FundFire: Wells Fargo Data Leak Shows Risk Goes Beyond Hackers

(This article was originally posted on Fundfire)

By Danielle Verbrigghe July 31, 2017

Wells Fargo’s inadvertent release of sensitive client and advisor information last week illustrates the risks that financial firms can face from accidental data loss.

Cybersecurity has become a growing concern for the wealth and asset management industry, as regulators have put the issue in their crosshairs. But many firms are still focusing their cybersecurity policies around preventing external incursions, and may be giving too little attention to the risks of inadvertent, or intentional, data exposure by employees or vendors, consultants say.

In Wells’ case, it wasn’t malicious hackers that put the firm’s data at risk. A lawyer working for Wells Fargo inadvertently released a hoard of sensitive data on tens of thousands of its wealth management clients, including social security numbers and financial data, according to a report last week from The New York Times. The data, which was sent to the lawyer of a former employee suing the bank, also contained detailed information on advisors’ client lists and pay, according to the report.

One of the top things firms can do to protect themselves from data loss is limit the information to which employees and vendors have access, says Kurt Nuñez, compliance consultant with Core Compliance & Legal Services.

“The military has a term for this. It’s ‘need to know,’” Nuñez says.

Best practices include segregating data to make sure employees only have access to the files they need. Firms can take a similar approach with the third parties with which they share information, Nuñez says.

“They should only be giving their third-party vendors access to the data that they absolutely need,” Nuñez says. “They should certainly not give any vendor a free run into their network systems if it can be at all avoided.”

Wells Fargo’s recent data breach appears to have involved a third-party law firm and another external vendor.

As cited by the Times, a statement from the outside attorney hired by Wells Fargo who had sent the data suggested that the error occurred after a “long process of a very large email review with an outside vendor with instructions on exclusion which was not checked.”
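The failure described in that statement is an exclusion instruction that was never verified before the production left the firm. The script below is an added example, not code from the article or from any of the firms it names, of the kind of pre-release gate a defender would put in front of such a hand-off: it re-checks the vendor's exclusion list instead of trusting it and scans whatever remains for data that should never leave (SSN-like strings and named sensitive terms). The document format, the ids, the custodian names and the exclusion list are all constructed for the example.

```python
"""Pre-release gate for an e-mail/document production set (added example).

Assumptions (hypothetical, not from the article): documents are dicts with
'id', 'custodian' and 'text'; the review vendor hands back the set of ids
that were *supposed* to be excluded. The gate re-verifies that instruction
rather than trusting it, and also scans the text that remains.
"""
import re

# Constructed sample documents (not real data).
SAMPLE_DOCS = [
    {"id": "DOC-0001", "custodian": "hr", "text": "Meeting notes: quarterly planning."},
    {"id": "DOC-0002", "custodian": "ops", "text": "Client SSN on file: 123-45-6789"},
    {"id": "DOC-0003", "custodian": "wealth", "text": "Advisor book of business, FY2016."},
    {"id": "DOC-0004", "custodian": "wealth", "text": "Full client list and comp schedule attached."},
]

# Constructed exclusion instruction: ids the reviewer was told to withhold.
SAMPLE_EXCLUDED_IDS = {"DOC-0003"}

# SSN-like pattern; the lookaheads reject area/group/serial values that are
# never issued (000, 666, 9xx areas; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Terms whose presence blocks release regardless of the id list (constructed).
BLOCKED_TERMS = ("client list", "comp schedule")


def find_violations(docs, excluded_ids, blocked_terms=BLOCKED_TERMS):
    """Return a list of (doc_id, reason) for every document that must not ship.

    A document fails if (a) its id is on the exclusion list but is still in
    the production set, (b) its text contains an SSN-like value, or (c) it
    contains a blocked term. The checks are independent, so one document can
    produce several findings.
    """
    violations = []
    for doc in docs:
        if doc["id"] in excluded_ids:
            violations.append((doc["id"], "on exclusion list but still present"))
        if SSN_RE.search(doc["text"]):
            violations.append((doc["id"], "contains SSN-like value"))
        lowered = doc["text"].lower()
        for term in blocked_terms:
            if term in lowered:
                violations.append((doc["id"], f"contains blocked term '{term}'"))
    return violations


def apply_exclusions(docs, excluded_ids):
    """Drop the excluded ids. This is the step the statement says was not
    checked; gate_release() re-verifies its result instead of trusting it."""
    return [d for d in docs if d["id"] not in excluded_ids]


def gate_release(docs, excluded_ids):
    """Return (ok, violations); ok is True only when nothing blocks release."""
    violations = find_violations(docs, excluded_ids)
    return (len(violations) == 0, violations)


if __name__ == "__main__":
    ok, problems = gate_release(SAMPLE_DOCS, SAMPLE_EXCLUDED_IDS)
    print("release allowed:", ok)
    for doc_id, reason in problems:
        print(f"  {doc_id}: {reason}")
    # Even after the exclusion is applied, the SSN and blocked-term hits
    # in the remaining documents still keep the gate closed.
    filtered = apply_exclusions(SAMPLE_DOCS, SAMPLE_EXCLUDED_IDS)
    print("after exclusion:", gate_release(filtered, SAMPLE_EXCLUDED_IDS))
```

The point of the design is that the gate runs on the final artifact, after the vendor's work, and fails closed: a single finding stops the release, and the findings name the document and the reason so a reviewer can act on them rather than on a pass/fail flag.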

Wells Fargo subsequently took legal steps to seek the return of the data and to prevent it from being disseminated.

“We take the security and privacy of our customers’ information very seriously,” Wells Fargo said in an emailed statement last week. “We are continuing to thoroughly investigate this matter and will take all appropriate steps based upon the outcome of our investigation.”

Wells Fargo has already attracted regulatory scrutiny over the matter, according to a report from Bloomberg last week.

This isn’t the first time a firm in this industry has made headlines, or attracted regulatory attention, for improper handling of client data.

In another prominent example, Morgan Stanley last year paid $1 million to settle Securities and Exchange Commission charges that it failed to protect client data after account information downloaded by advisor Galen Marsh was deemed to have been likely hacked by third parties and offered for sale online.

In another example, in 2014, an outside contractor for Goldman Sachs accidentally emailed confidential client data to a Gmail account that appeared similar to, but was unrelated to, an internal Goldman Sachs email account, according to a Reuters report. The firm sought emergency relief from a court to block access to the email.

Failing to safeguard client data can bring reputational as well as regulatory repercussions, says Craig Iskowitz, founder and CEO of the Ezra Group, which consults with industry firms on cyber security and other technology topics.

“The damage can be tremendous,” Iskowitz says.

And firms are still on the hook even if it is a vendor, rather than an employee, who mishandles their data.

“You can’t start blaming your vendors,” Iskowitz says. “Your clients have entrusted you with their money and their data. It’s up to you to safeguard your clients’ data as if it were your own.”

Yet one of the biggest cybersecurity gaps for financial firms is failing to perform adequate due diligence on their vendors’ data security practices, Iskowitz says.

“Once you connect with a vendor, you are now giving the vendor access as though they were an employee,” Iskowitz says. “But most firms don’t vet the vendors as they do their employees. They don’t do even those simple checks for vendors. That I find opens a door to a lot of potential issues.”

“What we find is that firms don’t vet their vendors’ security measures,” Iskowitz says. “They just take them at their word. That’s one of the biggest problems that I’ve seen.”

A basic step every firm should take to mitigate the risk of data loss is to put in place a policy limiting who has access to sensitive data, says Melinda McLellan, partner with BakerHostetler, in an email response to questions.

“It may sound basic, but one of the keys to data protection is access limitation,” McLellan says in the email. “Whether it’s employees or vendors or other third parties, access to sensitive data should be limited to only those individuals who require access, and both administrative and technical safeguards should be put in place to prevent inadvertent or unauthorized access.”

This can help prevent not only deliberate malfeasance, but also accidental data loss, McLellan says.

“Often when there’s a security incident we learn that an employee had far more access to certain systems or data than was necessary for their job functions. The employee may not even have been aware of this, and may never have tried to access the data herself,” McLellan says. “Nonetheless, the loose permissions create a host of unnecessary risks, enabling bad actors who gain control over one account to move laterally within a company’s systems and cause significantly greater damage.”