Ian McKenna: The Provider-Adviser Tussle Over Cyber Security

Inevitably, there will be a review of previous guidance to make sure it is being acted on. This could be a significant problem for the pensions and financial advice markets.

As far back as 2008, the then FSA published its Data Security in Financial Services report, providing valuable guidance on both digital and physical security. In March 2019, the FCA published its research paper, Cyber Security – Industry Insights. Both documents are essential reading for any advice business.

The 2008 report was clear: if a regulated business suffered a data breach, they would expect the firm to take action to protect customers against any future loss. Back then, the FSA identified that the average cost of rectifying a data breach was £55 for each customer record.

The same report highlighted that the regulator did not consider webmail such as Hotmail, Yahoo, and Gmail suitably secure for client communications. Despite this, in my experience, around one in five IFA firms still use such services for their standard email.

At the recent Empowering Advice Through Technology conference in London, a poll of delegates found that only 13% of firms sent all client communication as encrypted, while another 25% only sent client communications via a secure client portal.

A significant 62% of delegates admitted that their firms did neither. Given the audience was adviser firms specifically interested in getting the best out of technology, I suspect this overstates the situation on the ground.

During last month’s Technology Tools for Today conference in San Diego, US fintech experts Joel Bruckenstein and Bob Veres shared their recent research showing that only 7% of US advisers have ever engaged with an external cybersecurity expert. I suspect this would be a more accurate view of the UK too.

I have long been concerned about the extent of this issue but have mostly remained quiet on the subject because there has not been an industry solution readily available to fix the problem. This is no longer the case.

At Empowering Advice Through Technology, Origo and Beyond Encryption, the specialist email security business established by industry stalwart Paul Holland (the original driving force behind the Webline protection system) announced a new joint venture, Mailock With Unipass.

Mailock With Unipass is available free of charge to IFAs to encrypt their communications with life offices, pension providers, and platforms, and for an additional £8.50 per adviser employee per month, this can be extended to all client communications. The system won a coveted 'best in show' award, voted for by advisers and wealth managers at the event.

It is only fair to point out that this is not the only solution in the market. Filehaven, Secure the File, and Qwil have all built solutions designed to address similar issues, with comparative analysis of each of these and other generic solutions already being undertaken.

What differentiates Mailock is that 45,000 advisers and their support staff already have Unipass IDs that can be upgraded to adopt the new system free of charge for their communications with insurers, pension providers, and platforms.

Worryingly, I am hearing that some pension providers and platforms are refusing to accept any encrypted communication from advisers. This is putting both advisory firms and their clients at considerable risk and is totally unacceptable behaviour.

It is not a stretch to think that both the FCA and the ICO would take a very dim view of this. The companies involved should be thinking long and hard about the liabilities and fines they might be exposing themselves to as a result.

Mailock on its own will not address all cyber security issues within an adviser firm but offers strong outbound security for email communication with providers.

References:

Regulation: Why is Secure Communication Essential, AdviserSoftware, 2020

Reviewed By:

Sabrina McClune, 05.06.24

Sam Kendall, 05.06.24