Firms, Technology Vendors Mobilize on Security Standards

Article citing Brian Edelman, Financial Computer CEO.
Link to the article: InvestmentNews.

Cybersecurity is a major concern for vendors, firms and advisers.

Software companies, consultants and financial institutions are mobilizing to create a cybersecurity consortium to forge higher industry standards to avoid hacking attacks.

The group of about a dozen entities is discussing ways to secure the communications between firms and vendors, as well as vendors with vendors, so that client data is more securely protected. There is currently no accepted standard for the industry. The process of choosing, vetting and integrating with third-party companies is long-winded, and needs to be stronger, those involved said.

“There’s no real rhyme or reason,” said Joel Bruckenstein, co-founder of the Technology Tools for Today conferences and one of the three members leading the consortium’s efforts. “Everyone has their own way and own procedure. Everyone has their own vetting process.”

Aaron Spradlin, chief information officer at United Planners Financial Services, and Bridget Gaughan, general counsel and chief information security officer at United Planners Financial Services, also are orchestrating the project. After United Planners saw an incident with a third-party vendor involving its clients, though not a breach, the firm realized there was a lack of rules surrounding the relationship between firms and third-party service providers.

“What we learned from that experience is we could wait and see, or we could be more proactive,” Ms. Gaughan said.

Cybersecurity is a major concern for the financial services industry, considering institutions house such sensitive information. Breaches happen often to firms, not just internally by employees, but externally through weak passwords and hacked emails. The Securities and Exchange Commission last year urged advisers to create cybersecurity plans.

But a major threat comes from ill-maintained third-party vendors, which was cited as the top challenge for financial services companies, according to a 2016 PricewaterhouseCoopers “Global State of Information Security” survey. More than half of the respondents said they would boost their spending on monitoring these platforms in the next year.

Developing a set of rules by which the entire industry must follow will not be easy. Aside from getting everyone to agree, challenges will be in defining the roles and responsibilities for data integrity and protecting confidential information, Ms. Gaughan said.

Instituting a standard that is effective but not overly intrusive for advisers, or adds extra work for them and their clients, will be another obstacle, said Tony Leal, chief technology officer of PIEtech, the creator of financial planning software MoneyGuidePro, who has listened in on consortium calls.

The industry never had a standard because it’s just too hard, consortium members agreed. Though there are protocols for other aspects of maintaining technology, there’s never been any general guidance on these issues, said Brad Burgess, chief technology officer at NorthStar Financial Services and Orion Advisor Services. His company is also involved in consortium talks.

“There’s no overarching authority that would dictate how things in our industry should behave,” Mr. Burgess said. For those listening in on these consortium talks, “we all agreed among ourselves that we do need to come up with a common standard.”

The benefits can be substantial, though, Mr. Bruckenstein said, including reducing paperwork, cost and time for vendors and firms, which eventually trickles down to the adviser.

“Most other industries have some common standards and this industry has been resisting it for many, many years,” Mr. Bruckenstein said. “It is not viable anymore.”

The consortium is also discussing a virtual private network that vendors potentially could be included in once vetted. Unlike each vendor doing their own due diligence, they would have the backing of this network to verify they are secure.

Details are still being discussed, as to who will be managing the network, how it would be paid for and the ways in which vendors would be accepted.

“[The consortium has] identified a methodology that ultimately will provide the industry with a shortcut to be at least secure from the outside world,” said Brian Edelman, chief executive of Financial Computer Services, a company that specializes in cybersecurity. “What the consortium is looking to do is eliminate all external threats.”

Such a network would be most beneficial for small technology vendors that are pushing the industry forward with their innovations but do not have the resources to implement proper cybersecurity measures, he said.

There are no standards specifically for how vendors choose to work with one another, said Brian McLaughlin, chief executive of client relationship management software provider Redtail Technology, which has been in talks about the consortium. Incorporating an industry-wide standard to act as a seal of approval could quell adviser concerns over their vendors’ security measures.