Transcript | Cybersecurity

Sarah Widmeyer: Welcome to Conversations on Wealth, a podcast dedicated to helping Canadians navigate the complexities of wealth with a multi-dimensional approach to planning and wealth management. I'm Sarah Widmeyer, Director of Wealth Strategies at Richardson GMP. Joining me today is Scott Stennett, Chief Operating Officer and Director of Operations and Information Technology at Richardson GMP. Welcome, Scott.


Scott Stennett: Well, thank you for having me.


Sarah Widmeyer: What a long title.


Scott Stennett: I'm paid by the consonant!


Sarah Widmeyer: Thank you for joining us. So, today we're going to talk about cybersecurity. It's also a big word. For many the topic of cybersecurity can be very intimidating or even maybe frightening, especially when it comes to our financial affairs online. We put so much of our lives, our private information, online. As the financial services industry continues to evolve in the digital space, so too have the scale and sophistication of cyber threats. That's why being extremely diligent and proactive ourselves as leaders in wealth management, as well as helping our clients avoid cyber risk, among other types, is more important than ever. So, Scott, how do you define cybersecurity? And what are the key issues that our listeners should be aware of?


Scott Stennett: Well, as you said at the opening Sarah, it's a big word, and a wide and diverse topic. At a really high level, cybersecurity is the art of protecting against criminal or even just general unauthorized use of electronic data. It typically focuses on internet or related access points used by a company or an individual, along with all these things called endpoints. An endpoint is a device that's generally used to access information: computers, tablets, smarter mobile phones. In between the internet and the endpoint, one typically has a whole bunch of systems and stored data. And that data can include sensitive information like social insurance numbers. It also could include some less sensitive information like first names. The whole cyber topic generally is focused on personally identifiable information, or what's called PII. This can be used to steal identities and cause real personal harm. And individuals are not the only ones at risk. A company may also have intellectual property that is essential to their competitive advantage in the marketplace – we certainly do at our firm. And, just like home security systems are meant to dissuade people from unwanted break-ins and theft of family property, cybersecurity is in place to protect any personally identifiable information and intellectual property of an organization.


Sarah Widmeyer: So, it's an important topic as you're looking for an Advisor and you're interviewing a potential firm. It's something that we as consumers, as clients, should be really asking about: What are the ways and means to protect our information because with increasing regulations, and Know Your Client regulations, which are basically detailed questionnaires that the clients go through in order to set up an account, there's such a vast array of personal information that we share and get stored somewhere and we assume are safely kept somewhere. It is something that the average client probably isn't even aware of: What we're doing to safeguard our client's wealth. What does your team do across the firm to make sure that our client information is safeguarded?


Scott Stennett: Great question. And there's no doubt that as there is growing awareness in the marketplace – it’s hard to read a newspaper or a journal article that doesn't talk about some sort of vulnerability or compromise that happened – and it frankly can be quite scary and very intimidating to the lay person just reading all this information and starting to wonder how exposed are they. So, we do invest substantially in making sure we protect information. We have specific certifications for cybersecurity professionals on staff whose sole accountability is the betterment of our cyber hygiene. By the way, you can put the word cyber in front of almost any other word and it sounds really sophisticated and complicated. But cyber hygiene is this whole art of how we make sure that our environment, our ecosystem, as an organization, is as clean as it can be to eliminate or reduce risk that client information is compromised.


Sarah Widmeyer: So, hygiene really is the right word.


Scott Stennett: It is. It's very relevant in the marketplace today. And some of the key defenses that we deploy include things like advanced systems that proactively recognize questionable activity; things that don't look normal and attempt to access our infrastructure that we wouldn't expect at a weird time of day from a foreign jurisdiction perhaps would stand out as an example. These systems alert staff so that a review can be made and actions can be taken if and when required. As homeowners, we often install fences to keep unwanted guests off our property. And in IT, we rely on perimeter defenses just like firewalls to keep the criminals from breaking into digital environments. So, in today's marketplace, these systems are very sophisticated, and they're changing and evolving very quickly. You not only block unwanted traffic from entering our domain, these systems also recognize when unusual or suspicious attempts are made to access systems so that they can self-adjust and automatically take efforts to stop events. “Quarantine” is a common word in our sector. We “park” these attempts and we have some human beings take a look and see if it warrants additional attention.


Sarah Widmeyer: Interesting. There’s a lot going on that the average client would not be aware of that we're doing and probably a lot of infrastructure and expense going into that which is all part of being in this business. 


Scott Stennett: Correct. And, in fact, an awful lot of the industry analysis that goes on in measuring a firm’s maturity in the cybersecurity or information security space, measures progress against what percentage of your revenue line or what percentage of your expense line is being devoted to cybersecurity. And what you're seeing – and this is no surprise, I'm sure to many – is that expenditures are climbing and climbing fast. So, year-over-year, firms are investing substantially more in their infrastructure specifically for this protection of privacy and protection of client information.


Sarah Widmeyer: As a client, where would you find that information? In the annual report?


