Experts have predicted the death of email for some time. But we all know how integral it is in today’s business environment, whether we like it or not. For financial advisors, it’s an important channel of communication with clients, but it also introduces important security concerns, as we will discuss in this blog. For advisors making the switch and going independent, there are some basic things you will need to know and have in place to set up an email account and to make sure it’s compliant and secure.
This is the second blog post in a six-part series. In Part 1, we looked at the hardware you will need to run your independent practice. In this post, we will focus on setting up and securing your new email accounts.
Setting Up An Email Account
While we all enjoy the convenience of a free personal email account, for example, from Google or another provider, these are generally not acceptable for business use. Rather, you will need an account that leverages your practice’s own domain. Chances are you will also have a website that uses that domain. Choosing a domain name is closely tied to your overall brand development which won’t be covered in this blog except to recommend you work with a marketing professional to get this right as it impacts your practice in many ways. Working with a marketing firm that specializes in financial services is highly recommended as there are special compliance considerations of which they will be intimately aware. Also, their understanding of the industry will help you pinpoint what uniquely sets you apart from other advisors and planners.
Master of Your Domain
Now that you have your domain name picked out and secured via a site like Google Domains or GoDaddy (or your web hosting provider), you can begin to use it for both your website and your email accounts. Most hosting providers will give you access to both which simplifies things (for example, one neck to choke if things go wrong and one invoice to pay).
Consider registering additional domain variations if you think you will need them in the near future. For instance, you may want to grab MyNewFirm.com and MyNewFirm.org (note that domain names are not case sensitive – different cases are used in this example for emphasis only). While you may not use the .org variation, reserving it may prevent someone else from registering it and confusing your clients should they type the wrong domain in their browser or email message.
Remember, you will need to periodically renew your domain registration(s) so mark your calendar as you do not want someone squatting on your domain if your registration lapses. Chances are you can purchase it back but it will cost you (more).
Be aware that some broker dealers and/or RIAs may require you to host your email with them to ensure proper compliance which we will cover in the next section. No problem, they will help you set up your Domain Name System (DNS) records. These records are distributed throughout the Internet and tell email providers how to route your emails correctly. We do not recommend making these changes yourself as it is easy to get it wrong which could result in your emails not flowing properly. Consult a technology professional like Cloud PM.
As you well know, client communications of all types are highly regulated in financial services. And for good reason – these communications must be reviewed by your broker dealer’s and/or RIA’s compliance department to ensure regulations are being followed and communications are not inappropriate.
In order to provide your broker dealer and/or RIA with copies of your incoming and outgoing emails automatically, you will need to connect your account with an email journaling and archiving provider approved by your compliance department. Once configured, copies of all emails from or to your account will not only be sent/received to/from your client (and everyone else you communicate with using your shiny new email account), it will also be securely forwarded to your journaling provider and stored in an archive. This ensures all emails will be retained in a searchable database. Most likely, the compliance leadership will define a lexicon of keywords that will automatically flag certain emails for review. This allows them to review emails efficiently.
In short, these services provide the following features:
- Journaling – sending a copy of all incoming and outgoing email to an archive
- Archiving – storing all emails in a manner that is easy to discover and that retains the copies for some specified period of time
- Review – provides a user interface for your compliance department to easily review email communications
With the convenience of email communication comes a lot of risk. Most email systems require only a simple password to access them, meaning accounts can be easily shared or hacked. As a result, the person on the receiving end of an email may not be who you think they are, so there are a few things to consider when securing your email communications.
Phishing, Hacking and Spoofing
First let us consider the threats you will face and define some terms so you are clear on what you are securing against.
- Phishing – These are usually emails that contain a link that, when clicked, prompts the recipient to enter sensitive information. They are generally designed to look legitimate and may include logos, etc. from companies you do business with. Don’t click those links!
- Hacking – A hack occurs when an unauthorized person or system figures out your email password and sends emails from your account usually to people in your contact list. Once access is gained, emails are authentic in nature which makes them not look suspicious and recipients are more likely to click a link or follow some instructions. If your client’s email is hacked, for instance, you could receive a message asking for money to be wired to an account that is not your client’s. Always communicate in person or over the phone using a contact number on file before moving money for a client. Also, use a strong password that is hard for a computer (not a person) to guess – see Part 1 for some tips.
- Spoofing – This method of attack combines the two previous methods and underscores the crafty nature of the attackers and why diligence is so important with email security. Email spoofs will look like they are coming from a legitimate email address because the sender’s email has been forged. In fact, the sender’s email account hasn’t been hacked; the real sender simply altered the From address to look familiar to you. Again, don’t click the link and follow up with the person who is being spoofed to ensure the email is legitimate (or not).
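As an added example (not code from the original post), here is a small Python check that parses a message's headers and lists the mismatches a spoofed or hacked-account wire request tends to carry: a Reply-To that differs from the From address, a Return-Path from another domain, and lookalike domains built around the firm's name. The firm domain MyNewFirm.com and both sample messages are constructed for this illustration; an empty result is a reason to relax the checks, not a proof that the email is genuine.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

TRUSTED_DOMAIN = "mynewfirm.com"  # assumed firm domain, taken from the post's example

# Constructed sample (not a real message): the From address is forged to look like a
# colleague's, while Reply-To and Return-Path point somewhere else entirely.
RAW_SPOOF = b"""From: "Mary Jones" <mary@mynewfirm.com>
Reply-To: "Mary Jones" <mary.jones@mynewfirm-secure.com>
Return-Path: <bounce@mailer.example.net>
To: joe@mynewfirm.com
Subject: Urgent wire request

Joe, please wire the funds today. I am in meetings, so reply by email only.
"""

# Constructed sample of an ordinary internal message for comparison.
RAW_LEGIT = b"""From: "Mary Jones" <mary@mynewfirm.com>
Return-Path: <mary@mynewfirm.com>
To: joe@mynewfirm.com
Subject: Meeting follow-up

Thanks for meeting today.
"""

def _domain(addr):
    # Lower-cased domain part of an address, or '' when there is none.
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def spoof_indicators(raw, trusted_domain=TRUSTED_DOMAIN):
    """Reasons to confirm by phone before acting; an empty list proves nothing."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = _domain(from_addr)
    findings = []
    # Replies would silently go to a mailbox other than the one shown in From.
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")
    # Bounces go to another domain, so the sending system is not the From domain's.
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"Return-Path domain {_domain(return_path)} differs from {from_dom}")
    # Lookalike: the firm's name embedded in a different registered domain.
    for dom in {from_dom, _domain(reply_to)}:
        if dom and dom != trusted_domain and trusted_domain.split(".")[0] in dom:
            findings.append(f"lookalike domain {dom} resembles {trusted_domain}")
    return findings
```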
Many of the emails you send to clients will be benign in nature – following up on a recent meeting or wishing them a happy birthday. Sometimes, however, you need to share sensitive information or file attachments. In these cases, it’s important to encrypt the message. Doing so ensures that if the message is intercepted it cannot be accessed without first being decrypted, usually by some sort of authentication.
Most encryption services work in one of two ways:
- Explicit – With this method, the sender includes a keyword either in the Subject or Body of the email to indicate to the email service that the entire message should be encrypted (including any attachments).
- Implicit – Some services can automatically recognize potentially sensitive information such as account or social security numbers and will encrypt the message without requiring a keyword. While this is more convenient, it’s not foolproof, so always explicitly encrypt emails known to contain personally identifiable or otherwise sensitive information.
In both cases, the system will encrypt the email and send it to the recipient as a new message with a link to a secure portal. The recipient will need to establish a password and enter it correctly in order to decrypt the original message and its attachments. While this is a tad inconvenient and clients may complain about needing yet another password, they will also be encouraged by the importance you place on securing their data.
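An added illustration (not any vendor's code) of the two triggers described above: an explicit keyword in the Subject or Body, and implicit pattern matching on the content. The keyword, the scanning rules and the sample messages are assumptions made for this example; the spaced SSN case shows why relying on the implicit method alone is not foolproof.

```python
import re

# Assumed trigger keyword for the explicit method; real services let the firm pick its own.
EXPLICIT_KEYWORD = "[encrypt]"

# Illustrative rules of the kind an implicit scanner might apply (constructed here, not
# any vendor's actual rules). The SSN rule deliberately recognises only the dashed form.
SSN_DASHED = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCOUNT_NUMBER = re.compile(r"\b(?:account|acct)\b[^\d\n]{0,20}\d{8,12}\b", re.IGNORECASE)


def encryption_decision(subject, body):
    """Return (encrypt, reason) in the order a service would check: explicit keyword
    first, then content scanning, otherwise send in the clear."""
    if EXPLICIT_KEYWORD in subject.lower() or EXPLICIT_KEYWORD in body.lower():
        return True, "explicit"  # whole message, attachments included, gets encrypted
    text = subject + "\n" + body
    if SSN_DASHED.search(text):
        return True, "implicit:ssn"
    if ACCOUNT_NUMBER.search(text):
        return True, "implicit:account"
    return False, "none"


# Constructed sample messages covering both methods and the implicit scanner's blind spot.
SAMPLES = {
    "birthday": ("Happy birthday!", "Hope you have a wonderful day."),
    "explicit": ("[Encrypt] Account opening forms", "Forms attached, please sign and return."),
    "ssn_dashed": ("Quick update", "My SSN is 123-45-6789, please correct your records."),
    "ssn_spaced": ("Quick update", "My SSN is 123 45 6789, please correct your records."),
    "account": ("Statement question", "Your account number is 12345678, right?"),
}


def run_samples():
    """Evaluate every sample; the spaced SSN slips past the implicit rules."""
    return {name: encryption_decision(s, b) for name, (s, b) in SAMPLES.items()}
```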
To Encrypt or Not To Encrypt
Emails sent within the same domain (for instance from Joe@MyNewFirm.com to Mary@MyNewFirm.com) never leave the domain, so they are generally not encrypted because they can’t be intercepted by someone sniffing your external network traffic. However, emails sent to anyone outside your domain do travel the public Internet and should be encrypted.
For the immediate future, there is probably no way to avoid having an email address for your practice. Future clients of the millennial generation are certainly trending more toward instant messaging as a main source of electronic communication. For now, however, setting up compliant and secure email for your business is pretty straightforward. At Cloud PM, we can help you navigate the many vendors providing email and domain services. Contact us to find out more about how you can ensure you are protecting your clients’ data and providing a secure method of communication they can trust.
Follow our blog as we continue this series, Going Independent: Tech Series, which will cover topics such as document storage, CRM and much more.