Think Your Data is Secure? Make Sure Your Tech Follows These 5 Rules

Did you know that statistically speaking, at least some of your online data or login credentials were probably stolen last year?

The compromised passwords might no longer be in use, and your data might be incomplete, but at the rate that data breaches occur, it’s more likely than ever that some part of your numerical identity is floating in the dark recesses of the web.

In April, May, and June of 2018 alone, 765 million people were included in data breaches and cyber attacks.

As a financial advisor, part of your responsibility to your clients is to make sure that the data you keep for them in your various advisor technology applications is safe from prying eyes.

Here are five ways to know if your technology partners are doing all they can to keep your client data secure.

Auditing and Certifying Internal Processes

It’s not good enough for a technology provider to say “We keep your data secure. Trust us.”

Every provider that stores any part of your clients’ data should be vetted by third-party firms outside of their own control to ensure they’re storing and treating information with the care it deserves.

If you don’t know where to begin, ask your provider if they carry these two certifications:

  • ISO 27001 Certified
    The international standard that specifies the requirements for an information security management system.
  • SSAE Type II Audited
    The auditing standard for service organizations, which demonstrates effective internal controls for financial reporting.

In layman’s terms, these certifications mean that your provider’s internal employees follow strict rules about how to handle sensitive information, and their IT team has a written plan for how to deal with cyber-related events of any kind.

If your provider doesn’t carry these, you need to perform more rigorous follow-up to ensure that their procedures are acceptable.

Offering Multi-Factor Authentication for Online Logins

One simple way to protect against physical security breaches is by requiring multi-factor (sometimes known as two-factor) authentication.

Multi-factor authentication relies on multiple physical devices for a user to log in to a website. For instance, after entering credentials on a website, the user may receive a text to their phone with an additional one-time security code to complete the login.

Multi-factor authentication is considered standard practice for most software applications, and that’s especially true for any that contain sensitive financial data.

If your provider doesn’t offer this type of security, ask to see if it’s on the development roadmap.

Ensuring Data Encryption and Data Redundancy

When most people think of data encryption, they might think about developer-speak terms like algorithms and ciphers and keys that they’ve heard in movies—but these don’t mean much to the average advisor.

Let’s get some perspective on the meaning behind some of the technical terms you might hear your technology provider use.

A few encryption standards to know are 128-bit AES and 2048-bit RSA or equivalent. What you need to know about these practices is that they help obscure data as it’s stored, rather than storing information as an easily readable plain text file, so it’s more difficult to decipher.

But there’s more to encryption than how files are stored. When secure files are passed from your technology provider to your firm, those files should be encrypted with file protection by a vendor like Vera.

Passing unencrypted files over the Internet? Always a bad idea.

In addition to encrypting data that are stored, check to ensure your tech provider backs that data up. A cybersecurity attack isn’t always about stealing information; sometimes, it only seeks to knock systems offline.

Your provider needs to have a plan for data redundancy so they can keep running and provide you with access to your data if an issue hits their main systems.

Supporting You If the SEC Comes Calling

It often goes overlooked, but when the SEC sends an audit letter your way, your technology providers should be at the front line of helping you create a quick response.

All the important client data you need is stored in the tech systems you use every day. Ask if your provider offers more than an exported file.

The differentiator here is live support from real people on their service team.

Future-Forward Cybersecurity Measures

Innovation in fintech is ongoing and adapting each day. One of the more recent innovations is by cleverDome, which has created a closed environment that’s not part of the open Internet for advisor technology firms to send data back and forth through more secure channels.

cleverDome uses military-grade, end-to-end encryption for critical data, and right now the service is used by Redtail, TD Ameritrade Institutional, Riskalyze, United Planners, FCI, Geneos, and Orion Advisor Services.

The lesson here? Check in with your technology vendors to see what they’re doing to stay on the cutting edge of cybersecurity initiatives.

Using these five areas as a guide, you can determine whether your technology providers are satisfying the bare minimum in security for your clients, or if they’re leading the way in protecting your firm.

Joel Hurst
Orion Advisor Services, LLC (Orion) is a portfolio accounting service provider for advisors. The firm's technology solutions empower more than 1,300 firms, have $600+ billion in AUA and over 2 million accounts. Joel Hurst, Orion's VP of Business Development for the Southeast, serves advisors located east of the Mississippi. Joel is an avid cyclist, kayaker, snowboarder and enjoys outdoor activities in general.
