Guest Article: Panama Papers Leak Increases Security Pressure On Wealth Managers

In this article, David Alexander, co-founder and executive chairman of My Wealth Cloud, outlines some lessons learned from the recent Panama Papers saga.
Whilst security has always been a vital aspect in financial services and investment industries, with the issue of protecting sensitive data of particular importance, it is undeniable that the leak of the Panama Papers earlier this year has raised new concerns.
Without the guarantee that both personal and corporate information is stored securely, away from potential threats, a wealth management company has little to reassure a prospective client. After all, what incentive is there to invest, trade or deal with an organization that does not regard the safety of information as crucial?
Following the Panama leak, wealth managers find themselves under increasing pressure to alleviate such privacy concerns, striving to restore the confidence of clients that has understandably been somewhat eroded.
The Panama Papers story has proved what has always been known but optimistically overlooked: no data is 100 per cent safe. Whilst safeguards can be put in place, hacking attempts are ongoing, which is why it is necessary to remain up to date with cybersecurity.
So what can you do to avert such a crisis?
There are some essential steps that can be taken to mitigate security concerns and avoid many of the issues that could ultimately lead to a privacy breach. Gone are the days of simply sending clients information by email: emails can be intercepted or accessed by anyone who can acquire the recipient’s username and password - minimal effort for hackers with today’s tools at their disposal. Email was never designed to be a secure communication channel and so even encrypted email is a patch on top of an inherently insecure system.
And although sending encrypted emails is a step up from regular emails, it is still far from the highest level of security available to wealth managers, namely one-to-one communication with clients hosted on a highly secure, private cloud, with sensitive data encrypted at rest and in transit.
This form of communication provides a system that continuously manages access rights and adjusts authentication levels with consistency and immediacy. It is better equipped to resist Trojans, viruses or malware, thanks to robust threat detection and prevention measures.
Wherever you decide to hold your data, it is essential to consider a number of key factors to ensure the highest form of security.
Some of these factors include:
- How is the data centre accessed, physically and virtually? Is it controlled by passwords, fingerprint or iris biometrics? Often the weakest points of any system are user accounts with passwords that are easily guessed, or an account that is accidentally left active when it should have been disabled. So check if your provider uses Active Directory or something similar to revoke a user’s access.
- How is the information backed up? What would happen in the event of a fire, flood, earthquake, war or any event that causes the power to fail? You can’t put all your eggs in one basket. Make sure your files will be stored at least in triplicate at several geographically dispersed data centers, with copies synchronized automatically and instantaneously.
- Who else is the service provider storing data for? What is the highest accreditation of data they are protecting? Do they hold ISO 27001 certification? Certifications are issued today for virtually every aspect of information handling - from the data center itself to information protection practices. Ask your data hosting company whether they are certified for compliance with ISO 27001. It’s voluntary, so if a provider has taken the time to get it they clearly care about your security and it is best practice.
The Panama Papers debacle was unarguably an eye opener not only for wealth managers, but also for anyone involved in information security or data protection. Choosing to overlook asking your cloud provider how they are going to ensure the security of your client’s data could leave your business vulnerable to the threat of an anonymous leak or a similar reputational crisis that may be unrecoverable.