Journal of Financial Planning; July 2011
The same electronic tools that have brought so much ease to the lives of financial advisers have resulted in a whole new set of concerns as well. Just how secure are the client files stored on my office server, or out in a cloud somewhere? What sort of compliance regulations affect my data storage plans? And perhaps, most importantly, how do I convince my clients that their confidential information will never be breached?
An entire security industry has developed with the express purpose of answering these kinds of questions. Many of the solutions go far beyond the kind of security breaches advisory firms have been experiencing, but that may be what clients need to hear in the end. “Clients are really concerned, because this is something that’s been in the news all the time,” says Ash Bhatnagar, CFP®, president of RIA Independence Company in Titusville, New Jersey, which helps advisers develop independent businesses. “To do the most you can becomes imperative as a matter of client servicing.”
For some advisers, especially those with larger practices, the safest and most cost-effective move has been to move everything out of their offices and into so-called cloud computing. “Advisers don’t really need any technology in their offices besides their Internet connection and their PC,” says Bhatnagar. “That’s my goal.”
How Cloud Computing Works
With cloud computing, the user’s computer contains no files or even software; everything is stored and accessed remotely. While it makes people nervous to lose that kind of control over their most vital files, in many ways cloud computing is a safer alternative to local storage. The vendors have invested heavily in security infrastructure and can develop purer systems that make it harder for hackers to break into. “SalesForce, as an example, has seven different server firms throughout the world, using industry-leading technology,” explains Jay Rivard, SalesForce practice director at Harvest Solutions, a CRM consulting firm in Waltham, Massachusetts, that concentrates on financial advisers. “The data resides on like machines, so unlike on-premise apps, where they might have different types of servers and operating systems, in the hosted world it’s all the same.”
Although it makes some advisers nervous to send confidential data to an unknown location, the files are encrypted before they’re uploaded to the cloud, and the storage firm has no ability to unlock them. The standard procedure is for each vendor to back up all its files regularly—every hour or two hours—then validate whether the backup successfully happened for all the data by looking for changes on the encrypted data. And the providers must follow compliance requirements at least as strict as any adviser, usually more so, because they have to account for regulations from many different states as well as the federal rules. Peter Herzog, senior software and systems specialist at ActiFi in Plymouth, Minnesota, which provides software and solutions for financial advisers, thinks this makes security tougher and the ability for advisers to validate it greater.
“A lot of these providers, since they have multiple financial advisory offices on their system, have to go through multiple types of compliance audits—so they’re continually being audited and tested,” Herzog says. “There’s a definite perception that you can lose control of your data, but you can request from a vendor a report from their last compliance. If they can’t provide that, they better have a reason why.”
Or you can run a simple test to make sure that everything is not only backed up but readily available if you need it. “You definitely need to have a test process in place,” says Bhatnagar. “What I do is say, ‘I lost a file 10 days ago, and I need to recover it.’ And call the help desk; that’s what you’re paying for. And see what they do. You’d be surprised—some people can’t actually recover it! Then you know it’s time to move on.”
Many of the larger Internet players have moved into the cloud storage space, including Amazon, Microsoft, and Google. With an incredible amount of bandwidth at their disposal, large web-based firms are a natural for this sort of thing. While there might seem to be greater security concerns—Google’s Gmail was hacked into this past April, and there have been rampant stories about people being surprised at a perceived lack of privacy with Google Docs—it’s important to remember that these are huge companies with varying levels of service available. The version you pay for would have a complete, validated level of security, quite unlike the free apps out there. There are also smaller, boutique IT shops that offer storage solutions for small businesses; Herzog singles out Network Alliance and IVDesk as cloud providers that have done reliable work for financial advisers.
There are drawbacks to storing everything offsite though. If for whatever reason you need to recall all your data from your cloud site, it can be very cumbersome, involving sending the provider a hard drive, having all your information downloaded to it, then having it shipped back to you.
Do-It-Yourself Storage and Encryption
Storing data files in your office still makes a lot of sense for a smaller, one-person shop. “Hard-drive storage is cheap nowadays,” Herzog says. “You can buy multi-terabyte hard drives for just a few hundred bucks or less.”
Bhatnagar agrees, saying that not only do the economics work particularly well for smaller firms but the security can be tighter as well. He found a server from ioSafe that was particularly impressive: “It’s fire-proof and flood-proof, and it was a $320 solution—and no cloud’s ever going to beat that for the amount of space that you get,” he says. “I think that’s a great solution for a one- or two-person shop.” Still, he also recommends contracting with a third party for backup, just in case.
