Carte Blanche

“How banks & funds could stop daily data breaches?”

Come on guys, let’s be honest. None of us will admit it in public, but even the most sophisticated companies including the biggest financial service organisations still distribute highly sensitive documents and information by email.

Last week, I talked to a managing director of a systemically relevant bank and I was shocked to learn that most sensitive information between the bank, its clients and business partners is still exchanged by email to this day.

Even in a simple scenario where one email is sent from one sender to one recipient, with each party using a single device, that is four copies of the same message on the various sending, relaying and receiving computers. Each of those computers is vulnerable to attack or misuse, and mobile devices may additionally be stolen or lost. The IT department of this bank lost control over that data the moment it was sent by email.

Email was created almost 50 years ago for the fast, easy distribution of information, but it was not developed with today’s security and compliance needs in mind. 

Christopher Knabe, Managing director (Loomion)

Now, consider that it is still common practice for most companies to distribute documents containing their most sensitive information to their board of directors by email. During a recently performed roadshow in Luxembourg, I was able to talk to almost 20 financial industry companies. With almost no exception, they “confessed” to using email to distribute board meeting binders, fund management reports, credit committee proposals, M&A strategy papers and more.

A recently conducted survey amongst 250 IT specialists of financial institutions reveals that close to 84% answered that they believe sensitive information gets distributed by email and unauthorised file sharing.


Almost all of them mentioned they would prefer a paperless solution where they stay in control of the documents at all times, where they could simply choose the mandate for a fund or a client they deal with in a secure app and have every needed past, current and future document accessible inside and outside the company’s network.

Every third reader of this article works for a financial services organisation involved in such reckless behaviour, and every 50th reader works for a company that has already suffered a data breach through the use of email.


Considering that the very nature of financial institutions involves safeguarding highly sensitive data, a data breach shakes the trust of their customer base at its bedrock foundation. That is why the cybersecurity departments of these enterprises allocate their entire firepower to ensuring sensitive data stays inside their firewalls.

The approaches chosen by these IT departments always come with the fatal consequence that their own employees can no longer access any data from the outside, let alone communicate securely with clients such as UHNWIs (Ultra High Net Worth Individuals) who are not on the company’s network at all.

Distributing a confidential or sensitive document by email (even with the company’s official email system) is to be considered a data breach per se. That said, data breaches happen by the minute.


This consequence triggers creativity galore amongst employees. When it is difficult for employees to access business-relevant information or other applications because they are off the corporate network, they are more likely to turn to web-based email and/or file-sharing applications.

The US Cloud Act, enacted on 17 March 2018, orders every US-controlled cloud provider to hand over client information without a warrant or due process, no matter where in the world the server is physically located.


With the Cloud Act (Clarifying Lawful Overseas Use of Data Act) recently enacted in the USA, such behaviour has even more severe consequences. This new law orders every cloud provider like Dropbox or Microsoft, every cloud-based email provider like Gmail or Outlook, and any other provider controlled by US shareholders or established on US soil to hand over client information without a warrant or due process, no matter where in the world the server is physically located.

In other words, the Cloud Act trumps the GDPR and the local law of any other jurisdiction, and all data stored with one of the US providers is subject to the 17 US intelligence agencies without any chance of recourse by the information owner.

What could be the ideal solution?

Let’s take the fund management industry in Luxembourg as an example. Management companies usually represent a multitude of funds. The management company employee simply chooses the right fund mandate in their secure app and has all of the documents of past, current and even future meetings digitally at their disposal, including fund statutes, bylaws, P&E reports and balance sheets.

Every document can be annotated with personal remarks and is full-text searchable. All meetings in the app always synchronise with the user’s Outlook calendar. Past resolutions, tasks and meeting minutes are always available for reference. There is no need to carry a hard copy of past meeting minutes or documents around town, let alone P&E reports or balance sheets of past years.

Fund meetings could even be held in a decentralised way, with every participant still able to vote on resolutions and/or tasks in real time.

The same features could be used by any bank to communicate with its UHNWI customers and the advising team assigned to them. They would have their own secure place for communication and the exchange of documents.

Now, where should such a solution be hosted? The more sensitive the information at stake, and in light of the US Cloud Act, the options shrink to one: on-premise. Loomion’s directors portal is based on Microsoft’s SharePoint technology and allows a multitude of quick wins when it comes to integration with existing in-house document management systems.

However, for someone who does not yet operate a SharePoint farm and wants to host the solution with a private cloud provider, the options in Luxembourg also shrink to one: EBRC. EBRC is one of the very few hosting providers that are PSF compliant. Loomion and EBRC have shared a history in highly secure data hosting for years, with clients such as Banque de Luxembourg and Post Luxembourg.

It becomes very clear that an enterprise-grade solution for the secure, efficient and compliant distribution of sensitive information exists in 2019. The gains in efficiency, security and compliance make the investment in the solution a steal. Data breaches can be stopped today.