Naming and shaming

Anyone who reads or watches the news will be aware of what a big and growing problem cybercrime is. In fact you would be forgiven for being very paranoid about most things that you do online.

One of the problems is that the easier, more automatic and more connected we make everything in our lives, the more entry points and routes to our data we give criminals.

So you would think that the financial services industry would be watertight (after all, they control our money), but you would be wrong. On a weekly basis we at Altor come across poor security practice amongst the firms that we have to interact with.

The worst example we have had is Vitality, who are a protection provider. This was the only protection company that required copies of our partners’ passports to do business with them. Not a problem in itself, but they wanted them scanned and emailed or faxed to them with no password protection. Given the ID theft risk we declined to deal with them.

Email is one of the biggest problems we have with other financial services firms. Routinely we are offered, or asked for, client data over unsecured email. We recently declined to send a client’s name, date of birth, address, provider, policy number and scanned signature to a provider via email. When we asked for a secure method to transmit the information we were told that they couldn’t even accept a password-protected PDF, as they had no way of getting the password from us. Again we declined to do this, bearing in mind that there was enough information here to empty a client’s account.

The problem with email is that, although it is more secure than it used to be, it still depends on the servers and networks it passes across. Each mail server that relays the message makes its own copy, and those copies are left at the various waypoints on the journey to the other person’s inbox. In addition, once received, there is little to stop the information being passed on via email to others.

The government’s guidance on email is actually very useful and readable. They recommend TLS (Transport Layer Security) for emails and this is what we have in place with the main business that we communicate with on behalf of clients.
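The two points above can be checked on any message you receive: every relay that handles a message prepends a `Received:` header naming itself and the transport it used, so the path and the hops that were (and were not) protected by TLS can be read back from the headers. The script below is an added illustration, not Altor's tooling and not part of the government guidance; the sample message, host names and addresses are constructed, and the `ESMTPS`/`ESMTPSA` keywords and TLS version strings it looks for are the ones mail servers record for a TLS-protected hop.

```python
import email
import re
from typing import Dict, List

# Constructed sample message, not a real capture. Three relays handled it; the
# middle hop (relay -> mx) used plain ESMTP, so that copy travelled in cleartext.
SAMPLE_MESSAGE = b"""Received: from mx.example-adviser.test (mx.example-adviser.test [192.0.2.10])
    by mail.example-provider.test (Postfix) with ESMTPS id 4Hx1
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
    for <claims@example-provider.test>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.5])
    by mx.example-adviser.test with ESMTP id 9Zq2;
    Mon, 1 Jan 2024 10:00:01 +0000
Received: from laptop.example-adviser.test ([203.0.113.7])
    by relay.example-isp.test with ESMTPSA id 7Ab3
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
    Mon, 1 Jan 2024 10:00:00 +0000
From: adviser@example-adviser.test
To: claims@example-provider.test
Subject: Policy documents

Body omitted.
"""

# "with ESMTPS" / "ESMTPSA" (RFC 3848 keywords) or an explicit TLS version
# string both indicate a TLS-wrapped hop; "with ESMTP" / "SMTP" alone is cleartext.
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z]+)")
_TLS_RE = re.compile(r"\b(TLSv?1[._]\d|SSLv3)\b")
_FROM_RE = re.compile(r"\bfrom\s+(\S+)")
_BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_hops(raw_message: bytes) -> List[Dict[str, object]]:
    """Return the relay hops recorded in Received: headers, oldest first.

    Each relay prepends its own Received: header, so the headers are stored
    newest first; reversing them follows the message's actual path.
    """
    msg = email.message_from_bytes(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received") or []):
        text = " ".join(str(header).split())  # unfold continuation lines
        with_m = _WITH_RE.search(text)
        protocol = with_m.group(1).upper() if with_m else "UNKNOWN"
        from_m = _FROM_RE.search(text)
        by_m = _BY_RE.search(text)
        hops.append({
            "from": from_m.group(1) if from_m else "?",
            "by": by_m.group(1) if by_m else "?",
            "protocol": protocol,
            # An 'S' after SMTP in the keyword, or a TLS version, means encrypted.
            "tls": protocol.startswith(("ESMTPS", "SMTPS")) or bool(_TLS_RE.search(text)),
        })
    return hops


def unprotected_hops(hops: List[Dict[str, object]]) -> List[str]:
    """List the legs of the journey on which the copy was handed over in cleartext."""
    return [f"{h['from']} -> {h['by']}" for h in hops if not h["tls"]]


if __name__ == "__main__":
    path = parse_hops(SAMPLE_MESSAGE)
    for i, hop in enumerate(path, 1):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} via {hop['protocol']}: {status}")
    print("unprotected legs:", unprotected_hops(path))
```

Two caveats when reading the result. Each `Received:` header is written by the relay named after `by`, and an upstream relay can write whatever it likes, so only the headers stamped by servers you operate are reliable evidence; the others are a best-effort picture of the route. And this is an after-the-fact check on one message; making sure TLS is used on every future message to a given firm is a mail server configuration matter (the guidance referred to above covers this), not something the recipient of a message can fix.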

To minimise the general risk we try to limit our communication with clients to secure messaging via our secure portal. This is a more secure method of communication but still seems to be rare amongst advisers in the U.K.

So in terms of financial firms the worst culprits seem to be the legacy life assurance monster firms (investment bonds and pensions) out there. Better practice seems to be in place with the more modern asset management companies (ISAs and platforms). This may be a product of the size or age of the firm, but either way it is worrying.
