As FINRA and the SEC establish new IT mandates, security is more critical than ever
by Steven J. Roy
Mr. Roy is Chief Operations Officer of Steven Roy Management and Chief Operations and Compliance Officer for Cambyses Financial Advisors, LLC.
COVID-19 spotlighted how disjointed file-to-file transfer systems could be, especially with everyone working on different systems and many investment and insurance agencies lacking needed IT support.
Within the finance sector, security is critical and FINRA and the SEC both mandate that firms develop and maintain procedures to ensure data security for internal and external communications.
Fundamental to that mandate is:
- Protecting data while it is at rest,
- Protecting data while it is in motion,
- Knowing where that data is at all times,
- Knowing who has access to it,
- Robust and relatively simple implementation.
Weakest Link Is Also The Most Frequent
For small and mid-sized Registered Investment Advisors (RIA) and their representatives, the weakest link in this process is, ironically, the most frequently used: the connection between the representative and the client.
Firms that have only minimal technical support or who outsource system security often adopt cloud-based solutions for their frequent or large file transfers. This solution employs a cloud-resident “mailbox,” into which communications are deposited for later download, review, and discussion between the representative and the client.
If files are too large to transfer by e-mail or through cloud-based systems, firms adopt some variation of File Transfer Protocol (FTP) or its somewhat more secure variants, the secure file transfer protocols SFTP and FTPS, or (shudder) Secure Sockets approaches.
Most of these solutions handle authentication adequately, employing a two-factor authentication system and/or knowledge-based access controls. Unfortunately, they seldom address the remaining criteria:
- FTP and cloud-based transfer protocols require extensive system modifications – including port reassignment and configuration to bypass protections in the firm’s, the representative’s, and the client’s Virtual Private Networks (VPNs) and firewalls. These machinations are not trivial – thus requiring extensive technical support. (Good luck getting your IT department to open ports for this! Even better luck walking your clients through an implementation.)
- Logistics are often problematic when you employ FTP (or some variation of it) for large-file transfers. Keep your fingers crossed that you do not lose internet or network access in the upload or download process because if you do, you must start all over again.
- Further, there is little or no way to enforce security protocols on client communications. Show of hands: how many of us receive unsecured PDF attachments containing sensitive data and PII on a daily basis from clients via standard e-mail?
- Cloud-based solutions “park” your data in on-line servers that may or may not provide adequate security. Unless your storage needs are minimal, you “rent” cloud space (inevitably more and more space at increasing rates). For this dubious privilege, you sacrifice virtually any control over database security and database location. You become entirely dependent on the vendor (and their marketing policies) to control access and distribution.
- Unfortunately, vendor protections are unreliable. Cloud data storage systems are beset by security breaches, data leaks and risks that expose confidential information or result in total file loss. File transfers via cloud-based tools rely on a vulnerable third party to pass your data along. One researcher estimates that, since 2018, data breaches resulting from cloud misconfigurations have cost organizations $5 trillion to remedy.
So, How Does An RIA Or Representative Deal With These Tech Issues?
The answer is simple: a file transfer system that requires no cloud and no separate encryption step, one in which any client can simply drag and drop data into an email and press send.
By deploying a protocol that requires no manual encryption or conversion, files, even large ones, can be sent and opened seamlessly end to end. Why is that an advantage, and how would someone in a small- or mid-size investment firm or insurance agency benefit from this type of technology?
There are cloud-free options such as shayre, a file transfer protocol that provides several appealing answers — cloud-free operation, end-to-end AES 256-bit encryption and simple, secure implementation at both the representative and client ends.
When looking for file transfer options, you will want to ensure the product allows unlimited files and file sizes to be transferred between as many devices as needed, without the need to upload or download to the cloud, as shayre offers.
“The idea behind shayre was that existing solutions had file size limitations and were not effective in securely transferring files from one point to another. Onerous uploading and downloading paradigms constantly failed,” said Chris Monte, CEO and Co-Founder of shayre. “With all of the hackings and middleman attacks, storing data in the cloud was not an option from a security perspective.”
From a user standpoint, an application like shayre addresses primary issues amongst financial firms and institutions like it did for us at Cambyses Financial Advisors LLC. When choosing an application for file transferring, ensure you keep these four elements in mind:
- Implementation. You will want no more than a five-minute process once the parties are all on-line. Whatever platform you choose, make sure it doesn’t require much from you and your team: it should not need technical assistance, reconfiguration, or port reassignment.
- Effortless logistics. File exchange should be as simple as a drag-and-drop from the source machine directly to folders on the destination machine. The connection should be bi-directional so clients can securely transfer files from their machine to the Representative with no need for intermediary encryption. You want to also ensure there are no file-size restrictions.
- Trust between machines. Ensure transfers are fully secure and encrypted with AES 256-bit encryption, the same encryption used by major banks and e-commerce sites. For example, data that shayre moves is never “at rest” in the cloud; encryption is applied “up-front” at the source machine, and the data never travels through or rests in the cloud. There is no need for additional pre-transmission encryption steps, which aids file transfer speed and ensures process uniformity.
- Cloud free. By keeping files out of the cloud, data cannot be compromised by either interlopers or your vendors.
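The “trust between machines” point above comes down to one property: the file is encrypted on the source machine, travels only as ciphertext, and the destination refuses anything that was altered in transit. The following is an added illustration of that property in Go’s standard library and is not shayre’s code, nor any vendor’s; it assumes the two machines already share a 32-byte key (how they come to share it is outside this example), uses AES-256 in GCM mode so that integrity is checked as well as confidentiality, and binds the filename to the ciphertext so a renamed file is rejected too. The “statement” and the key are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes: AES-256, the key length the article cites.
const KeySize = 32

// Envelope is what actually leaves the source machine. The nonce is sent
// in the clear (it need not be secret, only unique per key); the
// ciphertext already carries the GCM authentication tag.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// aead returns an AES-256-GCM instance for the key, rejecting any key
// that is not exactly 32 bytes.
func aead(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a file's bytes on the source machine before anything is
// transmitted. The filename is bound as associated data: it stays readable
// in transit, but any change to it is detected by the receiver.
func Seal(key []byte, filename string, plaintext []byte) (Envelope, error) {
	g, err := aead(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(filename))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open verifies and decrypts on the destination machine. A bit flip in the
// ciphertext, the nonce or the filename makes this fail closed; no partial
// plaintext is ever returned.
func Open(key []byte, filename string, env Envelope) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != g.NonceSize() {
		return nil, errors.New("malformed envelope: bad nonce length")
	}
	pt, err := g.Open(nil, env.Nonce, env.Ciphertext, []byte(filename))
	if err != nil {
		return nil, errors.New("authentication failed: file rejected")
	}
	return pt, nil
}

// RoundTrip is a self-check: seal, corrupt a copy "in transit", and confirm
// the intact envelope opens while the tampered one is rejected.
func RoundTrip(key []byte, filename string, plaintext []byte) (intactOK bool, tamperRejected bool, err error) {
	env, err := Seal(key, filename, plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := Open(key, filename, env)
	if err != nil {
		return false, false, err
	}
	intactOK = bytes.Equal(got, plaintext)

	// Simulate one flipped bit in the ciphertext on its way to the receiver.
	tampered := Envelope{Nonce: env.Nonce, Ciphertext: append([]byte(nil), env.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(key, filename, tampered)
	tamperRejected = err != nil
	return intactOK, tamperRejected, nil
}

func main() {
	// Constructed sample: a pre-shared 32-byte key (assumption: how the two
	// machines came to share it is out of scope) and a small "statement".
	key := bytes.Repeat([]byte{0x42}, KeySize)
	statement := []byte("ACCOUNT 000-CONSTRUCTED Q1 statement: balance 12,345.67")
	ok, rejected, err := RoundTrip(key, "q1-statement.pdf", statement)
	if err != nil {
		panic(err)
	}
	fmt.Printf("intact envelope opened: %v, tampered envelope rejected: %v\n", ok, rejected)
}
```

The design choice worth noting is that `Open` returns nothing but an error when authentication fails, rather than a best-effort decrypt: a receiver that surfaces partial plaintext from a tampered file gives an interloper a foothold, whereas refusing the whole file keeps the “data in motion” guarantee intact.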
The connections between RIAs and their representatives are key in today’s remote business environment so you want to ensure the file transfers can be done securely, efficiently, and effectively.