Advisers need to up their game on data security – providers should not obstruct them from doing so says F&TRC director Ian McKenna
Around half of the FCA’s 2019/20 business plan is focused on technology, with a particular focus on cyber security. This must make it inevitable that we will see new regulatory requirements soon.
Inevitably there will be a review of previous guidance to be sure it is being acted on. This could be an enormous problem for the pensions and financial advice markets.
As long ago as 2008 the then FSA published its Data Security in Financial Services report. This gave valuable guidance into both digital and physical security. In March 2019 the FCA published its own research paper, Cyber Security – Industry Insights. Both documents are essential reading for any advice business.
The 2008 report was clear: if a regulated business suffered a data breach they would expect the firm to take action to protect customers against any future loss. Back then the FSA identified that the average cost of rectifying a data breach was £55 for each customer record.
The same report highlighted that the regulator did not consider webmail such as Hotmail, Yahoo and Gmail suitably secure for client communications. Despite this, in my experience around one in five IFA firms still use such services for their standard email.
At the recent Empowering Advice Through Technology conference in London a poll of delegates found that only 13 per cent of firms sent all client communication as encrypted, while another 25 per cent only sent client communications via a secure client portal. A significant 62 per cent of delegates admitted their firms did neither. Given the audience was adviser firms specifically interested in getting the best out of technology, I suspect this actually overstates the situation on the ground.
During last month’s Technology Tools for Today conference in San Diego US fintech gurus Joel Bruckenstein and Bob Veres shared their own recent research that showed only 7 per cent of US advisers have ever engaged with an external cyber security expert. I suspect this would be a more accurate view of the UK too.
I have long been concerned about the extent of this issue but have mostly remained mute on the subject because there has not been a viable industry solution readily available to fix the problem. This is no longer the case.
At Empowering Advice Through Technology, Origo and Beyond Encryption, the specialist email security business established by industry stalwart Paul Holland, who was the original driving force behind the Webline protection system, announced a new joint-venture, Unipass Mailock. This is available free of charge to IFAs to encrypt their communications with life offices, pension providers and platforms, and for an additional £8.50 plus VAT per adviser employee per month this can be extended to all client communications. The system won a coveted “best in show“ award voted for by advisers and wealth managers at the event.
It is only fair to point out that this is not the only solution in the market. Filehaven, Secure The File and Qwil have all built solutions designed to address similar issues. Comparative analysis of each of these and other generic solutions can be found at www.advisersoftware.com/regulation-why-is-secure-communication-essential/.
What differentiates Unipass Mailock is that 45,000 advisers and their support staff already have Unipass IDs that can be upgraded to adopt the new system free of charge for their communications with insurers, pension providers and platforms.
Worryingly I am hearing that there are some pension providers and platforms that are refusing to accept any encrypted communication from advisers. This is putting both advice firms and their clients at considerable risk and is totally unacceptable behaviour. It is not a stretch to think that both the FCA and the ICO would take a very dim view of this. The companies involved should be thinking long and hard about the liabilities and fines they might be exposing themselves to as a result.
Unipass Mailock on its own will not address all the cyber security issues within an adviser firm, but it offers a level of security that should be firms’ standard for email communication with providers. Client communications should ideally be via an adviser firm’s own dedicated client portal, but there will always be some clients that don’t want to work this way so I see Mailock as an ideal backup solution for such situations. It should certainly be a key part of any adviser’s cyber security set up.