Vet tech vendors carefully when moving to the cloud
Cloud computing is rewriting the rules for how financial advisors and other financial services professionals deploy technology.
And as more registered investment advisors turn to a software-as-a-service model where their information technology applications are hosted and managed remotely, they face a host of new considerations when selecting a vendor, according to attorneys with financial services law firm Sutherland Asbill & Brennan LLP.
“This is not a piece of software that you’re putting on your system,” Sutherland Asbill partner Michael Steinig said during an online presentation. “This is an ongoing services relationship that you are now structuring when you have a SaaS product that you are using.”
Steinig and other experts urge advisors, brokers and any other financial outfits mulling a move to the cloud to conduct careful due diligence when searching for a vendor.
They should assess critical aspects of the service agreement, such as where their data will be stored, how it will be protected, and what contingency plans the provider offers in the event of a disaster.
It isn’t an abstract concern. Federal and state regulators have been talking loudly about the importance of cybersecurity and business continuity.
Both the Financial Industry Regulatory Authority Inc. and the Securities and Exchange Commission have named security as a top concern that examiners will evaluate when they visit brokers and advisors.
The North American Securities Administrators Association is encouraging states to adopt a model rule that would require firms to have in place a formal business continuity plan.
Outsourcing IT services, particularly cybersecurity, can be an attractive option for small firms that lack the resources or expertise to effectively manage the technology in-house.
But outsourcing arrangements bring their own set of challenges, including expanding access to sensitive company systems and information.
Sutherland Asbill attorneys suggest that firms evaluate the extent to which a SaaS vendor in turn relies on other third parties and where the boundaries would be set for which employees would be able to access a firm’s data.
Oversight of third-party vendors is “something that regulators of all sorts ... have taken a tremendous interest in,” says Sutherland partner Robert J. Pile.
Negotiating service agreements with cloud providers can be tricky, however.
This industry, headlined by known names such as Amazon and Salesforce, comprises a vast and growing number of smaller and specialty players.
And these firms tend to favor prescribed terms of service and can be reluctant to make significant exceptions to accommodate a particular firm, in part because of what Steinig calls the “reason of necessity.”
“They just can't have different rights for different customers,” he says. “Their business model would break.”
However, there can be significant variances among vendors, and experts counsel that advisors opt for a provider that is aware of the distinct regulatory contours of the financial services sector.
Sutherland Asbill partner Mary Jane Wilson-Bilik stresses the importance of securing audit rights from a cloud provider, ensuring the ability for the practice to conduct its own testing or commission yet another outside firm to evaluate the security practices of the primary vendor.
“Regulators are looking for some way that you can document that the vendor is meeting the minimum requirements for cybersecurity management, whether it’s by certification or third-party testing,” Wilson-Bilik says. “You should have it in your contract.”
Kenneth Corbin is a Financial Planning contributing writer in Washington and Boston.
This story is part of a 30-day series on leading tech trends for advisors. It was originally published on July 31, 2015.