workflows.