Ask these cybersecurity questions

Advisers should hold every type of software they use to the highest security and data privacy standards.
JUL 01, 2019

Every new digital tool a financial adviser adopts increases the firm's vulnerability to a cybersecurity attack, and many advisers aren't doing enough to ensure the third-party vendors they work with meet the highest security standards.

About 63% of data breaches begin from a third-party vendor's vulnerability, according to Bart McDonough, founder and CEO of cybersecurity firm Agio. For example, Redtail Technology's recent data leak exposed the personal information of potentially thousands of clients, and LPL's breach in November traced back to a third-party file sharing system. Yet only 52% of firms have formal security standards for third-party vendors, Mr. McDonough said.

"An adviser may work with dozens of different vendors — all of which have varying degrees of cyber-hygiene and present different degrees of risk, depending on what data they have access to," Mr. McDonough said.

What exactly should advisers be looking for with technology vendors? A good first step is making sure every piece of software the firm licenses has a mechanism for alerting relevant parties to any strange behavior, something cybersecurity experts call "indications of compromise." One example is an IOC that can shut down a system and alert the adviser if there are too many failed logins to a client portal.

Advisers also should be making security standards and certifications a requirement of any technology they use, said Josh Moats, chief information officer of TIAA-owned adviser fintech firm MyVest. System and organizational controls (SOC) certifications developed by the American Institute of Certified Public Accountants provide a validation of an organization's administrative, technical and physical controls. The National Institute of Standards and Technology (NIST) Cybersecurity Framework also provides standards, guidelines and industry best practices.

Adopting the NIST framework and looking for SOC certifications will help build a good foundation of security, but Mr. Moats added some other key areas that advisers should bring up with each vendor.

"I have a core set of security topics that I hold us to, that I ask our partners, and that I expect wealth management buyers to ask us," Mr. Moats said.

He recommends advisers ensure technology vendors maintain fully separate hosted environments across multiple data centers, employ strong encryption and data masking, and can demonstrate that they regularly test and audit against security best practices.

Advisers should ask about the physical security controls of a tech company's offices or data centers. Is there 24/7 security and video surveillance? Are there backup power generators? Are data centers complying with standards like Tier IV, SOC 2 or ISO 27001?

"No matter the level of confidence in your data security, always plan for the worst," Mr. Moats said. "Taking network security to the next level means going beyond standard firewalls."

Mr. Moats also recommended asking how fintech companies are developing new products and features. Firms should be using a segregated environment for testing where no customer data is at risk of being made public, an issue that has caused problems at firms like Voya and BlackRock.

For Mr. McDonough, this security due diligence of technology vendors is important not just for protecting client data, but also for shielding advisers from liability.

"In work with clients in the financial services sector, we've seen vendors try to pass the buck back to the client more times than I can count," Mr. McDonough said. "Considering the pronounced risk they present, it's critical that advisers categorize vendors accurately based on their risk profile and, in turn, apply an appropriate level of scrutiny to each merchant."
