Your firm’s cybersecurity deserves more than a trusting handshake and a blind eye.
Trust is the foundation of any worthwhile relationship, and wealth management is no exception. So it may feel odd to implement stringent controls over user-access permissions to your firm’s operating system. Instead, view this as a valuable method of protecting people you care about. It could save your firm from costly cyber breaches, embarrassing reputational scandals and onerous regulatory pressure in the future.
When an RIA or broker-dealer migrates its operating system to a cloud-based platform, this frees employees to log on from various devices, whether inside the office or elsewhere. Likewise, a cloud platform allows clients to upload and download files relevant to their financial accounts from the comfort of their homes. These abilities offer great benefits to productivity, but they also come with a great responsibility.
As a general rule, the only information that individuals should have access to is the information that suits their role. When companies change their business models, the roles of staffers and the makeup of their clientele, firms may need to update their user-access permissions.
For example, some RIAs are adopting robo software to automate investment management of smaller clients. A human advisor at such a firm may stop overseeing smaller clients and start focusing on wealthier clients. Meanwhile the RIA may also have an in-house portfolio manager. It may be appropriate for the advisor to lose access to these smaller accounts, for the portfolio manager to retain access, and for the robo vendor to gain access to these client accounts.
Or consider the instance of an advisor who quits the firm, taking along a handful of clients. The advisor likely used the RIA’s customer relationship management, portfolio management and business administration software. From the moment the advisor departs, all access to these tools should end. Former clients also should lose access to any software that provides market research, thought leadership or subscriptions intended for paying clients.
In the case of the robo software, failure to change user-access permissions could result in the human advisor making decisions that affect holdings of the wrong clients. In the case of the departing advisor, failure to change permissions could lead to theft or destruction of company data. Either scenario risks lawsuits, disciplinary actions, negative publicity and lost clientele.
A great feature of controlling user-access over a cloud-based platform is the ability to customize the permissions by individuals, groups and devices. The marketing team can have different permissions than the portfolio management team. Users accessing the operating system from smartphones can have different permissions than users accessing the system from laptops. Specific devices can lose access entirely, which would prove essential if a firm’s office were ever broken into and computers were stolen.
Access can even be limited to certain days or times, like only Monday through Friday or only 7 a.m. to 7 p.m. And at any time of any day the permissions administrator could block a user from uploading or downloading files from applications, grant or revoke access to certain applications. That may be warranted if the firm notices unusual activity internally or suspects outsiders of hacking the system.
Just be careful about the hierarchy of permissions. If an individual is granted the ability to control the access of other users, then that individual could change permissions without the knowledge or consent of senior management. Conversely, if a team leader loses the ability to control the access of other users, then that individual cannot change permissions for their subordinates.
Perhaps the greatest advantage of permissions is that it allows the firm to track all activity on the operating system. When did the new assistant advisor log on last night? What applications did he open? How long did he access each application? Did he download or upload any files? What device did he use to access the system? And from where did he access the system? The firm can find the answers to all of these questions. Depending on the situation, it may result in a change of user-access permissions for this employee.
Chances are your firm will rarely fall prey to burglars or untrustworthy employees. It’s more likely that you will need to be aware of when employees and clients join and depart the firm. And even if your firm sticks with the same third-party vendors forever, regulations require firms to control vendor access to data. If you want to take the smart approach to cybersecurity, you want to implement user-access permissions through a cloud-based platform.