As wealth managers are now forced to work from home, it raises questions about cybersecurity, protection of data and safety of clients' and firms' information. In the third and final part of a series, author Wendy Spires examines the issues.
Along with being our head of research, Wendy Spires is a Certified GDPR Practitioner who takes a keen interest in all things related to data privacy in wealth management.
This is the final instalment of a three-part feature examining remote working risks, which offers practical tips from experts on maintaining security and data protection compliance. (See the first two instalments here and here.)
Having set out a range of data protection risks emerging from remote working, we now turn to what the experts are advising so that wealth managers can be both agile and compliant with their data protection obligations under the GDPR and similar regulations. Long-term, the COVID-19 cloud may have the silver lining of having driven digitisation forward in great leaps for many firms. But expedited digital change can of course bring massive risks along with it.
As previously set out, the ideal of employees only using company terminal equipment may not be achievable, so this should be the first point of security triage.
“In the short-term demand for company laptops may well be outstripping the company’s ability to supply them. In recognition of this, the ability to enrol and securely manage employees’ own devices, or any new ‘endpoints’, is a matter of urgency,” advises Mark Roberts, partner for Defence and Cyber at Capita Consulting. “And in doing so, organisations need to address thorny issues like privacy, data ownership, acceptable use and vulnerability and patch management.”
Roberts also urges firms to face the reality that if suitable solutions for the new normal are not provided, “the natural human desire to do a good job might result in people adopting their own alternative solutions or workarounds”. As Part 2 of this feature highlighted, video conferencing and instant messaging are areas of particular danger.
Confront and quantify risks
Lest we forget, the Accountability Principle is at the heart of the GDPR (and other data protection regulations modelled on it). Data controllers are ultimately accountable for only using trustworthy data processors to work compliantly on their behalf, and to pay close attention to regulatory roles and responsibilities in any multi-processor arrangements they enter into. Time may be short, but firms forced to adopt third-party (and even mass market) tools faster than they would like must not neglect their due diligence (and ongoing monitoring) obligations, ensuring that Data Protection Impact Assessments are carried out where necessary. (In fact, best practice dictates they almost invariably are so that potential high risks to data subjects’ rights and freedoms are not overlooked.)
A certain amount of heightened risk may be inevitable and, as Roberts observes, “There is no such thing as risk-free or being totally secure. Organisations need to be clear on how much risk they are prepared to accept.” Rather than aiming to completely eliminate risk (which would probably mean shutting up shop) the onus rather has to be on recognising and managing it.
“Like everyone at present, wealth managers need to make pragmatic decisions, so it’s about intelligent risk when working with new suppliers,” says Sorcha Lorimer, CEO of Trace AI, a software vendor for data protection compliance. “Make sure you know what risks you are taking: read the terms, confront worst-case scenarios and use a model to frame making informed decisions. We’re seeing a lot of use of our smart processor assessment tools currently, which is encouraging on this front.”
Don’t neglect documentation
As in other areas, collaboration and an acknowledgement that compliance is a “moving target” are key, she continues: “Data protection regimes intend to make compliance real and ‘alive’ as a culture, so the authorities want to see key documentation like Data Privacy Impact Assessments being iterative, discursive and collaborative.
“It is also vital to update privacy notices, processing records and consent documentation to take account of any new processing operations and third-party technology. Data protection compliance hinges on robust documentation: if it isn’t documented, it isn’t done.”
Another vital GDPR concept is that of “privacy by design and by default” (Article 25), which means careful risk assessments and privacy champions being brought in before any new projects or processing operations commence. Remediation may well be a current reality for many, but firms can take heart from the fact that the concerted efforts they evidence can serve as mitigation if breaches do come to pass.
A significant barrier here will of course be the prevalence of static documentation at even large organisations (for which, read scores of disconnected Word files and Excel workbooks for things like Article 30 Records of Processing Activity). As such, over the long term, we can expect migration of data governance and compliance to Software-as-a-Service tools to mirror that already seen in activities like client onboarding, where multiple handoffs between highly dispersed teams are also necessary.
