I was recently on-boarding a client into our estate planning software program, when suddenly they mused, “Wow, if someone breaks into this system, they will know everything about me.”
While we certainly worry about digital assets and information — credit cards, bank information and even our investment accounts — all of these items are aggregated in someone’s estate plan. How can we protect our clients’ delicate personal information from the less scrupulous denizens of cyberspace?
My brother is a police officer in a major city, and he recently gave me some really good advice about safety and, more importantly, how to protect yourself. While it is easy for technology platforms to offer up canned responses with regard to cybersecurity, I thought I would share some wisdom from the law enforcement perspective:
First, consider that cyber-criminals are “complex simpletons”. This may sound nonsensical on the surface, but what it means is that while they are sophisticated in how they commit crimes, what they are really after is simple: basic information and data they can easily turn into money, such as card numbers, bank details and identifiers usable for identity theft. With that in mind, it is imperative for advisors to limit the client information they collect and to control who has access to it.
Do not include anything a criminal can easily turn into money in your clients’ estate planning documents and records: no credit card numbers, no bank routing or account numbers, no Social Security numbers. If your client passes, trust me, the credit card companies will come knocking on the family’s door to get paid; they will mail statements, and the family won’t have to look for them. To move a bank account the family will have to go to a branch in person, and they won’t need a routing number to do it. Social Security numbers are already on file with the institutions; the family will only need one for the hospital and for filling out documents later. A good rule of thumb is: don’t store it if you don’t have to. A field you never collected cannot be stolen from you, and keeping it out of the record is far easier than protecting it afterwards.
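The “don’t store it” rule can be enforced mechanically before a note is saved. The following is an added example, not code from Yourefolio or from the author: it scans free-text client notes for payment card numbers, ABA routing numbers and Social Security numbers, validates each candidate with its checksum or format rule so that ordinary policy or case numbers are not flagged, and replaces confirmed hits with a placeholder. The note format and the sample note are constructed for illustration; the card number is the standard Luhn-valid test number and the SSN is a placeholder.

```python
"""Pre-storage scanner for data classes an estate plan should never hold:
card numbers (Luhn check), ABA routing numbers (3-7-1 checksum) and SSNs
(SSA format rules). Added example; the note format and sample are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "pan", "routing" or "ssn"
    value: str   # the text exactly as it appeared in the note
    start: int   # character offsets in the note
    end: int


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_valid(digits: str) -> bool:
    """ABA routing transit number checksum: weights 3,7,1 repeating, sum % 10 == 0."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    total = (3 * (d[0] + d[3] + d[6])
             + 7 * (d[1] + d[4] + d[7])
             + 1 * (d[2] + d[5] + d[8]))
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA rules: area is never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")     # 13-19 digits, optional separators
ROUTING_RE = re.compile(r"\b\d{9}\b")                 # bare 9-digit run
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")   # dashed form only; bare 9 digits go through the ABA check


def find_sensitive(note: str) -> list[Finding]:
    """Return every checksum- or format-validated hit, ordered by position in the note."""
    hits: list[Finding] = []
    for m in PAN_RE.finditer(note):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            hits.append(Finding("pan", m.group(), m.start(), m.end()))
    for m in ROUTING_RE.finditer(note):
        if aba_valid(m.group()):
            hits.append(Finding("routing", m.group(), m.start(), m.end()))
    for m in SSN_RE.finditer(note):
        if ssn_plausible(*m.groups()):
            hits.append(Finding("ssn", m.group(), m.start(), m.end()))
    return sorted(hits, key=lambda f: f.start)


def scrub(note: str) -> tuple[str, list[Finding]]:
    """Replace each hit with a tagged placeholder so the stored copy never contains it."""
    hits = find_sensitive(note)
    out, pos = [], 0
    for f in hits:
        out.append(note[pos:f.start])
        out.append(f"[REDACTED-{f.kind.upper()}]")
        pos = f.end
    out.append(note[pos:])
    return "".join(out), hits


# Constructed sample note. 011000015 passes the ABA checksum, 4111 1111 1111 1111 is
# the standard Luhn-valid test card number, 123-45-6789 is a placeholder SSN. The
# policy and case numbers fail their checks and must survive untouched.
SAMPLE_NOTE = (
    "Client notes: checking account routing 011000015, spouse SSN 123-45-6789, "
    "Visa ending 4111 1111 1111 1111. Policy number 1234567890123456 and case "
    "number 987654321 are fine to keep."
)

if __name__ == "__main__":
    clean, found = scrub(SAMPLE_NOTE)
    for h in found:
        print(f"{h.kind:8} at {h.start}: {h.value}")
    print(clean)
```

Run it in the save path of whatever intake form you use and either reject the submission or store the scrubbed text; logging the findings (kind and position, never the value) gives you a record of how often staff try to paste in data that should not be kept. The checksums are what keep the false-positive rate tolerable: a bare 9- or 16-digit regex on its own would flag every policy number.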
Second, play the criminal. Yes, role-play the bad guy and look at it from his point of view: how would he get information about your clients? Criminals love email, and they love for you to open attachments; it is their favorite way to get into your computers. Simply don’t open anything you don’t recognize, especially attachments and links. Pick up the phone and call the sender at a number you already have to make sure the request is legitimate. Don’t service accounts or pass valuable information over email. Spam and phishing are their delivery channel, so keep your operating system and applications patched and run current endpoint protection; basic hygiene does help. Once they have one password they will try it against every other account they can find, so make each password long and unique, never reuse one across your clients’ accounts, use a password manager to keep track of them, turn on multi-factor authentication wherever it is offered, and change any password the moment you suspect it has been exposed.
Third, don’t become complacent. The moment you take something for granted is the moment it will come back to bite you. Be aware of your surroundings, and yes, I mean the systems you are using. Check the security of the site. Is every page, including the login page, served over TLS with a valid certificate from a recognized authority and modern cipher suites? (The “256-bit” figure vendors advertise refers to the AES session key that protects the connection, not to the certificate, which typically carries a 2048-bit RSA or 256-bit elliptic-curve key; your browser’s certificate viewer or a public TLS scanner will show you both.) Is your data encrypted at rest, and who holds the keys? Does the vendor have a current SOC report from an independent auditor (a SOC 2 Type II is the one that covers security controls) rather than a self-assessment? If it doesn’t, you need to decide whether you trust that system to store your documents and information.
One of the most effective ways a service organization can communicate information about its controls is through a Service Organization Control (SOC) report (the AICPA now expands the acronym as System and Organization Controls). A SOC 1 report focuses on controls at the service organization that would be useful to user entities and their auditors for the purpose of planning a financial statement audit of the user entity and evaluating internal control over financial reporting at the user entity; it is about financial reporting, not security as such. The report that covers security, availability, processing integrity, confidentiality and privacy is the SOC 2, and a Type II SOC 2 tests that the controls operated effectively over a period rather than merely existing on one date, so that is the one to ask a software vendor for. Either report contains the service organization’s system description and an assertion from management, together with the opinion of the independent service auditor (i.e., CPA firm).
As for Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (superseded by SSAE No. 18 in 2017, which current reports will cite), user organizations (also referred to as “user entities”) that obtain a Service Auditor’s Report from their service organization(s) receive valuable information regarding the service organization’s controls and the effectiveness of those controls. The user organization receives a detailed description of the service organization’s controls and an independent assessment of whether the controls were placed in operation, suitably designed and operating effectively. Read the auditor’s opinion and any noted exceptions rather than stopping at the cover page; a report is an attestation, not a certificate.
Bottom line: only do business with companies that have protection in place. If you are on top of things you can greatly reduce the chance of becoming a victim or exposing your clients, but the instant you fall asleep is the moment hackers will grab their information. Also, check your accounts and their activity regularly; I suggest once a week, or at least monthly. Remind your clients to do the same.
Lastly, keep reading and educating yourself on the latest security trends. There are many good articles on cyber-crime and cybersecurity, and consistently following the latest threats and countermeasures will keep you ahead of the game. Be smart and you can keep yourself and your clients safe. Pass these tips on to them, and when they ask about the security you employ, make the response real, not canned.
Scott Huff is the CEO of Yourefolio and a practicing advisor.