Journal of Financial Planning: March 2012
Ash Bhatnagar, CFP®, is president and founder of FA Cloud Technologies, providing compliance-ready business solutions for the independent adviser. He is an expert in designing and integrating infrastructure, and has more than 20 years of financial industry experience in addition to his IT background. Contact Bhatnagar at Ash@facloudtech.com.
In the past few years, regulation has focused heavily on securing client data: specifically, on making vendors more responsible for security and for providing more information to their clients (advisers). But in light of the recent hacking incident at Stratfor Global Intelligence, a security firm that works with many Fortune 500 companies, including banks, and even Homeland Security, advisers might be asking: how do I protect against this? In the Stratfor hacking, anywhere from 200GB to 6TB of data was stolen. Credit card and personal information was taken and used to make donations to the Red Cross. Although that seemed humorous at first, much of the stolen information was then slowly leaked to the public.
Email: Overlooked Vulnerability
Let’s go over regulations first. Most advisers know about Reg S-P and The Massachusetts Rule; each is meant to protect client data. All advisers I speak to really do not want client data to be compromised; it is their worst nightmare. But if you asked regulators to go into your system and determine where the risks are, I doubt they would know where to begin. They will most likely ask to review your operations manual. So advisers are left to tackle security on their own.
Let’s start with what I feel is the most vulnerable area: not your client data but your email system. There are many email protocols and services: POP3, SMTP, IMAP, MS Exchange, and now Google. Many advisers use the POP3/SMTP method because it is the cheapest, but when asked whether their mail is secure, they do not know.
Understanding Email Traffic via the Internet
Running your own mail server takes hardware, software, and staff. Unless you have the dollars to support a mail server in your office, you most likely subscribe to some type of third-party mail service. In that case, any mail you originate travels over the Internet to your mail server, which sends it over the Internet again to the recipient’s mail server, which finally delivers it, over the Internet once more, to the recipient’s desktop. So your messages are actually exchanged over the Internet three times, giving a hacker three opportunities to view and take advantage of your email. This is the process even if your colleague is sitting right next to you.
POP3 Mail. When you use POP3 (for receiving email), for instance, your user name and password are sent over the Internet unprotected, essentially letting anyone who captures them read your email. This is one reason you might get a strange email from a friend with an odd link: someone hijacked that friend’s email account and is using it to send spam. So unless you enable Secure Sockets Layer (SSL), the standard security technology for establishing an encrypted link between a web server and a browser, and/or confirm that your email service provider has done something to secure communications, your email is not secure.
The next item to think about: even if email is secure from your computer to the mail server, what happens when it leaves your server for the recipient’s server? Here you have no control over your recipient’s server or PC. If your email is going to a business, the mail is most likely secure. If it is going to a personal account, ask your mail provider the question. Whatever the answer, add it to your compliance manual. Additionally, document in your manual how your own mail is secured.
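As an added example, not from the article, the following Python audits a captured POP3 login for exactly the exposure described above: it reads a session transcript (the two transcripts below are constructed to resemble what a network capture shows), records whether the server advertised the STLS upgrade and whether the client used it, and lists every login command that crossed the wire before any encryption was in place. Port 995 (POP3 over SSL) is treated as encrypted from the first byte.

```python
"""Audit a POP3 session transcript for credentials sent without SSL/TLS. Added example, not from the article."""
from dataclasses import dataclass, field
from typing import List

# Constructed sample: plain POP3 on port 110; "C: " is the client, "S: " the server.
PLAIN_SESSION = """\
S: +OK POP3 server ready
C: CAPA
S: +OK Capability list follows
S: USER
S: .
C: USER adviser@example.com
C: PASS hunter2
S: +OK Logged in.
"""
# Constructed sample: server offers STLS and the client upgrades before logging in;
# everything after STLS is encrypted and so is not visible in a capture.
STLS_SESSION = """\
S: +OK POP3 server ready
C: CAPA
S: +OK Capability list follows
S: STLS
S: .
C: STLS
S: +OK Begin TLS negotiation
"""

@dataclass
class PopAudit:
    stls_offered: bool = False     # server listed STLS in its CAPA response
    stls_negotiated: bool = False  # client issued STLS before sending credentials
    exposed: List[str] = field(default_factory=list)  # login commands sent in the clear

def audit_pop3(transcript: str, port: int = 110) -> PopAudit:
    audit, in_capa = PopAudit(), False
    encrypted = port == 995        # POP3S: the whole session is inside SSL/TLS from the start
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        cmd = (text.split() or [""])[0].upper()
        if side == "S" and in_capa:            # inside the CAPA capability list
            if text == ".":
                in_capa = False
            elif cmd == "STLS":
                audit.stls_offered = True
        elif side == "C":
            if cmd == "CAPA":
                in_capa = True
            elif cmd == "STLS":
                audit.stls_negotiated = encrypted = True
            elif cmd in ("USER", "PASS") and not encrypted:
                audit.exposed.append(cmd)      # user name or password readable on the wire
    return audit
```

A non-empty `exposed` list on a port-110 session is the condition the paragraph warns about; an empty list with `stls_negotiated` true, or any session on port 995, is the SSL-protected case.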
With this type of basic email service, once you receive an email it resides on your computer only; it is typically not saved on the service provider’s server, and if it is, that may cost extra. So backing up your email is completely your responsibility.
MS Exchange. Almost everyone has heard of Microsoft Exchange. MS Exchange is offered in two formats: running your own server or using a hosted service. The advantage of MS Exchange is that it offers a tremendous amount of flexibility for each individual user and even more for the network administrator. In addition, MS Exchange supports business functions such as calendaring, meeting and task management, and web-based email access. Unfortunately, the expense of running an MS Exchange server or using a third-party service is high, but in this scenario you are certain that communication with your colleague is secure. With email that leaves your server, you are never certain. Administering an MS Exchange server is not for amateurs: you should know something about networking and email services before approaching it.
Most MS Exchange service providers store email on their server until the email is archived. They also offer backup services, which can be expensive.
Google. One of the newest players in the email market is Google. Google has been offering email services to the retail market for a few years now, and recently extended this service to businesses. Google provides the required security between you and its server, but once mail leaves that server its security is unknown. Google also offers calendaring, collaboration, and other features. The expense is not high, but you need to know how to administer the services. Once again, you’ll need network knowledge as well as mail-server knowledge.
All of this gets further complicated with “smart” devices. Most advisers have an email-capable phone and even a pad of some sort. Some of these offer a data service and some do not. In either case, is the communication secure? Unfortunately, you will need to ask your specific provider. If you are using an unsecured WiFi network (no password needed to join), assume that everything your pad sends or receives is visible to everyone else on that network. This means anyone who knows what they’re doing can see what you are doing, including your passwords. I cannot say for certain that all devices behave this way because there are so many out there, but you should research and feel comfortable with your activity on mobile devices. Speaking of that, is your device password-protected? If not, it should be!
Monitoring Your Employee Email
Compliance regulations require the monitoring of employee email communication. Although this may seem difficult at first, it is not that bad. If you use Outlook, its rules can find key words or phrases in an email and perform a specified action on that email. For example, if you wanted to stop all outbound email containing the word “account” and have it routed for a compliance check, you can do this in Outlook. Unfortunately, you have to set up the rule on each computer. MS Exchange and Google make this a little simpler: you can set up the rule once on the server for all users. Again, you must have technical knowledge.
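The keyword rule just described, implemented once on the server side rather than in each copy of Outlook, as an added Python example that is not from the article: an outbound message is parsed, its subject and text body are searched for whole-word matches against a keyword list (the article's “account” plus two assumed terms), and any match diverts the message to a placeholder compliance mailbox instead of delivery.

```python
"""Server-side keyword rule for outbound mail. Added example, not from the article."""
import re
from email import message_from_string, policy

# Placeholder mailbox for held mail; not from the article.
COMPLIANCE_MAILBOX = "compliance@example.com"
# "account" is the article's example; the other terms are assumed additions.
KEYWORDS = ("account", "social security", "routing number")

# Constructed sample: outbound message that should be held for review.
FLAGGED = """\
From: adviser@example.com
To: client@example.net
Subject: Your account statement

Hi, your brokerage account balance as of Friday is attached.
"""
# Constructed sample: ordinary message that should be delivered as-is.
CLEAN = """\
From: adviser@example.com
To: client@example.net
Subject: Lunch next week?

Are you free Tuesday to go over the plan? No paperwork needed.
"""

def matched_keywords(raw_message: str, keywords=KEYWORDS) -> list:
    """Return the keywords that appear as whole words in the subject or any text/plain part."""
    msg = message_from_string(raw_message, policy=policy.default)
    text = str(msg.get("Subject", ""))
    for part in msg.walk():                     # covers single-part and multipart messages
        if part.get_content_type() == "text/plain":
            text += "\n" + part.get_content()
    # Whole-word match so "accountant" is not flagged; a production rule would also
    # inspect attachments and may want stemming so that "accounts" is caught too.
    return [kw for kw in keywords
            if re.search(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE)]

def route(raw_message: str) -> tuple:
    """Decide the message's fate: ("hold", compliance mailbox, hits) or ("deliver", recipient, [])."""
    hits = matched_keywords(raw_message)
    if hits:
        return ("hold", COMPLIANCE_MAILBOX, hits)
    msg = message_from_string(raw_message, policy=policy.default)
    return ("deliver", str(msg["To"]), [])
```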
Why Encryption Doesn’t Work
Regulators talk about encrypting sensitive information in email. I personally find encryption does not work well. With encryption, you normally have a password that the recipient must enter. It is one thing to ask a business partner to accept encrypted email, but I find it is nearly impossible to get clients to go through the decryption process. Google offers an encrypting service and it works well, but again, the recipient needs to input the password to read the email, which I find very cumbersome and not worth the problems it creates.
An alternative to encryption is simply not to send sensitive information via email. Call your clients; they like hearing from their adviser. There is always faxing, although I am not a fan of faxes. Sending a password-protected document is crude but works well. Lastly, virtual servers can be used to share information. You will need an ID and password, and they all use SSL.
Understanding the flow of data is the first step to a secure email system. Using SSL is the next step, but most advisers do not check whether it is in use, as most use Outlook with the parameters given to them by the service provider. And don’t forget, good internal email policies and controls will go a long way toward helping you stay compliant with securing client data when communicating through email.