Public interest in wealth management and estate planning has remained at an all-time high following the Panama and Paradise Papers which saw confidential financial documents revealed to the public on front page headlines around the world.
The risk of appearing in the press for the wrong reasons remains high, according to John Kelly, a litigation partner at Harbottle & Lewis, who specialise in reputation protection, privacy and defamation. “There are still a number of misunderstandings and misconceptions of what the wealth management industry does and coupled with the media and public interest in wider business stories concerning tax, there is so much more potential for stories to be reported in the press and for journalists to get it wrong”.
Whistleblowing and ‘leaks’ from internal sources are also a recent development for companies. A YouGov survey of British millennials, which appeared in the FT recently, found that among their top eight heroes were three official spillers: Edward Snowden, Julian Assange and Chelsea Manning. These ‘heroes’ demonstrate the shift in millennial conscience from former generations. Their weapon is the leak.
These risks coupled with the heightened number of cyber-attacks generally, has meant that it’s never been so important for the industry to employ new tactics to protect itself and its clients. As Rebecca Toman, a media law partner at Carter-Ruck, said: “From a reputation perspective it was a no brainer: tighten up global risk management and focus on transparency. Banks and private wealth institutions have international offices operating under different legislation. For them we have seen an increase in the implementation of data security systems, data privacy training and internal procedures including crisis communication. The result is much greater awareness of the risks and how to mitigate them, no matter where problems occur.”
Third party suppliers need to step up
“Pre-empting crisis, for example leaks by disgruntled ex-employees, is hard”, explained Alexandra Whiston-Dew, Managing Associate in Mishcon de Reya’s reputation protection team. “There will typically be a journalist willing to listen and publish, seeking to rely on the right to freedom of speech and the ‘public interest’ in revealing a client’s source of wealth and other financial details. If that information does enter the public domain, it can cause significant and lasting damage to clients’ reputations and privacy.”
It’s therefore no surprise that cyber security is hot on the agenda. “Cyber security is up there on the agenda of CEOs as companies are realising the importance of protecting personal data and being in a position to react swiftly to any emerging threat. Corporates are also looking to their suppliers and counterparties to ensure they are taking appropriate steps”, said Nicola Cain, a media and data protection partner at law firm RPC.
“Rather than incident response plans gathering dust, they are being re-examined to check whether they are fit for purpose. We’re also conducting vulnerability assessments, checking whether sites are prone to malware or phishing attacks, and rehearsing incident responses with clients. This can involve using ethical hackers to run real-time scenarios”, said Magnus Boyd, a partner at reputation and privacy law firm Schillings. But he cautions, “while things are improving there is still a disjoint between individuals having a heightened awareness about the risks and them collectively adopting behavioural change”.
Other steps include encryption and software updates. Interestingly, “none of the emails leaked from the Panama Papers were encrypted. Had they been, Mossack Fonseca may still be in business, albeit with some reputational rebuilding”, said Toman.
Time is up
“Yet, sometimes no matter the protection put in place there might still be a hack or an internal leak which leads to the threat of disclosure. For those companies finding themselves in this situation, the best-case scenario is that they get wind of the threatened disclosure in advance. If the information is confidential and has not yet been leaked into the public domain there may be the opportunity to apply for an injunction to prevent the disclosure”, explained Boyd.
If the media storm hits..
At other times, there is no advance warning prior to publication. In this instance, “The best approach is to get lawyers involved to assess the information and whether what’s being reported is accurate or inaccurate. If it’s inaccurate, there are legal steps to get it removed”, explained Boyd.
Unfortunately, it’s a matter of when not if, a company will be targeted by hackers and its worth remembering: “the value of proactive crisis management planning only becomes apparent in the aftermath of a crisis” said Toman.