This article is one of several items we have published examining cybersecurity issues. Such security has become even more critical at a time when so many wealth management professionals work from home, a trend that has been going on for some time and has been accelerated by the pandemic.
(The article first appeared yesterday on WealthBriefing, sister news service to this one. The subject matter has global relevance, so we hope readers find it of value.)
Continuing our focus on the cybersecurity and data protection challenges exacerbated by COVID-19, we now turn to the boom in biometric authentication.
Part 1 of this feature unpicks the compelling business case for verifying the identity of staff and clients using this technology; Part 2 will dig deeper into the technological choices and hidden risks wealth managers need to be aware of.
One potentially significant upside to the COVID-19 crisis is a massive acceleration of the wealth management sector’s digitization - necessity being the mother of invention or, more accurately here, adoption. Barriers are being swept away as circumstances compel firms to implement solutions that many would argue should already be in place. The impetuses behind the rollout of enhanced performance reporting, client communication portals, video conferencing and instant messaging have suddenly become very strong indeed.
This is particularly true of biometric authentication, technology which verifies an individual’s identity through biological or behavioral characteristics. The concept may not be particularly novel in financial services as over the years institutions have variously implemented, or at least piloted, dactyloscopy (fingerprint identification), face recognition, voice patterning, iris/retina scans and even electrocardiograms to boost security. What is new - technology vendors tell us - is the rocket-fueled take-up of this technology in the financial services sector, now that business is being carried out almost exclusively in the digital sphere, and outside institutions’ walls.
As this publication has recently explored, in itself the home working environment may be far from ideal from a cybersecurity and data protection perspective. At the same time, cybercriminals have all too predictably moved to exploit the disruption by massively ramping up their efforts to steal information and identities. The pandemic has created an acute need to beef up security to protect systems, devices and data. As a result, these are boom times for biometrics across sectors, but particularly in tightly regulated ones dealing with valuable and often very sensitive data, as wealth managers most assuredly are (it may often fall under the GDPR’s Article 9 definition of “special category” data).
The weakest link
Single-factor authentication via a password or phrase has long been regarded as antediluvian by security experts; at best, these should only form part of Multi-Factor Authentication (MFA) methodologies. “Brute force” attacks are easier than ever with cracking technology, but it is well acknowledged that human beings are the weakest link in the security chain. Even with training, people are all too vulnerable to increasingly sophisticated “social engineering” tricks like phishing emails aimed at eliciting key information, along with other lapses like writing verification details down. The sheer volume of what we have to remember means that the average internet user has to reset a password almost once a week.
Nonetheless the scale - and escalation - of the problem may still surprise. “Passwords are responsible for over 80 per cent of data breaches, and there has been a 667 per cent increase in funded cyberattacks on them since February,” notes James Stickland, CEO of Veridium.
The costs arising from data breaches are several and serious. Under the General Data Protection Regulation, supervisory authorities are empowered to issue fines of up to €20 million or 4 per cent of annual global turnover for the most egregious data protection breaches, but there is also provision for individuals to seek redress through the courts for material and non-material damage under Article 79. Reputational risk is naturally also a huge concern in the private client space.