Scott Stennett: It varies by firm, some firms will bury it into a broader expense line, some firms will want to single it out and highlight it as a strategic advantage. So, it is different. One of the things that's really evolving in the marketplace is simply the lack of standards, which comes right down to the client's ability or inability to assess the various industries that they may do business with, the various firms that consist in and around them in their everyday lives. How do you know which firm is taking the right steps and which firm perhaps may be taking some calculated risks? Calculated risks are fine until the day they're not. And that's when they become the headline news.


Sarah Widmeyer: So again, and I know you've answered this, but to try and cut to the chase on it. So, as a client, how do I know that dealing with our firm, my information is safe?


Scott Stennett: Each country has in some cases at least unique laws and unique regulations that govern and support how information is protected. We have to rely on trust. Not so unlike our frontline business, giving wealth advice to our valued clientele. You have to trust that the organization is doing what it says it's doing. Over time, I'm going to suspect that you're going to see more regulated audits and more standards that will allow us to have a common yardstick to measure each firm's resilience against these evolving threats. But at this time, it's a bit of an evolving landscape. And I do think this will be one of the things that we'll see change and change quickly in the years ahead.


Sarah Widmeyer: That's really interesting. So, foresight as to where the marketplace is going is extremely important for you and your team. Where do you see things going with respect to cybersecurity or key technological advancements in this space over the next few years?


Scott Stennett: There's no question that with this degree of rapidity and change, the landscape is going through accelerated growth. At a really high level, we're focusing within the wealth sector specifically, and see that substantial inroads will be made with artificial intelligence. It's in its infancy, it's in the early stages; but artificial intelligence, or AI, is going to play a key role in both how clients conduct business within our sector, and also how we as an organization use it as a tool to protect their information. I don't see robots replacing the human touch anytime soon. But AI will definitely help improve operational efficiencies and will also streamline a variety of administrative functions that the clients and the Advisor teams utilize in their day-to-day interactions. We also see continued progress being made in protecting sensitive information through enhanced encryption. So even if your best lead defenses get compromised, you want to make sure that the bad guys can't utilize the information to their advantage. So, really good and capable encryption ensures that even if the information is stolen, it's worthless to the party that acquired it.


Sarah Widmeyer: And what is encryption?


Scott Stennett: Encryption is the ability to use digital means, mathematically derived means to make it such that people need a password or passphrase – often very long ones – as a key to unlock the information. Otherwise, it looks like jargon. It's non-sensical to anybody else but us. It's often found in military-grade operations, and it evolved into our sector.


Sarah Widmeyer: I immediately thought of World War II movies in terms of the secret messages sent.


Scott Stennett: It's very much the same thing. And it's continuously evolving and changing and, and it's becoming a profit center. As organizations find new ways to improve upon encryption, there's a market for it. And it's an expensive one at that. We even see improvements to how people access our systems, moving into biometrics, more and more. Many people who use a mobile phone today have already started to use fingerprint and facial recognition and we'll see that happening more. That will replace passwords, making it harder for bad guys to steal private information. And I think it's a bit further away but I think you'll see governments taking a lead role in establishing unique identifiers for people. It sounds very big brother-ish. However, it is in talks across various governments not just here in Canada, but the United States and overseas. And I think – and you touched on this earlier, Sarah – I think that through this whole digital evolution, our clients are going to become ever-more aware of what's going on and where they're vulnerable, and how to better protect themselves. And this is going to drive firms like ours to set a higher standard of care and make it harder for criminals to take advantage of our clients. In short, security of information is becoming a new strategic asset class that firms can offer to clients and the clients can demand of their firms.


Sarah Widmeyer: So cool. So, then tips for clients and safeguarding their information and making sure that things are secure: What would you tell people to do or make sure that they are doing or looking out for?


Scott Stennett: It is critical that clients know where their sensitive information is stored, both in their homes and across the firms that they do business with. You mentioned earlier, there is a wealth of information that clients share in order to become clients – that’s right across various banks, the wealth sector, even ordering food through various delivery tools – that requires you to give your name, address details, sometimes credit card information. So, this requires an active stance. You need to go on the offense in order to build and ensure you have the best defense. So, don't just assume it's all being done to a high standard. Within their own homes, clients should ensure that digital information is always encrypted, and we talked about what that means. Lock down your wireless access points, using passwords in all cases. Be careful when surfing the internet. Don't download content from a site you don't trust. Be careful when you're looking at emails and attachments. If in doubt, and you're not familiar with the person who sent it, delete it. When it's at all suspicious, the best exercise is to delete it. Definitely don't open an attachment or click on a link that wasn't expected or didn't come from somebody you know. 
And for the endpoints, we talked about computers, tablets and phones – things we carry around – make sure your screen lock is on. A lot of people get compromised because they lose these very small – and they're increasingly becoming smaller – devices. And if you don't have a password or some means to make it harder for people to get in, it's sometimes your entire information life. Every contact, every credit card number, every system and service you have a business account with, it's all on these little teeny devices now. It’s very easy to lose those and be harmed by other people's access to that information.
Another great example of something often we see when we talk to clients is using public WiFi hotspots. Any information you enter or share when you're using public WiFi hotspots is or could be visible to others. So, use that digital hygiene, cyber hygiene we talked about when using social media. Be careful about what you share about yourself online. Your family, your friends, even your whereabouts may be used in an attempt to harm you later. So, it's all about awareness.


