When an advisory firm is seeking a tech vendor or vetting an existing one, the most common request is to see its SOC 2 report — a widely used compliance report that shows how that vendor manages customer data. But when tech CEOs and consultants were asked how advisors can determine which provider offers the best data protection when everyone has the same report, the responses rang loud and clear:
"The SOC 2 reports are a pile of crap. They mean nothing," said John O'Connell, founder and CEO of The Oasis Group, a tech consultant for advisory firms. "If you look at every cybersecurity breach that we've had, every one of them had a SOC 2."
He pointed to recent breaches including one involving Ticketmaster's parent, LiveNation, which confirmed a data hack that compromised information from 560 million customers in May. That same month, cloud platform Snowflake also reported a data breach that impacted users like telecommunications giant AT&T. All of these companies were SOC 2 compliant.
"It is absolutely useless. And I think that advisors specifically hang way too much on a SOC 2 report," he said. "That is not going to protect you one iota when they get breached. They're just not asking the right questions."
The questions advisors should ask current and potential vendors or third-party partners center specifically on the
"It's like less than 5%. We get them occasionally," said John Mackowiak, chief revenue officer of Advyzon, a fully integrated wealthtech platform.
Mackowiak said Advyzon created a security policy that it will also send to potential clients. But O'Connell, who attended a
"You're probably better than most," O'Connell told Mackowiak at the roundtable discussion. "I can't even tell you how many technology firms that I go to and ask, 'Can we get a copy of your privacy policy?' And they say, 'I have a SOC 2.' No, that's not what I am asking."
The roundtable on Sept. 6 also included executives at Advyzon Investment Management, digital analytics provider Kwanti and software engineering firm Softlab 360.
The data questions advisors should be asking tech providers
Every tech provider may handle data differently: whether it stores data in its own database or solely with the advisory firm; whether it shares that data with third parties; and where it stores the data, for example in a cloud service or through a private API (application programming interface).
At the roundtable, the experts said advisors should ask vendors whose database houses the data, where the data moves (if moving between databases), how data is shared and with what parties.
These questions are even more critical with the growing popularity of AI and large language models such as ChatGPT, which runs on OpenAI's models. The concern is that an open, public model learns from the data users input while they are engaging with ChatGPT.
For advisors, something as simple as using an AI notetaker or dictation service during meetings can be a greater risk if that model is open versus closed.
"If an advisor is working with a vendor, ask, 'Will my data be used to train your model?' And get that question answered, because that's critical," said Christophe Gauthron, CEO of Kwanti, a digital portfolio analytics provider based in San Francisco. "During a meeting, some information can be transcribed — Social Security numbers, very personal things. Where does it go? Once it's inside the model, you can't take it out."
Gauthron said advisors should ask tech providers for an AI policy and determine whether the data will be used to train the provider's model or a third-party model.
"Get this in writing," he added.
Henry Zelikovsky, CEO of Softlab 360, went even further. If an advisor is in a meeting to which someone has added their AI-based dictation service, they should ask who those notes will be shared with after the meeting, he said. They should also determine whether the AI notetaker needs to be removed from the meeting, depending on the information that will be discussed. This is particularly important because the notes may then be uploaded to a firm's CRM system, where regulators are able to see and assess them as hard data.
"I'm hypothetically saying that the person who joined their AI notetaker is going to responsibly take the notes. I don't know where it's going, right? And then I find out that they send it to their people in their company who did not make the meeting," he said. "So this becomes an implicit, trustworthy document."
Strong cybersecurity measures start from the top
Advisors can also gauge the cybersecurity level of a third-party provider by whether or not the top executives of that firm clearly place it as a strategic priority.
"It's going to flow down from the top [of the] company. If the top level considers cyber security as a side reason, then it's not going to be implemented properly," Gauthron said. "It's hard to measure that, but it's going to move from the top."
While there are data security concerns with emerging AI tools, Mackowiak added that the tech providers who want to grow a successful business will
"What happens if we have a major data breach? The company could be gone. And so I think smart companies that are sustainable take this very seriously, because it can all go like that," said Mackowiak with a snap of his fingers.