As a financial advisor, you have access to your clients’ most sensitive personal details.
From account numbers to net worth, Social Security numbers, and family history, your servers are full of information that, in the wrong hands, could spell catastrophe for the people who’ve entrusted it to you.
That’s why data security is such a crucial topic for financial advisors. Yet despite the stakes, a large number of financial advisors don’t fully understand those risks, how to mitigate them, or how to respond to a cybersecurity incident.
At least, that’s according to a report by the Financial Planning Association's Research and Practice Institute. The report found that only 40 percent of financial advisors feel that they fully understand the issues and risks around cybersecurity, while just 29 percent believe they’re fully prepared to mitigate and manage cybersecurity risks.
In today’s digital world, that’s just not adequate. Here are a few critical points that you or your firm should be addressing.
Don’t rely on consumer-grade security products to protect your clients’ information.
Larger financial advising firms generally use specialized software or hire an IT firm to handle their cybersecurity.
However, if yours doesn’t, or if you’re an independent advisor, you may be relying on the same level of security that the rest of us use when we’re buying a kitchen mixer from our favorite store.
That’s not to say that Google and other companies that store sensitive data aren’t doing a good job with cybersecurity. But in the financial industry it’s simply not enough. If you really want your clients’ data to be secure, you should seriously consider hiring an IT firm to provide specialized services like firewalls, antivirus programs, secure remote access, and encryption.
Have a plan for how to dispose of a client’s information if they leave your firm.
It doesn’t matter to a hacker whether the data you have is for current or former clients. Once a client leaves or passes away, you must have a plan for how to permanently and securely dispose of their personal information.
That’s fairly easy with paper records, as shredding is standard office practice. But how do you dispose of electronic records?
Properly disposing of electronic records takes two steps: sanitization (removing the data from the storage media so it cannot be recovered) and then disposal of the media itself. An IT firm can help you ensure that both steps are completed properly.
But there’s more to it than the disposal itself. Where is all this data stored? Are there any thumb drives that you may have forgotten about that contain client files? Are there any employee desktops or laptops that might contain downloaded information?
You’ve got to be absolutely thorough about where client data is stored; otherwise, you run a serious risk of a breach.
Be extremely cautious about who has access to client information.
Unless you’re an independent advisor who works alone, chances are there’s someone else in your firm who has access to your clients’ information.
This is often necessary; after all, if you’re on vacation in the Bahamas and one of your clients has an immediate need, it’s nice to have someone else on hand who can help them.
But it’s important to be selective about who can access what. Does the receptionist need access to your clients’ account numbers? Probably not.
The issue is less a matter of trust than of vulnerability. While it’s doubtful that your receptionist would intentionally compromise client data, he or she could fall victim to an email scam that hands a criminal his or her email password. If that’s the same password he or she uses to get into your secure system, your data is no longer secure.
Develop a Written Information Security Plan, or WISP.
The best way to ensure that the data you’re entrusted with is secure is to develop a Written Information Security Plan, or WISP.
A WISP is a document that outlines what information a firm has, what systems (both technological and administrative) are in place to protect that information, who has access to it, what will be done in the event of a breach, and more.
Once your WISP is in place, remember to review it every two or three years, or any time you make a change that could affect it: switching cloud providers, for example, or moving from the cloud to on-premises servers.
Data security should be of paramount importance to financial advisors. For more on improving your client services, read our post “How Financial Advisors Can Better Serve Their Senior Clients.”