Choosing a cybersecurity vendor after the Equifax and Yahoo breaches
Many advisory firms, particularly smaller ones, have awoken to the fact that they can’t realistically protect their systems and sensitive client information from cyber threats on their own.
They need help from an outside vendor, but vetting a security provider in a crowded and highly technical field can be a daunting prospect.
"I think that when you're a small firm it's a challenge to even have the sophistication to evaluate those vendors," says Jon Meyer, chief technology officer at CAPTRUST, a large RIA headquartered in Raleigh, North Carolina. "I do think it's very challenging for small firms to know if you're getting a valuable service."
But following the massive Equifax breach and word that the attack against Yahoo was more extensive than originally reported, and as regulators focus on how firms are protecting their businesses from cyber intrusions, RIAs are feeling like they have no choice.
And they might need more than one service provider.
Security and day-to-day information technology operations, such as network maintenance, should be treated as separate functions, and more often than not, they should be assigned to different vendors, Meyer says.
"I think it's possible for some of the vendors to handle your needs soup to nuts. But our experience is firms are specialized, and a firm that might be excellent at the IT function might not have the security focus," Meyer says.
Indeed, most of the smaller RIAs that use TD Ameritrade as their custodian have an outside vendor to assist with their security needs, for a simple reason.
"They're not running a technology shop," says Bryan Baas, director of risk oversight and control at TD Ameritrade Institutional.
In sorting through the prospective vendors, he suggests an old-fashioned approach to what can be a highly technical challenge.
"The best place to start from our perspective is check with your peers in the industry," Baas says. "Word of mouth is huge, so if you can find some peers who have some vendors they've been using, that's a plus."
The stakes are so high in cybersecurity that it's essential for firms to vet prospective security providers thoroughly, which might mean paying a little more for their services, Baas says.
"Don't hit the easy-cheap button right out of the gate," he says.
RIAs can help their cause by enlisting a consulting firm to assist with the screening process for hiring a security vendor, Meyer says.
He also suggests that advisors commission a public auditing company to perform what is known as a service organization controls audit to scrutinize the provider's internal controls.
"These are critical business decisions," Meyer says. "The SOC audits are invaluable as a starting point for conducting due diligence from vendors."
Meyer and Baas agree that it can be tremendously beneficial to partner with a security firm with experience working in the financial services sector, which therefore has some familiarity with the regulatory environment in which advisors operate.
"They obviously don't have to be licensed and registered in the advisor space, but it helps if you can get a technology firm that does business with other financial and advisory firms," Baas says.
He also recommends that members of the RIA make a site visit to engage with the service provider, bringing with them a clear picture of the specific risks they are looking to address. In the process, they will have a chance to assess the culture of the security provider and gauge whether it is a good match.
"You've got to go prepared with what are your concerns about your business. You need to come with real-life scenarios," Baas says.
"If you've got a technology vendor who's speaking nothing but tech speak and you don't understand it, that might not fit well," he says.