3 questions advisors should ask their tech vendors
By now, RIA owners have had time to absorb the main cautionary bullet point from Capital One’s data privacy breach: namely, using any type of cloud-based platform — even one hosted by Amazon Web Services — is by no means a cybersecurity panacea.
But if you are an RIA without the technology budget or in-house expertise of a large corporate entity like Capital One, acting on that knowledge can be more than challenging, especially when it means getting into the weeds to provide oversight and ensure the vendor has taken appropriate steps to protect the firm’s client data.
One solution, however, is to put the usually unappealing emotion of schadenfreude (pleasure derived from others’ misfortunes) to productive use. Cyber breach headlines can serve as catalysts for running practice drills with vendors, keeping your own firm’s data breach prevention and management procedures current. RIA owners can treat these events as tabletop exercises for their own cybersecurity policies and procedures.
A vendor may have all the right capabilities and policies to protect the firm’s data, but if it falls short on implementation, a cybersecurity event or data breach may be just waiting to happen. Involve the technology vendors by asking: could this happen to us? And ask them to prove it.
Owners can start by working through their incident response plans with their cybersecurity teams as if the in-the-news breach had actually happened at the firm: Could this happen here? If not, why not? If so, why, and what steps would we take to remedy it? RIAs should ask their vendors to show their own due diligence and reviews as part of these exercises. Together with their vendors, the RIA’s cybersecurity team should be able to document why this either is an issue, is no longer an issue, or could become an issue.
As you proceed with your vendor, here are three sometimes overlooked issues and potential solutions to focus on:
USE ENCRYPTION AND ACCESS CONTROLS LIBERALLY
Using encryption is a key part of cybersecurity management when sharing client data outside of the firm’s systems. CRM systems and other platforms offer advisors the ability to encrypt data, and tomes have been written about the virtues of encrypted email. But encryption does not help a firm if the breach is carried out with credentials that have been compromised: a valid login decrypts the data just as readily for an intruder as for its rightful owner.
Enter access controls. These enable the RIA to limit who has access to its data and, very importantly, what they can do with it. Tight controls give RIAs the ability to monitor who is accessing what data and how frequently, and to raise red flags on anomalies.
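As an added illustration of the "who is accessing what data, and how frequently" monitoring described above (example code written for this page, not from the column or any vendor product): a small Python check over a constructed audit-log sample that flags reads outside a user's entitlement and a day's read volume far above that user's own baseline. The log format, the entitlement table and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed entitlement table (assumed exportable from the vendor platform):
# the client accounts each user is allowed to read.
ENTITLEMENTS = {
    "alice": {"acct-1001", "acct-1002"},
    "bob": {"acct-2001", "acct-2002"},
}

# Constructed audit-log sample in an assumed "<timestamp> <user> <account>" format.
LOG_LINES = """\
2024-05-01T09:01:00 alice acct-1001
2024-05-01T11:00:00 bob acct-2001
2024-05-02T09:30:00 bob acct-2002
2024-05-02T14:10:00 bob acct-2001
2024-05-03T02:11:00 bob acct-2001
2024-05-03T02:12:00 bob acct-2002
2024-05-03T02:12:30 bob acct-1001
2024-05-03T02:13:00 bob acct-1002
2024-05-03T02:13:30 bob acct-2001
""".splitlines()


def parse(line):
    ts, user, account = line.split()
    return datetime.fromisoformat(ts), user, account


def review_access(lines, entitlements, spike_factor=3.0, min_events=5):
    """Return (kind, user, detail) alerts: 'scope' for a read outside the
    user's entitlement, 'volume' for a day far above the user's prior average."""
    alerts = []
    per_day = defaultdict(lambda: defaultdict(int))  # user -> date -> reads
    for line in lines:
        ts, user, account = parse(line)
        if account not in entitlements.get(user, set()):
            alerts.append(("scope", user, f"{ts.isoformat()} {account}"))
        per_day[user][ts.date()] += 1
    for user, days in per_day.items():
        history = []  # daily read counts seen so far form the baseline
        for day in sorted(days):
            count = days[day]
            if history and count >= min_events:
                baseline = sum(history) / len(history)
                if count > spike_factor * baseline:
                    alerts.append(("volume", user, f"{day} {count} reads vs avg {baseline:.1f}"))
            history.append(count)
    return alerts
```

On the sample, "bob" trips both rules: two reads of accounts he is not entitled to, and a day of five reads against a prior average of 1.5.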
KEEP VENDOR CONTRACTS CURRENT
It is to the RIA’s benefit to conduct due diligence on vendors with some regularity, if not annually.
Like any other organization, vendors change their underlying capabilities and infrastructure over time. What was true last year might not be true this year, and this may affect the RIA’s service agreement or raise additional questions — e.g., are firewalls set up and being used properly? Is additional training needed? What does the hiring process for vendor employees or contractors look like?
Cybersecurity threats to the cloud-based environments we operate in continually change. It is imperative for RIAs to have agreements in place that address the current realities.
CONSIDER CYBER INSURANCE
I’ve said it before in these pages, but it’s worth repeating: there are some things that are beyond the control of even the most ironclad policies and implementation. RIA owners may want to investigate cybersecurity insurance, which can help with some of the fallout from a breach — e.g., liability costs, forensics, credit monitoring, notification, business interruption.
Two broader takeaways. First, it is up to RIAs to put the onus on their vendors to prove that they are doing everything they purport to do for the firm in their policies and agreements, or risk losing the firm’s business.
Second, keep abreast of the headlines. Learning from others’ missteps is a great way to keep them from happening at your own firm.