In our digital age, most wealth management firms have embraced cloud-based — a.k.a. “software as a service” (SaaS) — technology solutions for their practices. But as SaaS applications and platforms continue to overtake traditional licensed software as the tools of choice for the wealth management industry, financial advisors looking to make the transition to the cloud should proceed carefully.
Given the significant repercussions that wealth management firms can face after a data breach, such as loss of clients, regulatory fines and permanent damage to their reputations, they need to perform extensive due diligence on potential SaaS vendors to make sure client data will not be compromised. If your firm’s SaaS provider doesn’t follow state-of-the-art security measures, or if the companies it contracts with are vulnerable, then you are placing your practice and your clients at serious risk.
When evaluating potential SaaS vendors, wealth managers should carefully review security practices in four areas — application, data, personnel, and process.
Unauthorized employees at a hypothetical custodial institution shouldn’t be able to access RIAs’ or broker/dealers’ networks from their own custodial platforms and view client-level data. They certainly shouldn’t be able to do so without entering their own user credentials.
To prevent such a scenario, wealth managers should make sure that a provider of SaaS software requires two-factor authentication and robust authorization for accessing any cloud application connected with their firms. Authentication ensures that only those who hold valid credentials can access a firm’s applications. Fortunately, most enterprise-level SaaS applications available today support two-factor authentication, which adds an extra layer of protection by requiring users to enter a regular password as well as a one-time password that cannot be reused once it has been accepted.
In addition, not every authorized employee should have access to all sensitive financial information. To reduce the risk of a confidential data leak, SaaS vendors should be able to implement security controls that allow authorized users to only access data they absolutely need in order to perform their job responsibilities. SaaS providers can further control access to client information by restricting, or preventing altogether, the downloading, copying, printing and forwarding of data.
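As an added illustration of the second-factor control described above (this is not code from the article or from External IT), the following checks an RFC 6238 time-based one-time password and records the last time step accepted for each user, so that a code presented a second time, or an older code, is refused. The user names and shared secret are constructed sample data; the secret is the RFC 6238 test key.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown to the user


def totp_code(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class SecondFactorVerifier:
    """Accepts each one-time code once; a replayed or older code fails."""

    def __init__(self, secrets: dict, window: int = 1):
        self._secrets = secrets     # user -> shared secret (constructed sample data)
        self._window = window       # tolerate +/- one step of clock drift
        self._last_step = {}        # user -> highest counter accepted so far

    def verify(self, user: str, code: str, now: float) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        counter = int(now // STEP_SECONDS)
        for step in range(counter - self._window, counter + self._window + 1):
            # Any step at or before the last accepted one is already consumed,
            # which is what makes the password genuinely one-time.
            if step <= self._last_step.get(user, -1):
                continue
            if hmac.compare_digest(totp_code(secret, step), code):
                self._last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret and a fixed clock of T=59 seconds.
    verifier = SecondFactorVerifier({"advisor1": b"12345678901234567890"})
    code = totp_code(b"12345678901234567890", 59 // STEP_SECONDS)
    print("first use accepted:", verifier.verify("advisor1", code, now=59))
    print("replay accepted:   ", verifier.verify("advisor1", code, now=59))
```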
One of the key advantages of SaaS applications is that the SaaS provider stores wealth management firms’ data in its own data center, as opposed to a server on a local network. While a data center is a more secure option, the information stored there could come from multiple firms across many industries.
Wealth managers should check that any SaaS provider conducts rigorous security checks to ensure its data center is secure from any kind of breach. In order to make sure their software is fully compliance-ready, firms should select SaaS vendors that offer enterprise-level backup, retention, logging and secondary site replication, as well as multiple levels of disaster recovery. Best-in-class SaaS providers regularly check that all their operations (not just their data centers), including availability, incident response and intrusion detection systems, meet the requirements for SSAE-16 Type II and other industry security certifications.
SaaS vendors don’t just rely on their software to run their businesses — like all companies, their success depends on their people. This is why RIAs, broker/dealers and other wealth management firms need to inquire about SaaS providers’ hiring and training policies during the due diligence process.
After all, if a hypothetical provider of cloud-based account aggregation software employs a data analyst who was previously terminated from another company for misconduct or negligence, the vendor is putting all wealth management firms it works with, and their clients, at risk.
Wealth managers should make sure the SaaS vendor they choose uses administrative controls to limit employee access to client information, and ensure authorized SaaS employees can only access what they need to complete the tasks they are assigned to perform.
Advisors should also ask a prospective SaaS vendor if it conducts mandatory background checks on all employees, and requires them to sign confidentiality agreements. Ideally, SaaS employees who have access to sensitive information are tested and/or certified, and provided with ongoing training to keep their skills and knowledge current.
The SaaS provider your wealth management firm chooses must have detailed, written policies and procedures in place to prevent cyber breaches. Wealth managers should verify whether or not a prospective SaaS vendor invests heavily in developing and maintaining security controls for every aspect of their service before any contracts are signed.
If SaaS vendors have earned the SSAE-16 Type II certification, then they have been able to demonstrate that they have strong security and risk management policies in place, and can keep the wealth management firms that work with them compliant with necessary regulations. The certification requires SaaS vendors to pass a careful examination, by a third party, of their capabilities to keep data safe.
In addition to checking for the SSAE-16 Type II certification, wealth managers should ask whether SaaS providers test their systems and/or applications for virus protection, data encryption, program coding, business recovery and resilience, and how frequently they do so.
Vigilance is Key
Even after a firm selects and begins working with one or multiple SaaS providers, the advisors need to monitor the vendor(s) to ensure they continue to adhere to high security standards. Like any organization or investment portfolio, SaaS vendors can change over time due to internal and external circumstances. To ensure their client information remains safe and secure, wealth managers should closely monitor the status of their SaaS providers’ data security certifications, and require those vendors to share regular risk assessment reports.
Cloud-hosted solutions offer wealth management practices tremendous benefits, but security controls among the providers of cloud-based software vary significantly. In order to make sure their client data is properly protected, wealth managers must proactively evaluate SaaS vendors’ security policies and procedures — before and after they transition to the vendors’ software.
Justin Kapahi is Vice President of Solutions and Security at External IT, which provides the workplace wealth_ solution, a secure digital hub designed to help financial services organizations operate more efficiently and manage all their compliance and cybersecurity needs as they grow.