Cloud computing is rewriting the rules for how advisors and other financial-services professionals deploy technology.
And as more RIAs are turning to a software-as-a-service model -- or SaaS -- where their IT applications are hosted and managed remotely, advisors face a host of new considerations when selecting a vendor, according to attorneys with Sutherland, a leading financial-services law firm.
"This is not a piece of software that you're putting on your system," Sutherland's Michael Steinig said during a recent online presentation. "This is an ongoing services relationship that you are now structuring when you have a SaaS product that you are using."
Steinig and other experts urge advisors, brokers and any other financial outfits mulling a move to the cloud to conduct careful due diligence when searching for a vendor. They should assess critical aspects of the service agreement, such as where their data will be stored, how it will be protected, and what contingency plans the provider offers in the event of a disaster.
It's not an abstract concern. Federal and state regulators have been talking loudly about the importance of cybersecurity and business continuity. Both FINRA and the SEC have named security as a top concern that examiners will be evaluating when they visit brokers and advisors. NASAA, the association of state securities regulators, is encouraging states to adopt a model rule that would require firms to have in place a formal business-continuity plan.
Outsourcing IT services, particularly cybersecurity, can be an attractive option for small firms that lack the resources or expertise to effectively manage the technology in-house.
But outsourcing arrangements bring their own set of challenges, including expanding access to sensitive company systems and information. Sutherland's attorneys suggest that firms evaluate the extent to which a SaaS vendor in turn relies on other third parties, and where the boundaries would be drawn around which of the vendor's employees can access a firm's data.
Oversight of third-party vendors is "something that regulators of all sorts ... have taken a tremendous interest in," says Sutherland's Robert Pile.
Negotiating service agreements with cloud providers can be tricky, however. This industry, headlined by known names like Amazon and Salesforce, comprises a vast and growing number of smaller and specialty players. And these firms tend to favor prescribed terms of service and can be reluctant to make significant exceptions to accommodate a particular firm, in part because of what Steinig calls the "reason of necessity."
"They just can't have different rights for different customers," he explains. "Their business model would break."
However, there can be significant variances among vendors, and experts counsel that advisors opt for a provider that is aware of the distinct regulatory contours of the financial-services sector.
Sutherland's Mary Jane Wilson-Bilik stresses the importance of securing audit rights from a cloud provider, so that the practice retains the ability to conduct its own testing -- or to commission yet another outside firm -- to evaluate the security practices of the primary vendor.
"Regulators are looking for some way that you can document that the vendor is meeting the minimum requirements for cybersecurity management, whether it's by certification or third-party testing," Wilson-Bilik says. "You should have it in your contract."
Kenneth Corbin is a Financial Planning contributing writer in Washington and Boston.