Preparing a security guide for clients is a best practice, says an IT expert
You’re used to reassuring clients about volatile markets, but what about soothing their cybersecurity concerns?
According to Edelman’s 2021 Trust Barometer, two thirds of Canadians said they were worried about cyberattacks — more than those who were worried about contracting Covid-19. With the Canadian government now warning businesses about Russian cyberattacks, those concerns can only increase.
You should be able to answer clients’ cybersecurity questions at any time, but you should also brief them on the topic during the onboarding process, said Ivo Wiens, senior manager for security solutions architecture with CDW Canada, an IT reseller and services company.
This education process should include a client-friendly document that explains what security measures your practice is taking.
“Avoid technical jargon and use graphical examples of what a normal interaction will look like,” Wiens said. “The document should be clear and not lengthy.”
This security guide should set out a list of controls you’ll follow when interacting with clients, Wiens advised. These controls can help clients and advisors to avoid fraud in which criminals impersonate clients via email or phone, convincing advisors to release funds to fake accounts. Controls can also stop fraudsters from fooling clients into giving up their own details.
“Clearly outline what methods of communication will be used, what questions will be asked and what information you will never ask for via insecure communication channels like email,” Wiens said, adding that off-limits info should include passwords and social insurance numbers.
“Outline the type of questions your firm will and will not ask,” and tell clients to check the security guide when they feel uneasy about a transaction, he added.
Other guidelines include agreeing to a communications channel for verifying transaction requests from clients, said Alexander Poizner, co-founder and CEO of Toronto-based cybersecurity consulting company Parabellyx, which advises several hedge funds on data security. Calling clients at a specific number to confirm transactions is ideal, and that number shouldn’t be mentioned in other insecure channels like email.
The document should also include a number for clients to call if they’re worried about a recent interaction, Wiens added. Consider reminding your advisory team to refresh themselves on the document guidelines each quarter.
Be ready to address security concerns
Clients might also raise their own security concerns, and advisors should be ready to answer them.
One of the biggest concerns will be data loss from hackers and ransomware. Many clients might not trust a small advisory practice to manage data securely, Poizner warned. So the answer can be to let someone else do it.
“The best way to approach it is to say that a company specializing in this protects us, or that we do not store this information,” he suggested.
Poizner recommended cloud-based services for smaller advisors and wealth managers because the companies running them are well-versed in protecting data. This includes specialized services for advisors along with more generic productivity suites like Microsoft’s Office 365.
Clients — especially wealthy ones — might not want their data stored in another country where their governments might gain access. Check for Canada-based storage options, Poizner advised.
You can further boost client confidence by telling clients about extra measures you take to protect their online accounts, Poizner added. That could include using two-factor authentication (typically via an authentication app) to ward off phishing attacks and other password theft.
You should also have a business continuity plan to continue operating in the event of a cyberattack, Poizner said. While clients don’t need to know the details, they’ll be reassured by the fact that you have measures in place to continue operating if an attacker takes your practice offline temporarily.
Using digital services to make things more convenient for clients can gain you more business, but the savviest practices also reassure clients that their data is safe. As headlines about data breaches continue to emerge, a little upfront communication can go a long way.
Source: Investment Executive