How do you batten down the hatches on data?

How do you reconcile the apparently conflicting demands of ‘battening down the hatches’ to secure yourself against cybersecurity risks, whilst providing your clients with easy, secure online access to their financial records?
This is the question a lot of our wealth management contacts have been asking themselves.
We believe we are at a key inflexion point in the way wealth management providers use technology to power their businesses. Traditionally, technology has been used to maintain books and records of client structures. These first-generation trust and corporate services administration systems were very good at managing client structures, across different jurisdictions, with multi-currency charts of accounts and investments. It is testament to the quality of many of the systems that originated around the turn of the century (post-Y2K) that they are still around today and being actively used by some of the top providers. In recent years, however, many wealth management providers have been investing in new or upgraded systems with workflow capabilities and enhanced automation and are seeking to leverage the benefits of this.
Based on first-hand discussions with our clients, partners and other FinTech providers, one of the next big challenges to face wealth management firms is how to provide more real-time access to client data without opening themselves up to an unacceptable level of cybersecurity risk.
Client expectations are changing
The next generation of wealth management clients will have much higher expectations than current clients. They will expect to self-service their requirements: to communicate electronically, access details of their structures online / via an app, and be able to produce their own reports.
Unlike today, where structures are often bookkept on an infrequent basis, the clients of tomorrow will expect to have access to accurate near real-time positions of their assets and liabilities. In addition, they will expect to be able to see statutory information regarding their investment structures with information that will assist them in making investment and restructuring decisions. This is going to place significant pressures on wealth management firms who will no longer be able to rely on manual processes and emailed reports at the end of a period.
The response to this requirement is to provide access to your clients’ data using a client portal. Typically, this will be web-based and/or accessible via a mobile app. The functionality available in portals can range from a simple shared document repository right through to providing secure access to the wealth management back office systems.
Providing such open access to your client records not only poses a security challenge, but may also require a significant change in business processes to ensure that back office systems are always kept in a position that you are happy for your clients to see.
What to consider when creating a Secure Web Portal
It goes without saying that if you are intending to provide your clients with access to the data you hold on their behalf, it must be done securely. The data needs to be protected from an integrity perspective as well as being protected from hackers and other illegitimate users. You need to consider if you are providing access to real-time data or data as at a specific point in time, which could be the end of the previous month, or close of business the previous working day.
The portal itself must have banking-level security and should be regularly penetration tested against known threats such as brute force, key logging and SQL injection attacks. Our Sirius Wealth Management Portal has its roots in financial services internet-facing systems and we have many years of experience in this area.
Another area to be concerned about, particularly with respect to the EU GDPR, is data governance. The impact of the GDPR is likely to be significant for most wealth management providers, who will need to assess how they collect and record personal data and whether explicit consent has been obtained. Communicating personal information via insecure means, such as email, could become an issue, particularly with respect to where the personal data is physically stored during the communication process. Our Secure Messaging Module seeks to address this.
Many of the newcomers to the portal market are cloud-based and have not come from a financial services background. This means they may not have as much concern for the location of your client data as a wealth management provider has. Even now that tax transparency is a given, there are still lots of reasons for your clients to know where their personal and financial data is held and to base their choice of provider on these factors.
Digital governance
The cybersecurity, data governance and client access issues discussed here are just one aspect of a wealth management provider’s digital strategy. This is why it is essential that wealth management firms in particular have robust digital governance in place.
Most wealth management firms are taking cybersecurity very seriously, but the individual approaches are different. If you want to ensure that your business is fit for the next generation of wealth management clients then you can’t have a digital strategy that is solely based on boundary defences and securing your client data from the outside world. Investing in secure web portal-based technology will give you the capability to provide the right access to client data to the right people – with confidence and control.