By now, RIA owners have had time to absorb the main cautionary bullet point from Capital One’s data breach: namely, using any type of cloud-based platform, even one hosted by Amazon Web Services, is by no means a cybersecurity panacea.
Lesson learned.
But, if you are an RIA without the technology budget or in-house expertise of large corporate entities like a Capital One, acting on that knowledge can be more than challenging. Especially when it means getting in the weeds to provide oversight to
One solution, however, is to put the usually unappealing emotion of schadenfreude, pleasure derived from others’ misfortunes, to productive use. Cyber breach headlines can serve as catalysts for running practice drills with vendors, keeping the firm on top of its own data breach prevention and management procedures. In other words, RIA owners can turn each in-the-news breach into a table-top exercise for their own cybersecurity policies and procedures.
A vendor may have all the right capabilities and policies to protect the firm’s data,
Owners can start by working through their incident response plans with their cybersecurity teams as if the in-the-news breach had actually happened at the firm: Could this happen here? If not, why not? If so, why, and what steps would we take to remedy it? RIAs should ask their vendors to show their own due diligence and reviews as part of these exercises. Together with their vendors, the RIA’s cybersecurity team should be able to document why this either is an issue, is no longer an issue, or could become an issue.
As you proceed with your vendor, here are three sometimes overlooked issues and potential solutions to focus on:
USE ENCRYPTION AND ACCESS CONTROLS LIBERALLY
Using encryption is a key part of cybersecurity management when sharing client data outside the firm’s systems. CRM systems and other platforms offer advisors the ability to encrypt data they hold, and much has been written about the virtues of encrypted email. But encryption does not help a firm if the breach is carried out with compromised credentials: the platform decrypts data for whoever presents valid credentials, so an attacker logged in as an authorized user sees exactly what that user can see.
Enter access controls. These enable the RIA to limit who has access to its data and, very importantly, what they can do with it. A credential that can only view a handful of client records is far less damaging when stolen than one that can export the entire book, and multi-factor authentication means a stolen password alone is not enough to log in. Tight controls also give RIAs the ability to monitor who is accessing what data and how frequently, and to raise red flags on anomalies, such as an account pulling far more records than its normal workload.
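To make the two halves of that point concrete, here is an added example (not code from the article or from any vendor it discusses) of a least-privilege authorization check followed by a simple access-rate anomaly scan over constructed audit log lines. The role-to-permission map, the log line format and the user names are all hypothetical; the threshold of 20 distinct records per hour is an illustrative assumption, not an industry figure.

```python
"""Least-privilege authorization plus access-rate anomaly detection.

Added example, not from the original article. Role map, log format,
user names and the per-hour threshold are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical role-to-permission map. An advisor can only read client
# records; exporting or deleting requires a more privileged role.
ROLE_PERMISSIONS = {
    "advisor": frozenset({"client:read"}),
    "ops": frozenset({"client:read", "client:export"}),
    "admin": frozenset({"client:read", "client:export", "client:delete"}),
}


def authorize(role, action):
    """Default deny: allow only if the role explicitly grants the action."""
    return action in ROLE_PERMISSIONS.get(role, frozenset())


# Assumed audit log line format (constructed for this example):
#   <ISO timestamp> user=<id> role=<role> action=<perm> record=<record id>
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for garbage."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def flag_anomalies(events, max_records_per_hour=20):
    """Flag (user, hour) windows touching more distinct records than allowed.

    A stolen credential used for bulk collection usually shows up as one
    account reading far more distinct records than its normal workload.
    """
    seen = defaultdict(set)  # (user, hour) -> distinct record ids
    for ev in events:
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        seen[(ev["user"], hour)].add(ev["record"])
    return sorted(
        (user, hour.isoformat(), len(records))
        for (user, hour), records in seen.items()
        if len(records) > max_records_per_hour
    )


def audit(lines, max_records_per_hour=20):
    """Enforce the role map, then scan the allowed events for anomalies.

    Returns (denied, anomalies): denied is a list of (user, action) pairs
    the role map rejected; anomalies is the output of flag_anomalies().
    """
    denied, allowed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line; a real system would log this too
        if authorize(ev["role"], ev["action"]):
            allowed.append(ev)
        else:
            denied.append((ev["user"], ev["action"]))
    return denied, flag_anomalies(allowed, max_records_per_hour)


# Constructed sample log: alice does normal work in the morning; bob's
# advisor credential is used late at night to read 25 distinct records in
# one hour and then to attempt an export the advisor role does not grant.
SAMPLE_LOG = [
    f"2019-08-01T09:{m:02d}:00 user=alice role=advisor action=client:read record=C{1000 + i}"
    for i, m in enumerate((5, 12, 40))
] + [
    f"2019-08-01T22:{m:02d}:00 user=bob role=advisor action=client:read record=C{2000 + m}"
    for m in range(0, 50, 2)
] + [
    "2019-08-01T22:51:00 user=bob role=advisor action=client:export record=C2000",
    "this line is not an audit record",
]

if __name__ == "__main__":
    denied, anomalies = audit(SAMPLE_LOG)
    print("denied:", denied)        # bob's export attempt
    print("anomalies:", anomalies)  # bob, 22:00 hour, 25 distinct records
```

The access control stops the export outright, and the anomaly scan still flags the reads the role legitimately permitted, which is the point of the paragraph above: limit what a credential can do, then watch how it is actually used.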
Clients won't accept complacency when a vendor is hacked. Acting quickly is key.
KEEP VENDOR CONTRACTS CURRENT
It is to the RIA’s benefit to conduct due diligence on vendors regularly, and at least annually.
Like any other organization, vendors change their underlying capabilities and infrastructure over time. What was true last year might not be true this year, and this may impact the RIA’s service agreement or raise additional questions, e.g., are firewalls set up and being used properly? Is additional training needed? What does the hiring process for vendor employees or contractors look like?
Cybersecurity threats to the cloud-based environments we operate in continually change. It is imperative for RIAs to have agreements in place that address the current realities.
CONSIDER CYBER INSURANCE
I’ve said it before
Two broader takeaways: First, it is up to RIAs to put the onus on their vendors to prove that they are doing everything they purport to do for the firm in their policies and agreements, or risk losing the firm’s business.
Second, keep abreast of the headlines. Learning from others’ missteps is a great way to prevent them from happening to your own firm.