Information Security for Financial Advisers

Just imagine for one moment that you are a financial adviser (IFA).  
Things this year have been tough.  The Retail Distribution Review (RDR) has turned your business model on its head and reduced your industry by 25% in 3 months.  You are having to sit exams and pass them to stay qualified.  You are now having to justify your fee to the client rather than having it embedded in the product they buy.  Compliance around Know Your Customer (KYC) and Anti Money Laundering (AML) has been much enhanced.  You’re having to target new clients just to keep the show on the road. It’s a nightmare.

If you are running an Adviser you need to keep your records in order to satisfy compliance, potentially your umbrella network and ultimately your regulator the Financial Conduct Authority (FCA).  

The answer is automation so you’re investing in laptops for the staff, large file servers, digital archiving at head office, specific industry applications for pricing products, writing suitability letters, lifetime cash flow forecasting.  All computerised records in databases, offsite backup and disaster recovery set-ups.

You probably have user names & passwords on everything, the IT dept have insisted on a firewall and antivirus software so you’re safe right?  Right?

http://www.ifaonline.co.uk/ifaonline/opinion/2296922/is-cyber-crime-the-next-big-threat-to-ifas

Let’s think what a bad guy wants today.  He wants identities, sure stealing 5,000 credit cards from a database seems lucrative but usually only 75% of the cards work, the average take before the card is shutdown is around £200 and you lose between 25-40% getting the cash off the cards and into your bitcoin account.  That’s still £450,000 which is a lot of money.

However, according to moneywise, the average mortgage amount in the UK is £95,883.  Let’s say that the loss of en-cashing that is 40%.  To make the £450,000 you would need 8 fraudulent mortgages.

How to get a fraudulent mortgage….steal an identity!

Financial Advisers have, by their very nature laptops and systems full of identities, with comprehensive documentation, copies of passport, financial histories, maybe house deeds, trading positions.  This is thanks largely to AML & KYC checks and the drive to digitise everything.

This is not a good thing.  

A close family members last interaction with an IFA involved the Adviser taking a digital picture of their passport, driving licence, utility bill & bank statement to re confirm the Advisers internal KYC records.  He attached to my family members wi-fi to send the information to the office in email form.  In general chatter he said he was field based and spent a good deal of time in coffee shops using their wi-fi between appointments. 

The Field Based Adviser
There are several attack vectors to compromise the Information Security of the system right there:

  • Steal the Laptop
  • email the IFA a bit of malware embedded in a PDF or jpeg & hack the pc/laptop
  • Subvert a Pubic Wi-Fi hotspot & wait & then steal the passwords or hack the laptop
  • Subvert a Home Wi-Fi and wait & then steal the passwords or hack the laptop

Take your choice, whichever one you do take you will end up with some identities to steal.  It would be great to embed yourself in the system and have identities on tap so you may choose to use the laptop as a trojan horse.

The Back Office Systems
Many of the systems that support the Adviser industry proudly boast of the encryption they use in the database back ends they supply to offer industry leading Information Security.  If you’re a hacker it may well give you a small pause to break 128 bit encryption but not that much.  Humans have a habit of not understanding encrypted information  so the systems decrypt it for them to use.  That operation could be to download it all onto a USB pen or email it to an outsider.  With a small web search it’s trivial to discover how to hide that sort of information from automated detection systems.  So the information security is removed so that humans can work on it and then they nick it.  Hopefully there is some monitoring in place but probably not.

It’s not just a whole identity that can be stolen.  An individual IFA may be thinking of a move from platform A to platform B, better basic, more perks, whatever.  To increase his value to the new franchise he is going to want to take as much as he can with him.  Again whilst a client’s data is encrypted so that a hacker may be put off, for the IFA to work with it the system helpfully decrypts it for him and probably updates his Outlook client with it.

In Summary?
Information protection is so much in the news with Edward Snowden, Bradley/Hillary Manning etc that IFA’s and Advisers should make a much bigger play around the security of client data.  That involves business process as much as IT solutions and it costs real money.
Most importantly I think the regulator (FCA) should mandate Penetration Tests for IFA’s with the results being made publicly available.  The best disinfectant is a dose of sunlight.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.