Robin Brown

How To Ensure Cloud-Based Tech Vendors Are Truly Secure Partners

Posted in In the News


If your firm’s SaaS provider doesn’t follow state-of-the-art security measures, then you are placing your practice and your clients at serious risk.

In our digital age, most wealth management firms have embraced cloud-based — a.k.a. “software as a service” (SaaS) — technology solutions for their practices. But as SaaS applications and platforms continue to overtake traditional licensed software as the tools of choice for the wealth management industry, financial advisors looking to make the transition to the cloud should proceed carefully.

Given the significant repercussions that wealth management firms can face after a data breach, such as loss of clients, regulatory fines and permanent damage to their reputations, they need to perform extensive due diligence on potential SaaS vendors to make sure client data will not be compromised. If your firm’s SaaS provider doesn’t follow state-of-the-art security measures, or if the companies it contracts with are vulnerable, then you are placing your practice and your clients at serious risk.

Article from InvestmentNews

Cybersecurity looms as adviser business threat

Posted in In the News

View on InvestmentNews

U.S. officials have warned for many years that cybercrime is one of the greatest threats facing the nation, and now financial advisers have to face the reality that their businesses are also vulnerable to digital attacks.

News headlines regularly carry stories of broker-dealers and advisers increasingly being targeted by sophisticated hackers aiming for clients’ personal information and funds. Wealth managers also are getting more attention from regulators, which are fining financial firms that fail to be mindful of cybersecurity, including all the actions of their employees and third-party partners.

Colorado Raises the Bar in Buyside Cybersecurity

Posted in In the News

View in FinOps Report

Banks might not be the only financial institutions needing dedicated chief information security officers (CISOs) to oversee and enforce a cybersecurity program.

As FinOps Report goes to press, the Colorado Division of Securities is set to finalize rules which, as of July 15, will make the state the first in the US to require fund managers and broker-dealers to follow a required list of procedures to mitigate the potential for a data breach. Even if the appointment of a CISO is not mandated, fund managers and broker-dealers would have to follow some of the same requirements recently imposed by New York State for banks. Therefore, they would need to pick someone to handle the same responsibilities.

How Wealth Managers Can Identify the Right Cloud Technology

Posted in In the News, Think Advisor

View on Think Advisor

Although cloud computing is fast becoming the norm in IT, many people still have trouble defining “the cloud.” Even among IT experts, the term “cloud” can refer to a wide variety of different technologies that are only connected in a general sense.

This confusion makes it hard for wealth managers to know whether the cloud is secure enough to support their firms’ critical information and workflows. The answer to this question isn’t so much “yes” as “yes, it can be.” Not all clouds are created equal, especially when it comes to management and infrastructure. In order to experience the full benefits of the cloud, wealth managers need to understand which type of cloud solution is the right fit for their practice before they begin the transition process.

Not all Clouds are Equal: Demystifying the ‘Public Vs. Private’ Debate

Posted in Asset Managers, Audience, Broker-Dealers, Family Offices, Registered Investment Advisors, White Papers

Is the Cloud Secure Enough to Support a Wealth Management Firm’s Critical Company Information?

Different clouds do different things. As such, choosing the right approach to the cloud can have a significant impact, both short- and long-term, on a wealth management firm’s business.

Ask a wealth management colleague to define “the cloud” and you are likely to get a vague response. Even among IT experts the term “the cloud” can have different meanings. And despite the fact that cloud computing has become the IT norm, questions about its security remain. The truth is that not all clouds are equal in infrastructure and in management. This white paper is for wealth management professionals who seek to understand “the cloud” and how these technologies can support their overall business goals.


White Paper ‘Demystifies’ the Cloud for Wealth Managers

Posted in Press Releases

External IT’s Latest White Paper Identifies Management & Oversight Best Practices for Implementing Cloud-Based Solutions

NEW YORK—April 4, 2017—External IT has published a new white paper, “Not All Clouds are Equal—Demystifying the ‘Public vs. Private’ Debate,” to educate wealth management professionals about cloud computing, and how to identify the most secure and efficient cloud-based technology solution for their businesses.

The white paper can be downloaded from the External IT website.

“Cloud computing has fast become the ‘new normal’ in IT, but many professionals in wealth management have only a vague idea of what ‘the cloud’ actually is, and how the cloud can be leveraged across their organizations,” said Sam Attias, Managing Director at External IT. “The cloud can help wealth managers secure their firms’ critical information and workflows, as well as optimize business processes for servicing clients. However, in a highly regulated industry like financial services, the use of the cloud requires robust management and oversight—and not all clouds are created equal in terms of how they are managed and delivered. We drafted this white paper to help wealth managers understand what is necessary to operate in the cloud, and how to identify the right approach before making the transition.”

The white paper analyzes the potential advantages, and drawbacks, of public and private cloud platforms for wealth management firms, as well as hybrid cloud solutions that seek to combine the cost-efficiency of public clouds with the customization, and greater security and compliance controls, of private clouds. The white paper also discusses the criteria that wealth managers should use to evaluate potential cloud service providers, including:

  • Industry & Technical Expertise
  • Security & Compliance Requirements
  • Third-Party Validation & Accreditation
  • Established Customer Base & References
  • Support


3 Tips for Enhancing Your Firm’s Cybersecurity Readiness

Posted in In the News


After witnessing massive cybersecurity breaches at companies such as Adobe, Target, Home Depot, Sony, Experian and JPMorgan over the past four years, wealth management firms, like members of many other industries, have ramped up efforts to protect sensitive client information from hackers.

I work with financial advisors, family offices, broker-dealers and asset managers across the U.S. to create cybersecurity and IT solutions that meet their business and compliance needs, and based on what I have seen, many wealth managers do have solid cybersecurity measures in place.

The problem isn’t that they don’t have a cybersecurity plan—the problem is that not every staff member follows all the steps in the cybersecurity plan, or even knows to do so. This is important, because during SEC regulatory audits, the examiner doesn’t just want to see that you have all the necessary tools to protect sensitive financial information. They also want to make sure you and all your team members actually know how to use them, and regularly test them.

Below are three tips on best practices for enhancing your firm’s cybersecurity readiness to protect your clients’ sensitive financial data as the threat of cyber-attacks continues to increase.

1. Universal Adherence is Key
In this day and age, all it takes for your firm to experience a reputation-damaging and costly data breach is one employee losing a company mobile device that isn’t password-protected. To truly protect your clients and your firm, all cybersecurity procedures must be followed by every employee.

I can’t tell you how many times I’ve heard an advisory firm’s chief compliance officer or chief IT officer say, “Well, we tell people to do something, but so and so is a managing director and he doesn’t want to do it, and we can’t force him to do it.”

This excuse won’t pacify investors when their personal information is stolen by hackers. It won’t pacify SEC examiners during audits either.

Unfortunately, I’ve seen more than a few 40-person advisory firms where 38 employees utilize two-factor authentication to protect their devices. More often than not, the two holdouts who refuse to use two-factor authentication are senior advisors who wind up putting the entire company, and all its clients, in jeopardy, because they have access to everything in the system.

Cybersecurity processes need to be universally followed across your organization in order to be effective. Your cybersecurity protocols are rendered ineffective if even one person ignores them.
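The point above, that 38 of 40 staff on two-factor authentication is not "95% secure" when the two holdouts are the most privileged users, is easy to turn into a check you can run against an identity provider's user export. The following is an added example written for this page, not code from the article or from External IT. The CSV column names (user, role, mfa_enrolled, admin) and the 40-account export are constructed assumptions; adapt the column mapping to whatever your identity provider actually exports.

```python
"""MFA coverage audit: a percentage threshold versus universal adherence.

Added example. The export format and the sample accounts below are constructed
for illustration; they are not data from the article or from any real firm.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample export: 38 staff enrolled in MFA plus two senior holdouts
# who hold admin rights, mirroring the 40-person firm described in the article.
_STAFF_ROWS = "\n".join(f"staff{i:02d},associate,true,false" for i in range(1, 39))
SAMPLE_EXPORT = (
    "user,role,mfa_enrolled,admin\n"
    + _STAFF_ROWS + "\n"
    + "md.senior,managing_director,false,true\n"
    + "advisor.senior,senior_advisor,false,true\n"
)

# Identity providers spell booleans differently; accept the common forms.
_TRUE_VALUES = {"true", "yes", "y", "1", "enabled"}


def _flag(value: str) -> bool:
    return value.strip().lower() in _TRUE_VALUES


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    mfa_enrolled: bool
    admin: bool


def parse_export(text: str) -> list[Account]:
    """Parse the (assumed) CSV layout into Account records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Account(
            user=row["user"].strip(),
            role=row["role"].strip(),
            mfa_enrolled=_flag(row["mfa_enrolled"]),
            admin=_flag(row["admin"]),
        )
        for row in reader
    ]


def mfa_coverage(accounts: list[Account]) -> float:
    """Fraction of accounts enrolled in MFA (0.0 for an empty export)."""
    if not accounts:
        return 0.0
    return sum(a.mfa_enrolled for a in accounts) / len(accounts)


def mfa_holdouts(accounts: list[Account]) -> list[Account]:
    """Accounts without MFA, admins first: one unenrolled admin exposes
    everything that account can reach, so they lead the report."""
    return sorted(
        (a for a in accounts if not a.mfa_enrolled),
        key=lambda a: (not a.admin, a.user),
    )


def audit(accounts: list[Account], threshold: float = 0.95) -> dict:
    """Report both verdicts side by side: the percentage threshold a firm
    might be tempted to use, and the universal check the article calls for."""
    coverage = mfa_coverage(accounts)
    holdouts = mfa_holdouts(accounts)
    return {
        "coverage": coverage,
        "meets_threshold": coverage >= threshold,
        "universal": not holdouts,
        "holdouts": holdouts,
        "admin_holdouts": [a for a in holdouts if a.admin],
    }


if __name__ == "__main__":
    result = audit(parse_export(SAMPLE_EXPORT))
    print(f"MFA coverage: {result['coverage']:.0%}")
    print(f"Meets 95% threshold: {result['meets_threshold']}")
    print(f"Universal adherence: {result['universal']}")
    for acct in result["holdouts"]:
        tag = "ADMIN" if acct.admin else "user"
        print(f"  holdout: {acct.user} ({acct.role}) [{tag}]")
```

Run against the constructed export, the 95% threshold passes while the universal check fails, and both holdouts are flagged as admins. The threshold is kept only to show why it is the wrong metric; the verdict to act on is `universal`, and the `admin_holdouts` list is the one to hand to the chief compliance officer.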

Hacked? Proposed Bill Would Allow Firms to Hack Back

Posted in In the News, Think Advisor

View on Think Advisor

House proposes bill amendment that would allow retaliatory hacking

Rep. Tom Graves, R-Ga., introduced a bill as a discussion draft that would allow a victim of a cyberattack to access the attacker’s computer in order to gather information about the attack to share with law enforcement or to stop the hacker from continuing to access their network.

The Active Cyber Defense Certainty Act would not allow cyberattack victims to destroy any information on their attacker’s network or to otherwise cause a threat to public safety. The proposed amendment has not been formally introduced yet.

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” Graves said in a statement on Friday announcing the proposal. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”

Conversation is all that Justin Kapahi, vice president of solutions and security for External IT, expects to come from the proposed bill. He told ThinkAdvisor on Wednesday that the proposal was likely “meant to provoke discussion” rather than to actually become law.

“It’s good to create a discussion around ‘why do we have to play defense? Why can’t we play offense?’” he said. Ultimately, though, he said advisors could take the proposal as “entertainment,” and to continue focusing their cybersecurity efforts on what regulators are looking for now.

He pointed out that most breaches are from users inadvertently giving their passwords to hackers. He recommended financial firms strengthen their cybersecurity programs with training and two-factor authentication.

Read more at Think Advisor


First State-Mandated Cybersecurity Law Goes Into Effect In New York

Posted in In the News


Unlike guidelines from the SEC and FINRA, New York details specific actions and names a hard deadline for compliance. 

The first state-mandated cybersecurity regulations in the nation went into effect Wednesday in New York State, requiring a wide range of financial services, banks and insurance firms to adopt measures aimed at protecting client data.

The rules, which the New York Department of Financial Services proposed in September and finalized Feb. 20, contain 23 sections detailing specific actions firms must have in place, including data encryption, appointing a chief information security officer, training employees in security, multi-factor authentication, and annual evaluations from a senior officer. The rules affect any companies regulated by New York DFS, as well as any third party vendor that has access to the data.

“New York is the financial capital of the world and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew Cuomo said on finalizing the rules last week.

Firms have six months to comply with the rules and could face significant penalties and sanctions if they fail to do so.

Justin Kapahi, vice president of solutions and security at External IT, said nothing in New York’s mandate should surprise firms already following industry best practices, in addition to the guidelines already issued by the Securities and Exchange Commission and the Financial Industry Regulatory Authority. However, the federal guidelines lack specifics. For example, the SEC requires firms to implement “reasonable safeguards to protect a client’s nonpublic information,” but doesn’t define what those reasonable safeguards are, according to The Wall Street Journal. Nor does the SEC stipulate what firms must do after a breach occurs, how it will enforce rules or penalize noncompliance.

“[New York is] taking what the SEC and FINRA have put out there and created a much more detailed and prescriptive version,” Kapahi said. “In here, you see a lot of detailed descriptions for what needs to be done.”


Cybersecurity: How to prevent ‘insider accidents’

Posted in In the News

As cyberattacks have become a serious threat to the wealth management industry, many financial advisory firms have developed strong policies to prevent client data from being hacked.

However, some firms haven’t exerted the same amount of effort into training their employees or vendors to make sure these policies are correctly implemented. As a result, money spent goes down the drain, said H2L Solutions CEO Jonathan Hard during an exclusive Financial Planning webinar on cybersecurity.

According to an OCIE survey of broker-dealers and advisers, 88% of BDs and 74% of advisers have experienced cyber-related incidents, the majority of which are related to malware and fraudulent emails. Also, 25% of the BDs who suffered loss blame it on employees not following policies, which led to security compromises.

It’s important to note that not all cybersecurity breaches are external. An “insider accident” could compromise a firm’s security, Hard said. “If your employees are not properly trained — no matter what technical solution you have in place to eliminate that risk, no matter how much money you spend — you’ll still be compromised,” Hard said.

In fact, over 90% of hacks come from an unintentional inside job, said Justin Kapahi, vice president of solutions and security at External IT, a technology services provider for advisory firms. “All employees have the keys to the security you built up. If they hand the keys to random strangers on the street, that’s not secure,” he said.

Read more at Financial Planning