
‘Cyber attackers pose same cost to small IFAs as FTSE 100s’

“It ranks as the fourth biggest challenge for financial advice businesses, after regulatory disruption, personal indemnity renewal and the Financial Services Compensation Scheme levy. 

Managing director at Moneyinfo, Tessa Lee, said the single biggest data security risk to adviser firms is simply emailing the wrong client with someone else’s personal data.


“You’d be forgiven for thinking that phishing attacks are the most common cyber-security risk,” she said.

“It’s so easy to send an email to the wrong person and you feel so stupid afterwards both having to apologise to your client and then disclosing the error to the Information Commissioner’s Office.”

It’s no safer to post, Lee said.

“Even if you avoid email and rely on the post to deliver your correspondence as you think it’s safer, you might want to consider that the second most common security breach reported to the ICO is posting or faxing a document to the wrong client.”

Some advisers have emailed FTAdviser, wishing to remain anonymous, saying it can be hard to get clients - particularly older ones - off email. 

“The other side of the coin is the human courtesy advisers owe to our clients. In many cases my clients are elderly, and conquering email has in itself been a triumph for them. Adding on secure portals and passwords or passcodes can feel quite daunting,” one adviser said.

“For others of a younger generation, it is an annoyance – two-factor authentication and emails that don’t actually tell you anything but make you click a link are irritating, and can put people off a particular provider.

“As with all things security, we have to be careful not to alienate people in the name of layers dreamed up by boffins whose job is to create more IT technology, not necessarily user-friendliness.”

Technology providers would argue that email and post do not meet the basic test set by Data Protection Act Article 25 (1), which states that firms must take into account the state of the art and implement appropriate technical and organisational measures to safeguard clients’ personal data.

“Email and post don’t meet this basic test. Any adviser firm still sending data via email or post is not taking appropriate care with their clients’ data,” said Lee.

ruby.hinchliffe@ft.com