Cloud Technology Blog for RIAs and Broker-Dealers

How Safe Is Your Client Data in the Hands of Vendors?

10/12/15 3:21 PM / by Justin Kapahi

10 questions financial firms should ask when using software-as-a-service.


If your firm is like most modern wealth management firms, you use software from several different vendors: portfolio managers, custodians, business administration and cloud computing providers, just to name a few.

So how confident are you that your client data is safe in the hands of all those other companies? All it takes is one cyber breach at a vendor – or a company the vendor contracts with – to put your firm at risk.

“Software as a Service,” or SaaS, is fast becoming a standard model for RIAs and broker-dealers. There are vast advantages to allowing a vendor to host an application for customers to access through the Internet. Speed, scale and cost-effectiveness are among the greatest benefits of SaaS.

On the other hand, vendors vary wildly in resources and reliability. In the age of rampant cyber crime, wealth management firms must exert vigorous due diligence on all vendors. Here are 10 questions to ask when shopping around.

1: What are the risks of exposing your firm to vendor software?

Your firm faces multiple risks whenever it interacts with a SaaS provider. The primary risk is that the vendor could compromise your firm’s client data. That in turn could lead to material losses for clients, lawsuits and court settlements against your firm, additional regulatory fines and disciplinary action, as well as irreparable damage to your firm’s reputation. Secondary risks include losing business-sensitive data, suffering damage to your firm’s software and unexpectedly diverting precious resources to your firm’s IT system.

2: What data should vendors have access to regarding your firm?

The answer to this question depends on the nature of your business and your firm’s level of comfort with third parties. The more confidential the data, the higher the risk when vendors receive access. Clients’ personally identifiable information (PII), like their names, Social Security Numbers, phone numbers, home addresses, email addresses and bank account numbers, poses the greatest risk. If hackers and identity thieves gain access to such info, your clients could fall prey to all kinds of scams. If vendors have access to the same type of information for employees of your firm, the fallout could be just as devastating – if not more so.

3: What is the vendor’s reputation in the industry?

Before allowing a SaaS provider to access your firm’s systems, research its reputation in the industry for cybersecurity. Ask executives at other wealth management firms what they think of the vendor. Other vendors your firm does business with may be able to offer even better insights about the provider. And don’t hesitate to ask the vendor in question for a list of clients who can vouch for its track record. Remember, you’re looking for more than just evidence of data breaches. You’re also looking for questionable business practices.

4: How strong are the vendor’s internal risk controls?

This may be the most important question to ask. The vendor will apply its current procedures to your firm’s data. Therefore it should have state-of-the-art cloud computing, virus protection, data encryption, program coding, business recovery practices and resilience tests. Vendors also need stringent limits on who can access their systems, and they should be able to maintain operations if disasters such as floods or fires damage their servers. Any vendor’s internal controls should be at least as strong as your own firm’s, and its internal controls should be exceptionally strong at protecting the types of data your firm shares with it.

5: How does the vendor share data with other vendors?

Even if the vendor has airtight internal controls, some other vendor they share data with may be less responsible. Your firm has a right to know which other SaaS providers the vendor uses as a subcontractor. If that subcontractor triggers a data breach at the vendor your firm uses, your firm could experience a data breach too.

6: How does the vendor coordinate its own clients’ access to internal systems?

Although rare, SaaS providers have been known to accidentally grant clients access to the wrong parts of their internal systems. Even rarer, though still possible, is accidentally granting one client access to other clients’ data. Since your wealth management rivals might use the same vendor, either of these mishaps could hurt your firm’s competitive advantage.

7: Who has access to the vendor’s software and hardware?

Large vendors can have thousands of employees spread out in dozens of offices. Only a select few of those people should have access to your firm’s data or be able to gain physical entry to servers housing that data. Moreover, those with access should be relevant to the services you’ve hired the vendor to perform.

8: What should the vendor do with your firm’s data once the contract ends?

Upon the expiration of a service contract, the vendor probably will still have access to some of your firm’s data. It’s often safest for that access to end immediately, but in certain situations the vendor will have to hold onto data a while for operational or regulatory purposes. In any case, your firm should know beforehand how and when it will regain control over all client and employee data.

9: How should your firm conduct ongoing due diligence of vendors?

Checking up on SaaS providers every so often is a best practice, because circumstances change over time. The vendor may have experienced big changes in key personnel. Hackers may have developed new types of malware. Your firm’s business model may have evolved. Or regulators may have imposed new cybersecurity rules. Make sure vendors provide you with periodic reports answering risk assessment questions that satisfy your concerns. And ask to audit the vendor’s premises, particularly locations with servers housing your firm’s data.

10: What should be in your firm’s contract with vendors?

When hiring a vendor, the contract should satisfy your firm’s needs and provide you with the comfort to share confidential data. However, large vendors are unlikely to customize each of their contracts to suit every client. At the very least the contract should include a confidentiality agreement, stipulate how your firm’s data is stored and transmitted, require the vendor to notify your firm of any data breaches, and reveal any subcontractors that will have access to your firm’s data.

Carefully choosing vendors is a critical step all firms should take to minimize their cyber risk. At External IT we treat our clients’ security with utmost priority and partner with our clients to help evaluate their SaaS firms. We understand that software as a service is the future of wealth management, and that vendor security will only grow in importance. This is why it is so important to have an IT partner with specific knowledge and experience in the financial sector.


For a detailed, graded analysis of your firm’s IT infrastructure and IT security practices, including vendor analysis and risk assessment, click here for a free Security Assessment from External IT. You will receive a graded report on key areas as outlined by OCIE, along with recommendations for remediating areas of concern.

Topics: Financial Services, Software-as-a-Service

Written by Justin Kapahi

Justin Kapahi is VP, Solutions & Security for External IT. He has over 15 years of experience in technology & finance and is the former CTO of Fairholme Capital Management.