Best cybersecurity practices for wealth managers: Why is cybersecurity so important?
Topaz attended the recent panel discussion “Managing the Cybersecurity Threat to Wealth Management” at Wealth Mosaic’s Wealthtech Talks. We heard the cybersecurity experiences of:
- Ali M. Qureshi, Chief Revenue Officer & Co-Founder of SideDrawer
- Nino Vang Vojvodic, Co-Founder & CTO of ALT/AVE
- David Atkinson, Founder & CEO of SenseOn
- Terry Wilson, Global Partnership Director at Global Cyber Alliance
We would like to share our thoughts on their discussion and make additional contributions to the cybersecurity discourse.
Setting the scene is the elevated cybersecurity risk to the wealth management industry. Clients’ high wealth levels, the sensitivity and value of their data, and occasionally antiquated methods of data storage and transfer make high-net-worth individuals (HNWIs) prime targets.
According to the panel, the three most commonly exploited cybersecurity vulnerabilities are:
- Email. Built on an old and weakly protected protocol, email is exploited by sophisticated phishing attacks. Identity and data fraud are threats; so too is simply mistyping a recipient’s address.
- User verification. Weak passwords are vulnerable to brute force attacks. Rigorous password rules, password managers, and two-factor authentication comprise a baseline level of security.
- Misconfiguration of systems or access. Insecure infrastructure and poor access practices are actively identified and exploited by hackers.
Topaz is in full agreement with the panel that email should be eliminated in almost all instances. As we have discussed previously, email presents a litany of security threats. Both the wealth manager and the high-net-worth client are vulnerable to identity fraud and ransomware attacks, while misdirected emails are the number one source of data breaches.
Digital wealth management solutions should remove email from the equation entirely. Far better is a dedicated office-client communication channel that runs on an internal cloud-based software instance. AES-256 encryption can be applied to all communications, including chats, while secure document transfer can be conducted through self-contained portals.
User verification has moved far beyond simple passwords to include password management practices, password lockouts to mitigate brute-force attacks, and two-factor authentication as standard.
Additional layers of security can be added. Biometric data, such as fingerprint scanning, is increasingly used as a third authentication factor.
Digital token apps are an alternative. They consist of a separate mobile application provided to the end-user that asks them to perform a highly secure, one-time registration using a physical card reader with a physical chip card, both provided by the customer. Once the mobile device has been registered, the digital token app can be used to scan QR codes to gain access to the platform.
Misconfiguration of systems and access
The message from the panel was “take as good care of the data as the money”. According to IBM, misconfigurations can be caused by one or a combination of these reasons:
- Software or hardware updates
- Human error by an employee when configuring a system
- Backdoors left in place for maintenance purposes
Hence, it is vital to acknowledge these risks and take preventive measures. A solution with strict access controls minimizes systems and access risks by design.
Establishing cybersecurity as part of company culture
The panel also considered the culture and processes within the wealth management organization itself. There is a danger that wealth managers find security measures cumbersome, time-consuming, and detrimental to their core value of growing client wealth. This can lead to costly errors. According to a report by Shred-It, nearly half of business leaders revealed that they had experienced at least one data breach as a result of employee negligence. To mitigate this, companies need to establish cybersecurity as a part of their company culture, ensuring that all staff are continually made aware of the risks and of the legal and reputational consequences to the firm.
As Ali M. Qureshi of SideDrawer said, “by demonstrating a commitment to safeguarding client data […] you are differentiating yourself”.
Our security principles
Topaz has been designed from the ground up as a secure system to ensure customer peace of mind. In particular, the following core principles are intrinsic to our solution:
- Authentication is always multi-factor and a federated identity management (FIM) option provides customer single sign-on (SSO) and enforcement of customer security policies.
- Client personal data is only persisted in a dedicated customer datastore; this can be located in a private cloud that is owned by the customer.
- Customers retain control and ownership of their clients’ data.
- User access control is managed by the customer.
- Topaz staff cannot log in to the live product (unless explicitly provisioned and requested by the customer).
- Data processed is always encrypted at rest, in transit over networks, and between internal services.
- Customer keys and other secrets are managed securely using a key vault.
- Active monitoring for security threats is in place.
- Topaz is subject to an ISO/IEC 27001 certification program and regular independent penetration testing.