For independent advisers and broker-dealers alike, using third-party vendors to work on clients' portfolios is the new normal. While seamless integration may be the hottest technology trend in the industry, monitoring and reinforcing the security measures of the third-party vendors that work within advisers' practices are even more important.
If not maintained properly, a vendor or system with weak cybersecurity could cause serious consequences for a firm, such as a breach of personal client data.
"Advisory firms need to go through their own audits and checklist just to understand where their vulnerabilities are," said Sam Attias, vice president of External IT.
Brian Edelman, the chief executive of Financial Computer Services, a company that works primarily in cybersecurity, said that advisers need to consider what companies they are working with and how they are working with them.
Some factors that wealth management professionals should be aware of include:
• How a program is downloaded: Sometimes advisers aren't aware they are giving full access to their computer when installing software.
• The price of the program: Paying a fee is better than any free service because it changes an adviser's status to customer, therefore forcing companies to take on special liabilities and responsibilities.
• Unbiased online reviews: Advisers should always search the web for reviews of the program and ask people they know who have used the software rather than reach out to users that a vendor may suggest.
• Approved policy: It's important to ensure compliance with any company or enterprise policies that state the type of vendors allowed by their broker-dealers or custodians.
"Integration creates such great efficiency that is so necessary for advisers to compete with robo-advisers," Mr. Edelman said.
However, he added that cybersecurity wasn't always taken as seriously across the industry. Now, with so many high-profile data breaches and more firms placing a high priority on integration, it is finally on more executives' radar screens.
Sid Yenamandra, the chief executive of Entreda, a cybersecurity and risk management company, said hiring a technology expert can help advisers in auditing their software, such as determining if a program has superadministrative access to an adviser's servers and how the firm's systems are configured. Finding an independent technology consultant other than the one who set up an adviser's system is also crucial, he said.
Even the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc. have stepped in to ensure the security of the programs that advisers use. Earlier this year, the regulators urged advisers to come up with a cybersecurity plan. They drew up the guidance from cybersecurity exams that both regulators conduct each year.
"The SEC and Finra recommend that every adviser take an active log of all vendors and applications they may be using to run their practices," Mr. Yenamandra said. "This should be done not once a year or once in six months, but more frequently than that — maybe once a week even."
The cybersecurity experts agreed that industry-specific companies know the importance of security, as well as the rules and regulations of the financial services field.
Brian McLaughlin, the chief executive of the client relationship management system provider Redtail, said that advisers should check with the broker-dealers, clearinghouses and other partners they work with about which service providers they have vetted, but also consult their own employees.
"The most important [initiative] is security awareness training for staff," Mr. McLaughlin said. "Establishing basic security practices and policies such as strong passwords and acceptable Internet usage will go a long way towards protecting a firm's data."
John Michel, chief executive of CircleBlack, a portfolio-analysis program for advisers, said that his company encrypts data so that not even internal staff can change passwords for clients. CircleBlack only takes the data that it needs, thereby excluding sensitive information such as Social Security numbers.
His advice for advisers is to ask all vendors about their security measures.
"It appears very quickly what their attitude is toward security and how they handle it," Mr. Michel said.
Mr. Attias added that advisers should have a checklist of questions to ask vendors, including what recovery plans there are in the event of a breach, whether there is a data center or secondary site, and if so, what security measures are in place there, as well as what certifications there are for the programs.
"You want to make sure you see access points — some firms lock everything down, some firms don't," Mr. Attias said. "Make sure you have visibility and security settings in place along all entry points."