Reinforce the “weakest link”
Despite - and in fact because of - the very alarming security threats facing wealth managers, Roberts urges firms to strike a careful balance between strict protocols and maintaining a caring tone with employees. “Reinforce a security culture where everyone knows what they should do and recognises its importance, but where staff also feel supported and assisted in the new working environment,” he says. “Minimising the threat to your organisation depends on taking immediate action in the event of an attack or lapse of judgement. This situation is difficult for everyone and it’s vital that personnel don’t feel hesitant about alerting their manager or IT team if they’ve made a mistake.”
Today’s tortured circumstances create acute vulnerability to social engineering cyberattacks which bad actors are jumping to exploit. Penetration testing and corresponding training covering spear-phishing should have already been part of the technical and organisational measures taken to ensure compliance with the security obligations under Article 32 of the GDPR. But now “smishing” (the mobile version) is now on the rise, creating further alarm around the use of employees’ own devices and novel communication channels. Pertinently, the French Data Protection Authority, the CNIL has taken the view that employers are responsible for the security of company data stored on devices that are not their own, including an employee's personal device.
Now is the time to consolidate employees’ understanding - and update policies - to take greater account of remote working, the experts say. “Our people are our weakest link, so start with immediate interventions here,” says Roberts. “Remote working policies need to be clear and include easy-to-follow steps that let employees make their home-working environment secure.” As Part 2 of this feature explained, the dangers are many, spanning technical, physical and human weaknesses.
The world being temporarily “on pause” may in fact present a perfect opportunity to sharpen staff up on data protection. “It’s so important to keep engaging staff when working remotely; we just need to find new ways of doing that,” says Lorimer. “With data protection issues in the headlines every day, there might be no better time for creating interactive policy suites and rolling out customised online learning programmes.”
IT security teams must have their hands particularly full at present, but much depends on them rapidly evolving existing measures and introducing new ones to take into account mass remote working. It is easy to miss things in challenging times and here Darren James, technical lead at Specops Software, advocates the following as the start of a data protection checklist.
“First is ensuring only the right people are given access to the data. This sounds simple, but mistakes are often made here. Second is where data is accessed from, particularly if employees are stranded away from home. Cross-border transfers can present huge compliance risks where certain countries are concerned, so conditional access and geo-blocking some locations may be wise.
“Third, choose carefully how employees access data, whether that be via a Virtual Private Network, a remote desktop or cloud, and with the latter be especially careful to ensure service providers meet your standards.
“Lastly, consider how you allow data to be handled and don’t neglect physical dangers. Will you allow printing or screenshots to be taken? Are privacy filters provided to shield data from prying eyes?”
As a password specialist, James also highlights under-appreciated dangers here. “Users also face genuine problems with password expiry and notification of password expiry - especially with their corporate active directory accounts [those providing access to network resources]. Native tools don’t really give administrators a lot of options, so a user’s risk of being locked out of their accounts for an extended period of time is much greater than in the past.” Data protection is as much about accessibility for those authorised as it is keeping those with nefarious intent out.
A holistic view of data protection
Unpleasant though it may be, with great uncertainty ahead thought must also be given to the suspension or termination of employment. “If someone does leave the organisation then their access must be removed in a timely manner, and any company devices that they may have should be securely wiped,” James cautions. “That is of course complicated by remote working in itself, but also by the Bring Your Own Device scenario, in particular global wipe versus selective wipe.”
Best practice in data protection calls for thinking that encompasses the entire lifecycle of the information the organisation handles. Just so, the adaptation of policies and practices for a new working from home paradigm calls for a holistic view of the technical, physical and human factors involved, and on a whole lifecycle basis too.
This piece has only scratched the surface of the dangers and safeguards that wealth managers should be thinking hard about during this most challenging of times. It is to be hoped that robust data protection and information governance are already in place and need only to be adapted and built upon. With all the other pressures institutions and their employees are under, this is certainly no time to be starting from scratch.