Working with Risk and Security Departments to Innovate in Wealth Management
Brought to you by WBR Insights

Data has become a critical element of almost every business operation. It's rare to find a brand in any industry which is not using it in one way or another. Wealth management is no exception, but with this increased usage of data comes a massive responsibility to ensure it's protected and treated with the respect it deserves.

In the first six months of 2019, data breaches exposed 4.1 billion records, with 71% of breaches being financially motivated and 25% motivated by espionage. Security breaches have increased by 11% since 2018, and hackers attack every 39 seconds, on average 2,244 times a day. Worldwide spending on cybersecurity is forecasted to reach $133.7 billion in 2022, which all goes to show the true extent of the problem.

Obviously, the world of wealth management deals with financial information — possibly the most valuable data type that exists — which means it must treat data security as a foremost priority.
When the European Union put its new General Data Protection Regulation (GDPR) into effect back in 2018, it forever transformed the landscape of how companies deal with customer data.

GDPR applies to all organizations, businesses, and entity types doing work with EU clients. This means it applies to both those organizations located physically within the EU's 28 (soon to be 27 once the UK finally completes its laborious Brexit process) countries and those outside of them doing business in EU countries.

For the wealth management industry, GDPR seeks to standardize network testing and risk-identification measures. These facets of wealth management can quickly become outdated within financial firms, potentially leaving them vulnerable. It provides formal and informal infrastructure requirements that are necessary to address data breaches, network security, and the related effects on clientele trust, as well as bringing the industry up to date regarding its treatment of sensitive data and transparency practices. The regulation also seeks to establish improved, two-way communication between wealth management entities and their constituents, bolstering the kinds of relationships that are the foundation of a thriving firm.

Wealth management brands are basically data controllers — those entities which set the procedural and practical uses of collected data. Data controllers are responsible for determining the purpose of data collection, the nature of the data, who it's collected from, and how it is used. They are also responsible for reporting breaches or attacks to affected individuals and regulatory bodies in good time, or risk facing significant fines.

Data processors are people, agencies, or departments responsible for processing individual data on behalf of the data controller. Think of processors as the technical side of the equation, whereas controllers are the tactical side. Processors manage the IT storage systems as well as data security measures, testing, transfers, and any necessary data deletions.

It's likely your wealth management organization contains elements of both these definitions and it's important to work with these departments to make sure each understands their role, definition, and responsibilities under the regulations. It could be — and is increasingly likely in the modern business world — that you outsource some elements of this infrastructure. If so, you must carefully vet any third-party companies you work with to ensure they are also meeting regulatory requirements.

GDPR may have been around for a while now, but it's alarming how many companies are still failing to take its regulations seriously. Many organizations have received significant fines (in January 2019, Google paid a EUR 50 million fine to French authorities for its lack of transparency in the collection and use of personal data for ad targeting) and, while a massive brand or government body may be able to absorb such a penalty without much detriment, it could mean the end of the road for a small to medium-sized business.

GDPR is merely the trailblazer as well. The California Consumer Privacy Act (CCPA) came into force on January 1, 2020 and is very similar to its European predecessor. Once again, the legislation affects any company doing business with California residents or entities, whether or not they themselves are based in California — or even in the US. Currently making its way through the US's various statehouses is the New York SHIELD Act, which will copy and paste much of the CCPA for the east coast state, and it seems likely that even more of these will be upon us soon.

Final Thoughts

Now is the time, therefore, to work with your risk and security departments and make sure your brand is treating data protection with the seriousness and urgency it deserves. Your customers are precious, and a single data breach could see them withdrawing from your brand and seeking more responsible investment managers.

Data security is sure to be a hot topic at Digital Wealth 2020, being held in May at The Ritz-Carlton Fort Lauderdale, FL.

Download the agenda today for more information and insights.

WBR Insights is the custom research division of Worldwide Business Research (WBR). Our mission is to help inform and educate key stakeholders with research-based whitepapers, webinars, digital summits, and other thought-leadership assets while achieving our clients' strategic goals.