Storing your own files also leaves security up to the discretion of the individual adviser, which usually means encryption. Encryption is in the process of moving from a 128-bit standard up to 256 bits, although in the early days of encryption 40 bits were considered sufficient. The bits refer to the different possible key values generated randomly to encrypt the data. Because they use a binary code, the number of bits allows a total possible range of values of two raised to that number’s power; in other words, 40-bit encryption used two to the 40th power possible outcomes.
That may seem like a lot, but today’s high-speed computers are able to shuffle through that many values in fairly short order, leading to the rise of 128-bit encryption and now 256-bit encryption. FINRA, for one example, now requires all communications sent to it be encrypted at a 256-bit level. Is that overkill? Herzog thinks not: “Computers today are so fast that 256-bit encryption is very practical in the vast majority of applications,” he says, “and I would tell advisers to use it if they have the option.”
What to Encrypt
The first question any adviser must answer is, “How much do I want to encrypt?” The client files themselves need to be encrypted, which in some jurisdictions is a necessity. Massachusetts, for example, requires that any clients’ personal information be encrypted when it’s sent across the Internet or stored on portable devices such as laptops or CDs.
Beyond that lies the option of hardware encryption, which even makes it difficult for people to gain access to the machines themselves. There’s little doubt that hardware encryption has been increasing, and it certainly does add an extra level of protection. Bhatnagar also finds that hardware encryption can be more stable and less prone to bugs than encrypting files. But it can also be very costly, because each piece of equipment will require its own encryption.
It’s possible to encrypt your software as well—the applications on which your client files run. This would prevent any hackers or burglars from running your programs at all, whether remotely or within your office. But Herzog argues strongly against it. “A lot of people have a tendency to encrypt their whole setup, and I think that’s a big mistake,” he says. “What they should be doing is separating their data from their software. Microsoft Word and Excel and PowerPoint—there’s no need to encrypt all that information. You can always reload the software and recover all your files.”
There are even encrypted flash drives for moving data from one place to another. In a sense, this is the most necessary environment for security, because it’s probably more likely that you’d mislay a flash drive than get your server hacked into. IronKey, for one, makes a USB drive with 256-bit hardware encryption, capable of storing up to 32 gigabytes of memory. They’ll cost $75 to $150; if you need less storage space, Corsair makes an 8-gigabyte version that sells for only $50.
CRM Integration as Security
Another aspect that has enhanced data security is the growth of CRM (customer relationship management) systems. By encapsulating so much of your data and processes under one umbrella, a CRM solution can incorporate security factors while greatly reducing the potential for some kind of breach or error. “Integration just for efficiency’s sake is widely popular, but from a security perspective, to remove any sort of human error when you have to duplicate data and enter it twice into the system—absolutely that reduces risk,” says Herzog.
“The ability to store all that sensitive data, especially integrating back-office tools … in one spot and be able to report off of it is huge,” says Rivard. “These are essentially shrink-wrapped apps, so it’s much easier to deploy them, and it’s a much higher level of security than you can get on your own.”
The key is that everything is held within a single system, making it unnecessary to move files around or access them through a variety of applications. “For sensitive documents,” Rivard points out, “you can control access to them without having to distribute them with third-party products.”
Not all CRM systems are alike— different ones have different security capabilities. “The top-level types of CRM have very high levels of security within the applications themselves,” Rivard says. “Which flavors of that you get depends on the additions … the more expensive the additions, the higher level of security you can get.”
You need not just take a vendor’s word for it that you’ve got all the security you need. Herzog points out that there are concrete ways to validate the level of security you’re getting. “When you purchase a CRM or other document management system, look for solutions that have auditing capabilities in it, so that whenever anyone changes a field in it, or any value on a client record, that’s noted,” says Herzog. “It records who did it and what the previous value was and what the new value is. There’s a lot of data in CRMs, and to protect that you need to have some auditing around that, too.” You should also be aware that such security measures as encryption and firewalls vary from CRM to CRM. Make sure the system you have incorporates all the features you need.
Moving to a CRM system and creating a paperless office means other safeguards should be in place, particularly when it comes to destroying now-unneeded hard copies. “Many times you’ll have an original signature on a contract, and you want that scanned in to become paperless,” says Michelle Jacko, CEO of Core Compliance Legal Services in San Diego and managing partner of the Jacko Law Group. “Before you shred that original document, make sure that the integrity of the information is sound, and that it’s legible. An advisory contract requires an original signature; if you decide you’re going to shred that document, the regulations specifically state that it needs to be as close to an original format as possible.”
If you have a scanned advisory contract that does not contain the actual client signature, and wonder whether you need to have the client re-sign, Jacko says yes. “If you don’t have proof of that, it’s as if it were never agreed upon.”
