Deciphering the use of encryption

The SEC doesn’t require that firms encrypt sensitive documents

EMUFPHZLRFAX. If that’s all Greek to you, then the encryption worked.

Those apparently random letters mean something: they open the first of four encrypted messages an artist engraved on Kryptos, a famous sculpture at CIA headquarters in Langley, Virginia. That first message and two others have been cracked. The fourth has held out for 30 years. Have a go at it, if you wish – but know that some of the world’s leading cryptanalysts have failed so far.

The artwork reveals the power of encryption, and hints at how useful the practice can be for protecting your sensitive data from cyber bad guys. Advisers often employ encryption, but they do so in different ways.

Appleton Partners ($10 billion in AUM) in Boston will soon switch to a new encryption vendor. “We’re going to use two forms of encryption,” says CCO Michele Hubley. One piece will scan e-mails automatically and suggest to the sender when a message should be encrypted.

“People get rushed. People get distracted,” she says. The automatic solution is another way of catching a message that should be scrambled and unlocked only by its intended recipient.

What your peers do

“Anything containing privileged or confidential information” must be encrypted according to the policies and procedures (P&Ps) at Sovereign Investment Advisors ($467 million in AUM) in Phoenix. The policy also applies to internal e-mails, says CCO April Lamb.

“Our policy says if the content of the e-mail contains personally identifiable information for a consumer, that it should be encrypted,” says Barry Greenberg, CCO at Cushing Asset Management ($2.7 billion in AUM) in Dallas. Internal emails need not be encrypted.

Like many advisory firms, Cushing turns to MS Outlook’s built-in encryption option. The adviser previously used an encryption vendor “but it required you to log on through a separate website. It was just so difficult to use that people weren’t using it,” Greenberg recalls. Outlook’s is much easier, he believes.

Client choice defines the options available from Cherry Bekaert Wealth Management ($515 million in AUM) in Richmond, Virginia. The spectrum runs from e-mailing a client a password-protected PDF and then phoning the client with the password, to e-mail encryption software, to pointing clients to log in to the firm’s private portal, says CCO Chris Hill. The phone call is what makes the first option work: a password sent in the same e-mail as the document protects nothing.

The CCO at a New York advisory firm has P&Ps that require e-mails with sensitive information to be encrypted, including language tied to new deals, transactions or employment matters. The firm also offers a secure portal for clients to pull down sensitive documents.

Signed advisory contracts at Laird Norton Wealth Management ($1.6 billion in AUM) in Seattle give the adviser the right to send clients e-mails. During tax time, the firm tries to steer client CPAs to its secure portal to download key documents, but some resist because they don’t wish to fuss with passwords. In those cases, the adviser encrypts the e-mails to the CPAs that contain sensitive data, says CCO Robert Hille.

A look at the rules

The SEC doesn’t require that firms encrypt sensitive documents. The closest the agency has come to the topic was a risk alert earlier this year in which OCIE noted that some firms fail to take advantage of third-party security features, such as encryption, for cloud services (RCW, May 23, 2019). The risk alert referenced two relevant regulations, Regulation S-P and Regulation S-ID, but neither requires encryption, although both carry the expectation that you will protect client records.

Encryption “is a requirement from some clients,” notes James Markakis, security analyst/systems engineer at Campbell & Company ($286 million in AUM) in Baltimore. The adviser encrypts “anything that’s externally hosted,” plus mobile devices. The latter are protected by BlackBerry’s UEM solution. The firm relies upon its cloud service vendor’s encryption system and its e-mail archive vendor’s software.

Don’t promise to encrypt

It’s not advisable to pledge in your advisory contracts to encrypt key communications or documents, suggests Jeff Ziesman, a partner with Bryan Cave in Kansas City, Missouri. “Once you put that in a contract, you’re bound to do it,” he states. Instead, “you can just do it” on your own, he adds.

“You can’t simply turn on encryption and think that you’re protected,” counsels Jody Hair, data security technical specialist at Sirius in San Antonio, Texas. Begin by classifying your data and recording where it is stored.

You may label data as public, confidential or restricted, and then set your encryption rules according to that classification, recommends Hair. Revisit your encryption policies once a quarter, or at least twice a year, “and anytime you’re expanding” your IT footprint, he adds. “You don’t want to get in the situation of your IT department being in that catch-up mode,” Hair warns.

Make sure you have “centralized key management” that restricts the number of persons who have access to the encryption keys, suggests Markakis. Carefully store the keys, back them up and give more than one person access to them, he adds.
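One way to reconcile the two halves of that advice (few people can reach the key, yet no single person is a point of failure for it) is to split the master key with Shamir secret sharing, so that any threshold of custodians can rebuild it and fewer learn nothing. The following Python is an added example of that technique, not code from Campbell & Company or any vendor named here; it uses only the standard library, and the 32-byte key in the demo is constructed.

```python
"""Shamir secret sharing over the prime field GF(2^521 - 1).

Added example of one way to back up a master key among several custodians
without any one of them holding it.  Not code from any firm or vendor in
the article.  The sample key at the bottom is constructed.
"""
import secrets
from typing import List, Tuple

P = (1 << 521) - 1  # Mersenne prime; any key of up to 512 bits fits below it

Share = Tuple[int, int]  # (x, f(x)) with x >= 1; f(0) is the secret


def _poly_at(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod P."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, threshold: int, custodians: int) -> List[Share]:
    """Split `key` into `custodians` shares; any `threshold` of them rebuild it."""
    if not 2 <= threshold <= custodians:
        raise ValueError("need 2 <= threshold <= custodians")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key too large for the field")
    # The constant term is the secret; the remaining coefficients are uniform
    # random, which is why threshold-1 shares reveal nothing about it.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _poly_at(coeffs, x)) for x in range(1, custodians + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def recover_key(shares: List[Share], key_len: int) -> bytes:
    """Rebuild the original key bytes from at least `threshold` shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    master = bytes(range(32))  # constructed 256-bit key
    shares = split_key(master, threshold=3, custodians=5)
    assert recover_key(shares[:3], 32) == master
    print("any 3 of 5 shares rebuild the key; 2 of them do not:",
          recover_secret(shares[:2]) != int.from_bytes(master, "big"))
```

Hand one share to each custodian and store them separately from the encrypted data; the threshold is the policy knob. Commercial key managers and HSMs offer the same quorum behaviour built in, which is the form most firms would actually deploy.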

Both Hair and Markakis recommend you extend your encryption activities beyond e-mails to databases, servers, cloud contents and even mobile devices.

Be sure to monitor user behavior, adds Markakis. Steven Felsenthal, general counsel/CCO at Millburn Ridgefield Corporation ($4.3 billion in AUM) in New York, looks for non-compliance with the adviser’s encryption rules during his e-mail reviews. “I try to find things that should have been password protected that were not. And I call people on it,” he says.
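The two checks described on this page, the automatic scan that prompts a sender to encrypt and the reviewer's pass for attachments that should have been password protected but were not, can be reduced to a few lines of logic. The following Python is an added example, not the tooling of Appleton, Millburn Ridgefield or any other firm quoted here. It assumes an encryption gateway stamps the messages it encrypted with an "X-Encrypted: yes" header; that header, the PII patterns, the policy that an outbound PDF must itself be encrypted unless the whole message was, and the sample messages and PDF bytes are all constructed for the demo.

```python
"""Outbound e-mail review for encryption-policy misses.

Added example; not the tooling of any firm quoted in the article.
Assumed: an encryption gateway stamps messages it encrypted with
"X-Encrypted: yes".  The PII patterns, the PDF policy and the sample
messages are constructed for this demo.
"""
import re
from email.message import EmailMessage
from typing import Dict, List, Optional

GATEWAY_HEADER = "X-Encrypted"  # assumption: set to "yes" by the gateway

# Constructed rules: content that must not leave the firm unencrypted.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account number": re.compile(r"\baccount\s*(?:no\.?|number|#)\s*:?\s*\d{6,}\b", re.I),
}


def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: an encrypted PDF carries an /Encrypt entry in its trailer.
    A production reviewer should parse the trailer dictionary; a substring
    scan is enough to catch the obvious misses this demo targets."""
    return b"/Encrypt" in data


def review_message(msg: EmailMessage) -> List[str]:
    """Return the policy findings for one outbound message ([] means clean)."""
    findings: List[str] = []
    encrypted_in_transit = msg.get(GATEWAY_HEADER, "").strip().lower() == "yes"

    # 1. Body scan: the same check a gateway runs to prompt the sender.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hits = [name for name, pat in PII_PATTERNS.items() if pat.search(text)]
    if hits and not encrypted_in_transit:
        findings.append(f"body contains {', '.join(hits)} but message was not encrypted")

    # 2. Attachment scan: the reviewer's pass for PDFs that should have been
    #    password protected.  Constructed policy: an outbound PDF must be
    #    encrypted itself unless the gateway encrypted the whole message.
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        payload = part.get_payload(decode=True) or b""
        if not encrypted_in_transit and not pdf_is_encrypted(payload):
            findings.append(f"attachment {part.get_filename()} is an unprotected PDF")
    return findings


def make_message(text: str, pdf: Optional[bytes] = None,
                 filename: str = "statement.pdf", encrypted: bool = False) -> EmailMessage:
    """Build a constructed outbound message for the demo."""
    msg = EmailMessage()
    msg["From"] = "adviser@example.com"
    msg["To"] = "client@example.com"
    msg["Subject"] = "Your account"
    if encrypted:
        msg[GATEWAY_HEADER] = "yes"
    msg.set_content(text)
    if pdf is not None:
        msg.add_attachment(pdf, maintype="application", subtype="pdf", filename=filename)
    return msg


# Constructed PDF stand-ins: only the trailer matters to the check above.
PLAIN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
ENCRYPTED_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                 b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")


def run_review() -> Dict[str, List[str]]:
    """Review five constructed messages; returns findings keyed by case name."""
    cases = {
        "clean text": make_message("Our quarterly commentary follows."),
        "ssn unencrypted": make_message("For your records, the SSN on file is 123-45-6789."),
        "ssn gateway": make_message("For your records, the SSN on file is 123-45-6789.",
                                    encrypted=True),
        "plain pdf": make_message("Statement attached.", pdf=PLAIN_PDF),
        "protected pdf": make_message("Password to follow by phone.", pdf=ENCRYPTED_PDF),
    }
    return {name: review_message(msg) for name, msg in cases.items()}


if __name__ == "__main__":
    for name, findings in run_review().items():
        print(f"{name:16} {'OK' if not findings else '; '.join(findings)}")
```

Run against an archive export, the same function turns Felsenthal's manual e-mail review into a repeatable report; wired into the gateway before delivery, the body scan becomes the prompt Hubley describes. The patterns and the PDF rule are the parts a firm would tune to its own data classification.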

Contract advice

Markakis alerts you to consolidation in the encryption industry. “It’s made it more difficult to choose solutions for e-mail encryption,” he notes. Seek to insert in any contract you sign with a vendor the right to terminate the arrangement should the vendor merge with or acquire a competitor, he recommends.

Also be aware that vendors often make it difficult for you to switch partners. “You get stuck in them unfortunately” because vendors charge high fees to export your data or to hand over the encryption keys, warns Markakis. Data export and key custody are therefore terms to settle before signing, not after.