Cyber threat to high net worth individuals is growing (Part 2)
Trustees, wealth managers, investment advisers and the like (collectively, "wealth managers") have a fiduciary duty to protect their clients' assets or risk being exposed to personal liability.
Wealth managers have two primary fiduciary responsibilities, namely, (1) a duty of loyalty to put the interests of their clients ahead of others, and (2) a duty to carefully and prudently manage and secure their clients' assets, which include personal data.
While most wealth managers have various policies and procedures to handle their clients' financial assets, many still lack policies and procedures that address the steps needed to protect their clients' personal data, a valuable asset that is vulnerable to privacy and security breaches. Wealth managers who do not take a proactive role in protecting data assets may be found negligent, which in turn exposes them to a risk of personal liability. The first part of this two-part series outlined why the personal data of high net worth individuals (HNWIs) is particularly vulnerable to privacy and security breaches, putting the wealth managers of HNWIs at risk of cyberattacks, including spear phishing.
Mitigating risk of fiduciary negligence
According to Statistics Canada, one-fifth of Canadian businesses have experienced a cyber breach. The rise in cyberattacks and privacy breaches has arguably created a duty for wealth managers and boards of directors to take proactive measures to protect HNWIs' data, as an extension of their duty to act with diligence and care. Wealth managers who fail to take a proactive approach to cyber resilience may be found to have consciously disregarded their responsibility to protect assets, leading to a finding of negligence.
As a first step, wealth managers need to retain experts in privacy and security to identify and mitigate risks. The following steps, although not exhaustive, are important actions that reduce the risk of personal liability:
Board oversight
In the past few years, there has been an increase in privacy and cyber claims against boards of directors, suggesting that privacy and security form part of their risk management responsibility and oversight. It is necessary to educate the board on the privacy and security landscape in general, within the industry and within the business itself, so that the board can make informed and sound decisions relating to resources and budget.
Directors should be well informed of the policies designed to mitigate privacy and security breaches. While the board is not required to make technical decisions or know technical details, it should be aware of, and involved in, the proactive measures taken to reduce the risk of a breach. Those responsible for reporting to the board should outline the status of the company's compliance with privacy and security regulations and standards, the risks that remain (including breaches already experienced), and the measures required to mitigate those risks, including the budget needed to mature the company's privacy and security posture.
Policies and procedures
Wealth managers who lack proper privacy and security policies and procedures to protect HNWIs' data will be unable to demonstrate accountability in managing and protecting that data.
Wealth managers should develop a compliance plan to mitigate privacy and security risks. The plan should include the development of, and compliance with, privacy and security policies and procedures including: (1) an internal privacy policy, (2) an information security policy, (3) an information management policy, (4) a retention policy/schedule and (5) a breach management policy.
The rigorous implementation of these privacy and security practices is necessary and also acts as a due diligence defence when companies need to demonstrate accountability after a breach.
Training and confidentiality agreement
Staff negligence and inadvertent disclosure are the most common causes of a breach. Wealth managers must ensure their staff understand the role they play in maintaining client confidentiality. Staff should become familiar with the threat landscape and the ways in which they may fall prey to social engineering scams, which often go unnoticed for months at a time, leading to significant exposure and liability. In addition to understanding current threats, staff need to be trained on the company's internal policies and procedures designed to protect HNWIs' personal information.
It is also necessary to obtain signed confidentiality agreements from all staff upon onboarding and on an annual basis thereafter, as a reminder of, and attestation to, the staff's commitment to protecting HNWIs' personal data.
Cyber insurance
Despite planning and taking a proactive approach to privacy and security risks, HNWIs' data will always be at some risk of a breach. Wealth managers should obtain cyber insurance that covers the cost of a defence, funds damages arising from litigation and pays for experts in cyber and privacy to remediate gaps in the company's infrastructure so that future claims do not arise.
Taking a proactive approach to protecting HNWIs' data assets will have a significant return on investment. Wealth managers will not only demonstrate to their valued clients that their data is being protected, but will also stand out in the market and gain a competitive advantage, thereby earning the trust of more HNWI clients.
This is part two of a two-part series. Read part one: Cyber threat to high net worth individuals growing.
This article was originally published on the Lawyer’s Daily.