Compliance with Privacy Issues
There are compliance reasons to keep your clients apprised of your security infrastructure as well. The Gramm-Leach-Bliley Act of 1999 (with its final rule in 2009) specifically requires financial institutions to provide their clients annual privacy notices. The rules also require that clients be notified of any information-sharing practices and be given the chance to opt out of them. (There are model privacy forms available online at www.sec.gov.)
These compliance requirements have clearly played a role in fueling the growth of the data-security industry. But enhanced levels of security do not seem to address hackers or thieves attempting to breach the files of individual advisers. Despite reports of leaks involving everything from 75 million PlayStation users to Best Buy’s e-mail lists, financial advisers have been spared thus far. “Hackers aren’t really looking for small advisers,” says Bhatnagar. “They’re trying to hack into J.P. Morgan.”
If breaches are virtually non-existent, why do advisers need to put so much money and effort into preventing them? For one thing, compliance demands it; for another, clients expect it. And there’s also the fact that a security breach is one thing your clientele would likely find unforgivable. “A breach is probably worse than losing 50 percent of their assets,” says Bhatnagar. “You can explain the 50 percent, but you can’t explain the breach.”
Advisers seem more concerned about what might be called accidental breaches of the type the New York Yankees suffered in April. An employee accidentally e-mailed a spreadsheet containing the names, addresses, e-mail addresses, and much more information about more than 20,000 of their season-ticket holders. Advisers live in fear that one of their employees will inadvertently reveal confidential information.
Fortunately, there are readily available fail-safes to keep such a thing from happening. “You can set up your e-mail software to look for keywords that [you] may be afraid of and stop those e-mails from going out,” Bhatnagar says. “Anything that says ‘your account number’ on it would get stopped.” You don’t need to go get a special application to set up such a safeguard; it’s included on Microsoft’s Outlook, the world’s most popular e-mail program. Just look under the Tools menu for “Rules and Alerts.” You can set it up for individual PCs or for your entire server.
“Breaches result more from people not really paying attention to their own security policies, or not having a policy at all,” says Herzog. “That’s more the problem that I [see] than actual security breaches.” Not being aware of the security issues led executives at the now-defunct broker-dealer GunnAllen to be charged with taking more than 16,000 client records from the firm as it was winding its business down. As Michelle Jacko puts it, the most common violation of security she sees is when advisers forget that confidential client records belong to the client, not to the firm.
“You need to be cognizant at all times that you’ve been entrusted with this confidential consumer information,” she says. She often sees offices at night where account numbers are left out in the open for the cleaning people to discover, while compliance requires that all the information be locked away at night. Similarly, on your way to becoming a paperless office, there are regulations covering the disposal of old files—they must be shredded rather than simply thrown away. Any scrap of paper with confidential information should be treated as if it had the potential for a security breach.
In the end, looking backward at the breaches that have occurred is not enough to keep yourself and your data safe. It’s imperative to look forward as well.
“Many security researchers are saying that we’re losing the battle, that hackers are still ahead of current security technology,” says Peter Herzog. Whatever hackers are doing today to infiltrate computer systems, you can bet they’ll have a new strategy tomorrow. Ultimately, data security is about making sure you’re ready for whatever comes next.
Tom Nawrocki, a former editor at Worth magazine, is now the editor in chief of Triton Financial Newsletters, which provides communications for elite wealth managers around the country. He can be reached at Tom.Nawrocki@TritonNews.com.
Sidebar:
Password Safety
There’s one very simple area of security in which there’s been a lot of good, defensive research lately: passwords. Hackers have several ways to infiltrate your passwords. There’s a dictionary attack, in which the hacker flies through a list of tens of thousands of words until he hits on the right one. Then there is what’s called a “brute-force” hack, where a computer shuffles through random characters until it lights upon the proper password.
The dictionary method is the reason people are now dissuaded from using common words as their passwords, and we’re usually forced to include numbers or other symbols in them. According to Thomas Baekdal, founder of the Baekdal online magazine, a remote computer can hack a simple password like “orange” in as little as three minutes. But the rise of brute-force hacking has meant that even random formulations of letters can be figured out in short order.
What’s the solution? Peter Herzog of ActiFi suggests that rather than passwords, use “pass-phrases.” Even a common phrase like “this is fun” can be a much more effective password than a six-letter jumble. “It’s ten times more secure to use a pass-phrase of three random words than ‘J4FS:2,’” Herzog says. “With six characters, it’s just a matter of time before they guess it.” Baekdal reckons that while a truly random collection of six letters might take a hacking program a month to breach, “thisisfun” would take 2,537 years.
If that’s not enough, there are other ways to deter hackers. Herzog recommends putting a time delay on any wrong password guesses, such that, for example, after 10 wrong guesses at a password, no one can try to enter new information for the next hour. Because hackers operate by use of high-speed password attempts, forcing them into an hour’s time-out would quickly make the effort cease to be worthwhile.