Firms, technology vendors mobilize on security standards

Cybersecurity is a major concern for vendors, firms and advisers

Aug 17, 2016 @ 12:01 pm

By Alessandra Malito

Software companies, consultants and financial institutions are mobilizing to create a cybersecurity consortium to forge higher industry standards to avoid hacking attacks.

The group of about a dozen entities is discussing ways to secure communications between firms and vendors, as well as between vendors, so that client data is better protected. There is currently no accepted standard for the industry. The process of choosing, vetting and integrating with third-party companies is long-winded and needs to be stronger, those involved said.

"There's no real rhyme or reason," said Joel Bruckenstein, co-founder of the Technology Tools for Today conferences and one of the three members leading the consortium's efforts. "Everyone has their own way and own procedure. Everyone has their own vetting process."

Aaron Spradlin, chief information officer at United Planners Financial Services, and Bridget Gaughan, general counsel and chief information security officer at United Planners Financial Services, also are orchestrating the project. After United Planners saw an incident with a third-party vendor involving its clients, though not a breach, the firm realized there was a lack of rules surrounding the relationship between firms and third-party service providers.

"What we learned from that experience is we could wait and see, or we could be more proactive," Ms. Gaughan said.

Cybersecurity is a major concern for the financial services industry, considering institutions house such sensitive information. Breaches happen often to firms, not just internally by employees, but externally through weak passwords and hacked emails. The Securities and Exchange Commission last year urged advisers to create cybersecurity plans.

But a major threat comes from ill-maintained third-party vendors, which was cited as the top challenge for financial services companies, according to a 2016 PricewaterhouseCoopers "Global State of Information Security" survey. More than half of the respondents said they would boost their spending on monitoring these platforms in the next year.

Developing a set of rules that the entire industry must follow will not be easy. Aside from getting everyone to agree, challenges will be in defining the roles and responsibilities for data integrity and protecting confidential information, Ms. Gaughan said.

Instituting a standard that is effective but is not overly intrusive for advisers and does not add extra work for them and their clients will be another obstacle, said Tony Leal, chief technology officer of PIEtech, the creator of financial planning software MoneyGuidePro, who has listened in on consortium calls.

The industry never had a standard because it's just too hard, consortium members agreed. Though there are protocols for other aspects of maintaining technology, there's never been any general guidance on these issues, said Brad Burgess, chief technology officer at NorthStar Financial Services and Orion Advisor Services. His company is also involved in consortium talks.

"There's no overarching authority that would dictate how things in our industry should behave," Mr. Burgess said. For those listening in on these consortium talks, "we all agreed among ourselves that we do need to come up with a common standard."

The benefits can be substantial, though, Mr. Bruckenstein said, including reducing paperwork, cost and time for vendors and firms, which eventually trickles down to the adviser.

"Most other industries have some common standards and this industry has been resisting it for many, many years," Mr. Bruckenstein said. "It is not viable anymore."

The consortium is also discussing a virtual private network that vendors potentially could be included in once vetted. Rather than each vendor doing its own due diligence, vendors would have the backing of this network to verify they are secure.

Details are still being discussed, including who will manage the network, how it would be paid for and the ways in which vendors would be accepted.

"[The consortium has] identified a methodology that ultimately will provide the industry with a shortcut to be at least secure from the outside world," said Brian Edelman, chief executive of Financial Computer Services, a company that specializes in cybersecurity. "What the consortium is looking to do is eliminate all external threats."

Such a network would be most beneficial for small technology vendors that are pushing the industry forward with their innovations but do not have the resources to implement proper cybersecurity measures, he said.

There are no standards specifically for how vendors choose to work with one another, said Brian McLaughlin, chief executive of client relationship management software provider Redtail Technology, which has been in talks about the consortium. Incorporating an industry-wide standard to act as a seal of approval could quell adviser concerns over their vendors' security measures.

