Encrypting Emails, Files for Clients is Crucial, but not Always Followed

Article citing Brian Edelman, Financial Computer CEO.
Link to the article: InvestmentNews.

Encryption is one of the best bets for securing clients’ sensitive information.

Encrypting emails and shared files is one of the best bets for securing clients’ sensitive information, yet not all advisers are taking the initiative.

Regulators require advisory firms to securely manage their clients’ information, though not necessarily through encryption. Some states, including Massachusetts, California and Nevada, require advisers to encrypt clients’ personally identifiable information.

“Absolutely advisers should be using encryption,” said E.J. Yerzak, partner and vice president of technology at Ascendant Compliance Management. “The cost of a breach makes it a no brainer.”

Encryption involves scrambling information so unauthorized users can’t read it. While it is just one part of an overall security system, it has a key role, giving companies a way to encode words, numbers and images to prevent misuse.

Considering how critical electronic communication is between an adviser and client, and how attractive it is for cyber criminals, experts say advisers should encrypt data being sent back and forth in e-mails as well as data stored on hard drives or in a cloud.

Encryption is not utilized by 46% of the advisers asked in a 2014 North American Securities Administrators Association survey on cybersecurity practices of small and mid-sized investment adviser firms. Another 39% do encrypt data and 13% were unsure, according to the survey.

Many advisers avoid encrypting data because they view it as inconvenient. Others avoid it because they — or their clients — are unfamiliar with the technology.

Advisers need to educate their clients around these security measures, said Brian Edelman, chief executive of Financial Computer Services, a cybersecurity firm.

“It should be seamless,” Mr. Edelman said. “If they find themselves doing extra steps because of security, they may have chosen the wrong security.”

Several forms of data should be encrypted, including the actual messages, the browser being used to access the content and stationary content, such as archived emails, said Sid Yenamandra, chief executive of Entreda, a cybersecurity and risk-management company. Emails can be encrypted within their email services or by using software. Advisers should check that their web browsers are set up with Secure Socket Layer, or SSL, which they can do by finding an “https” in front of the web address they’re accessing.

Commonwealth Financial Network, an independent broker-dealer based in Boston, follows strict procedures around encryption under the Massachusetts state law, said Darren Tedesco, managing principal of innovation and strategy at Commonwealth Financial Network.

Big companies outside the financial services industry also see the importance of encrypting information. Google stepped up its encryption offering this year, adding a feature that indicates to users if they are receiving or sending an email to someone without a secure connection. Facebook Messenger recently announced it is now testing an end-to-end encryption option for private conversations.

File storage is another crucial area worth encrypting. Ascendant’s Mr. Yerzak said he is seeing a rise in using client portals, a hot commodity by vendors this year, to securely share confidential documents but said there needs to be policies in place to ensure they’re being used properly. Mr. Edelman said advisers should look for best-of-breed vendors, usually focused on the financial services industry, and ask questions of the companies on their security measures.

Even with this extra layer of encrypted content though, advisers need to do their due diligence when electronically communicating with clients. Hackers targeted the financial services industry 300% more than other businesses between January and May 2015, according to a Websense Security Labs report, and financial firms are still falling short in the cybersecurity arena, according to an External IT study.

Advisers should take the extra step of ensuring the communication is with their client, such as David Haas, an adviser with Cereus Financial in Franklin Lakes, N.J. Even though he uses encryption for his messages, he still calls clients when it’s really important.

“You still need to make sure that both sides are who you expect,” Mr. Haas said.