Sarah Widmeyer: So, don’t use hotspots?


Scott Stennett: Hotspots – I say absolutely use them. It's just about being more aware and conscious about what you're doing while you're using them.


Sarah Widmeyer: So, don't pay your bills [via certain hotspots]?


Scott Stennett: I would not go and log into my bank account using a public WiFi hotspot. I would not go into a transactional account that I might have where I could order and access things like Amazon if I had a public WiFi hotspot for fear that somebody might steal my credentials and then use it to make purchases without my being aware.


Sarah Widmeyer: Right. So, go back to pen and paper?


Scott Stennett: Pen and paper, carrier pigeons. There are lots and lots of great things we can do and it's an amazing space to be operating within as technology's evolving fast. It's not all about fear tactics and worry and concern. It's just about being more sensitive and aware of what you're doing. And with that will come great use of great tools with less to no risk on your personal well-being.


Sarah Widmeyer: So, at our firm, as you know, we pride ourselves on being at the leading edge of innovation. I'd like to leave listeners on a slightly brighter note because I think I've got them all scared now – carrier pigeons, as you said, and paper and pen! Can you expand on how we're making clients’ lives easier through innovative technological advancements?


Scott Stennett: Yeah, this this is one of the most exciting themes in my opinion for the firm today. We offer great advice. And now we're getting an opportunity to offer that advice alongside some of the best tools in the industry. We're fully embracing this ongoing digital evolution. We believe it's going to enhance the client experience. We're on a journey to make this firm the easiest place for our clients and our advisors to do business. Our strategic roadmap includes continuous enhancements of our secure client portal. We believe clients should be able to monitor their financial progress across our entire firm, when they want, how they want, on their terms. So, our portal is going to be our digital ecosystem. And I believe this is going to be where we're going to see continuous growth for the years ahead, from updating an address, from requesting a withdrawal, to reviewing your latest performance, to even updating a family life goal. I think we're obligated to believe it's the best practice to acquire a signature on a document, but we look forward to offering our clients the ability to use a digital signature which avoids any need for paper or good old-fashioned traditional snail mail. And all the while, we want to continue to ensure we protect our clients’ sensitive information and their privacy.


Sarah Widmeyer: So, it's kind of like a filing cabinet of our clients’ information, and it's their specific file folder.


Scott Stennett: A digital vault.


Sarah Widmeyer: A digital vault – and so they log in, and they have access to all of their secure information, their account information – ultimately, their financial plan and any adjustments that might need to be made to that financial plan. It's all there in their filing drawer in their file folder in our filing cabinet.


Scott Stennett: Exactly. When I think back over the last three to five years, a lot of the conversations with our sector, other firms that work in our sector, aligned around trying to move clients away from paper and onto these electronic or digital forums. What's interesting in that whole dynamic is that the driving force was mostly about cost and reducing the expense of postage in the mailing itself. I believe that is certainly relevant on the one hand, but is far less important than the fact that going digital is safer.
I chuckle almost today to think of what my children are going to do years ahead when they have their own homes. And they're going to look at me and say, Daddy, I can't believe you used to leave all of these sensitive documents in this little box that used to hang outside of our house called a mailbox. And it would sit there for eight to 10 hours before you got home, and you took it, and it was accessible to anybody who just walked by the house. And we thought that was acceptable and an okay way to share information, versus being able to securely, under these encrypted domains that we talked about, go in and get the information when you want it, wherever you are, even if you're not at your home, and know that nobody else can see it. It's not about the money and the expense as much anymore, as it is about just better protecting yourself and making it more efficient. If you lose that piece of paper, you generally have to call someone to get it resent. In our environment, if you need it again, even if you're on a vacation, you just grab your mobile phone and you get it.


Sarah Widmeyer: But not in the hotspot.


Scott Stennett: Apparently not on a WiFi hotspot.


Sarah Widmeyer: Okay, so before we close out our conversation, what are key takeaways for clients? What would you leave them with?


Scott Stennett: At a very high level, a proper and effective wealth plan requires client engagement and investment of time and effort. The same goes for protecting your privacy. Be sure to devote time to assessing your situation, identifying your vulnerabilities, and know that it can be confusing. So, don't be shy and ask for or even hire help when needed. In doing so, you'll ensure that you've got the necessary peace of mind.


Sarah Widmeyer: Great advice. We appreciate the trust that our clients have placed in our firm and we continue to improve our networks so ultimately you can sleep easy at night knowing your assets and your information are safe. If you have any questions regarding cybersecurity, please reach out to your Advisor.

Conversations on Wealth is available wherever you get your podcasts. Remember to follow us on LinkedIn for the latest on wealth strategies. Thank you all for listening.

Thank you, Scott, and join me next time.


The opinions expressed are the opinions of the author and readers should not assume they reflect the opinions or recommendations of Richardson GMP Limited or its affiliates. Past performance may not be repeated. Richardson GMP Limited is a member of Canadian Investor Protection Fund. Richardson and GMP are registered trademarks of their respective owners used under license by Richardson GMP Limited.