Working From Home: Privacy Nightmare And Hacker’s Dream – Part 2

As wealth managers are now forced to work from home, it raises questions about cybersecurity, protection of data and safety of clients' and firms' information. In the second part of a series, author Wendy Spires examines the issues.
Along with being our head of research, Wendy Spires is a Certified GDPR Practitioner who takes a keen interest in all things related to data privacy in wealth management. This is Part 2 of a three-part feature examining the risks surrounding remote working, with specific reference to new communication channels.
It is a sad fact of life that bad actors will always seize on crises as an opportunity, and so it is proving amid the unprecedented disruption stemming from the COVID-19 pandemic. It is undoubtedly good that life can go on in the digital realm, but risk exposure has rocketed for firms dealing in highly sensitive financial and personal information – as wealth managers most certainly are.
As the first part of this feature argued, the depth of knowledge that wealth managers require to advise and service their clients to the highest standards could now present an acute weakness if that data is not sufficiently protected. And, with firms all over the world having been forced into remote working with scant notice, it is easy to see how this could very often be the case.
The notion that cybercrime is an ever-evolving threat has never had greater force behind it. Day by day an ever more alarming picture emerges of vulnerabilities being exploited at both the corporate and individual level. Business policies, technical set-ups and staff training are being tested in the most challenging of circumstances; business continuity planning may well cover an office burning down, but hardly a global pandemic forcing all staff to work from home – or wherever they found themselves at lockdown – for an indefinite period. Even with the best will in the world to protect client data privacy, firms could be exposed to regulatory censure, fines and litigation.
No time to catch up
Overarching this issue are, of course, the tools and broader technology architecture wealth managers have in place. The lucky ones will be well advanced in their digitisation journey already and so have secure tools for video conferencing, screen-sharing and instant messaging with clients already available (or at least internal facilities that can readily be turned outwards).
Where this is not the case, firms may be forced to turn to mass-market technology and, as recent headlines have highlighted, security here is often dubious at best. The video conferencing tool Zoom is truly experiencing the “best and worst of times” at present, becoming both immensely popular globally and the subject of a shareholder lawsuit over an alleged cover-up of security flaws. “No time to catch up” is true in both senses.
That compliance is a moving target has never been truer too. Operational agility is, of course, vital to achieving what both institutions and clients need right now, but firms sacrifice due diligence on the altar of expediency at their peril.
More channels, more catches
The plethora of communication channels available today is an area of huge data protection danger. Given that wealth managers were hammered by clients for “hiding under their desks” during the financial crisis, it will be hard for advisors not to respond to worried clients contacting them via social media messaging platforms like WhatsApp or Facebook Messenger, where one can be easily found.
Rock-solid encryption often means that no one (not even governments) can access message trails apart from the sender and recipient, creating huge record-keeping issues from a financial regulation perspective (although monitoring software does exist for some forms of social media). But communicating via third-party messaging platforms could very likely prove a violation of the GDPR too – since that client’s details will be processed outside the confines of the institution’s systems and the “technical and organisational measures” it will have in place. If advisors are the ones adding clients’ contact details, then a whole slew of issues around data processing consent come into play.
Social engineering hacks via phishing emails should be well covered by staff training and – one hopes – be robustly defended against by advisors only working from home on company laptops that are well protected by anti-virus and anti-spam software. However, using personal mobile devices is common and “smishing” is a growing phenomenon in which legitimate-looking texts, in-app and push messages carry ransomware or other malware. The world of litigation pain this kind of liability could invite is beyond the scope of this article to discuss. (Instant messaging will be the subject of a forthcoming thought-piece by Capita Consulting, however.)
Difficulty maintaining discipline
As previously set out, risk-appropriate “technical and organisational measures” are the bedrock of GDPR compliance and these must always take into account the technological “state of the art”. Encryption is much beloved by the legislation, as are technical best practices like pseudonymisation and permissioned access to client data. Having advisors work only from remote desktops with tight security built in is clearly the ideal, but it is difficult not to imagine that a high degree of off-piste computing is taking place in some quarters. In febrile times like these it is easy for discipline to slip, particularly when IT support and replacement equipment are not readily available. Saving files locally, working on data via spreadsheets or even printing documents out for ease of reference are all understandable outcomes as advisors work in trying circumstances with potentially hundreds of very worried clients.
At an even more basic level, organisations may well have a “clean desk” policy, as expressly advocated by GDPR, but who now has an entirely private working space or secure disposal facilities? Partners, children and even housemates cannot be banished, and privacy screen filters are a detail that might have been easily forgotten in the confusion of recent weeks. Nor is eavesdropping on client conversations – intentionally or otherwise – to be ruled out, particularly now that the warmer weather demands that windows are open. In any case, are telephone lines always secure?
Are smart devices smart to have around?
As the law firm Mishcon de Reya recently advised its staff, smart speakers are another massive source of risk. Although devices like Alexa are only meant to “awaken” on command words, studies show these can be accidentally set off up to 19 times a day, and for long periods. Even more alarmingly, tech companies have been forced to admit that human beings are sometimes listening in on conversations (and more) as part of attempts to improve the tools’ voice recognition capabilities. In a world of smart watches, doorbells, baby monitors and so on, it is clear that an advisor’s home may be very far from an ideal data protection environment.
Of course, none of this is a criticism of advisors or even really of wealth management firms themselves. We are in the midst of a true “black swan” event, the implications of which are only just starting to be glimpsed. At present, institutions will be focusing on the battle to preserve their clients’ wealth and adapting their business models for far-reaching change.
The fact remains, however, that the requirement to protect data privacy has not gone away – and the threats to it have never been greater. Regulatory actions and litigation over mishandled investments hit the sector hard in the years after the last big crisis. It is to be hoped that a deluge of data privacy lawsuits and enforcement actions is not going to rain down on the sector following this one.
Having highlighted some of the emerging dangers, the final part of this feature will see experts outlining practical steps that firms can take to protect clients – and themselves – from rapidly proliferating data protection risks.