Your clients trust you with their money, but do they trust you with their personal information?

Written on Mar 21, 2017

By Jason Guyler

You work hard your entire life to build a business and career with a loyal client base. One of the key traits in building that client base is a relationship based on trust. Convincing someone to trust you to provide a service for them, such as manage their money or to have access to their financial information to prepare their taxes, takes a lot of continued effort.

You must build trust by respecting the information you receive and being disciplined in how the information is used and with whom it is shared. Clients assume you are putting every effort into protecting their data as a part of the service you provide. You must treat your client’s information with care and implement appropriate controls. This care starts with internal controls; due diligence must also be extended to vendor oversight; from your janitorial service to your IT service company.

Image this scenario: What if you learned your landlord let someone into your office space when you were away? And that person photocopied many of the files from your file cabinet. The situation is nearly the same if your company is breached through a cyber-attack. Information must be kept confidential at all costs. Your company’s reputation is at risk if the information you have been trusted to protect is leaked. Without an appropriate plan in place to protect your assets, your clients’ trust and your business are all at risk.

The Financial Planning Association’s Research and Practice Institute recently stated only 4 in 10 financial advisors understand the issues and risks associated with cyber security; but 81% of them stated that it is a major concern. This reflects a significant disconnect between the importance companies put on protecting data and the implementation of a program to protect the data.

The same report states only 53% of companies have completed a ‘Governance and Risk Assessment,’ the first step toward compliance and understanding your businesses' overall risk profile. With your business at risk, can you afford not to explore your company’s cyber risk preparedness? How would you know if you are not sufficiently protected?

Maintaining client trust and business reputation are not all an organization should be concerned about when it comes to cyber risks; regulatory compliance is another significant issue. Financial institutions, including tax preparers, are required to follow the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. GLBA, was enacted in 1999 for the purpose of implementing adequate security controls and processes to protect the privacy of consumer’s Personally Identifiable Financial Information.

Although financial institutions and tax preparers need to follow these governances; many are unaware they exist, much less understand how to comply. The penalties for lack of compliance are high and include fines up to $100,000 for each violation, with a maximum fine being $1.5M. Also, officers and directors can be fined up to $10,000 for each violation and could include imprisonment for up to five years!

Information security has traditionally been delegated to the technical IT staff with little executive management oversight or involvement, however this approach is no longer considered adequate by cyber security professionals to provide an effective cyber risk management process for CPAs.

Executive management needs to build a risk averse culture where all employees are aware of threat vectors and policies and practices are in place to be compliant. An effective risk management process requires much more than technical solutions. As cyber criminals evolve and use new tricks like ransomware (up 300% this year) and phishing to extract money and information from companies, a new framework needs to be implemented to protect a company’s assets.

So now the need for an effective risk management program has been established, how is such a program implemented? Guidelines for compliance with FTC’s GLBA safeguards include establishing an effective risk management program based on the following core components:

•Conduct an annual risk assessment
•Prepare an annual security risk management work plan
•Assign responsibility for risk management functions
•Develop a written information security policy
•Create a security incident response plan
•Implement security awareness training
•Build a vendor oversight management program Performing an annual risk analysis based on National Institute of Standards and Technology guidelines is the cornerstone of an effective risk management program!

Implementing an effective risk management program can be a lot of work; however, can you really afford to ignore risks? A Gartner study shows 94% of companies do not survive two years after a major loss of company records. The reasons for the demise of these companies are varied but come down to one key thing, client trust. If a client does not trust you with their personal information, they will not trust you with their business.

Clients and potential clients are becoming more and more savvy about who they trust with their information. People are tired of being victims of cyber-crime and are demanding their information be kept safe. Implementing appropriate safeguards are mandated by government regulations and assurances requested by your customers.

More and more clients are asking questions about what safeguards are in place to protect their information and when they leave a business, they are asking about the destruction of their information both physically and electronically. As clients, they want to know where their data is being stored, who has access to it and how is it being protected? These are important questions you should be asking businesses as a customer, but it is also imperative you know your company’s own risk profile as well as any gaps in your cyber risk management controls.

Jason Guyler is a business development partner at CyberRisk Management.

Leave a comment