Protecting your client data held on third-party services and apps

By Julian Plummer

The human resources software provider PageUp, which provides services to the likes of Zurich and the Reserve Bank of Australia, recently flagged that it had detected “unauthorized activity” on its system.

Security breaches are happening at an increasing rate around the globe, some affecting billions of people, but the recent PageUp hack is a lot closer to Aussies, because many major Australian organisations use it as their HR platform.

Software-as-a-service (SaaS) products are great because they significantly reduce the cost of maintenance, including infrastructure, product updates and security.

Additionally, in the case of SaaS, the service provider operates and secures the platform that holds your clients’ data. The benefit is that large SaaS providers have access to greater security resources (often world-class) than any planning practice could fund itself; the cost is that you don’t have much of a say in how those resources are deployed. Note that this does not transfer your own accountability: you remain responsible for how your accounts, access rights and data on that platform are managed, and for your obligations to your clients if the data is lost.

What, then, are your responsibilities as a financial planner to ensure that your data in the cloud is safe? Well, as anyone in security will tell you, there is no 100 per cent safety.

But you can manage the risk and bring it down to an acceptable level. In other words, you will need to do your due diligence in order to protect your customers’ data.

As a buyer, when selecting a SaaS provider, you should ask the following questions:

  • Does the SaaS provider hold a current certification against an information security standard such as ISO/IEC 27001, and does the certificate’s scope actually cover the service you are buying?
  • Does the SaaS provider have a written information security policy?
  • Does the SaaS provider carry out regular security assessments, including independent penetration tests, and how are the findings tracked to closure?
  • What security protection mechanisms are in place, such as firewalls, anti-virus, intrusion detection systems, and encryption of data in transit and at rest?
  • Where is the data stored, and in which jurisdictions (including any backups and sub-contracted hosting)?

The cloud provider (and this includes financial planning applications) should be able to answer these queries without hesitation.

Some of the questions can get technical very quickly. If in doubt, it’s a great idea to engage a security expert to help make the decision. If possible, you should consider carrying out your own technical security assessment against the SaaS provider.

Many cloud providers are open to this, but some are still reluctant, in which case you should ask to see the most recent independent security assessment report (typically a penetration test report, or at least its executive summary and a statement of how the findings were remediated, since full reports are often only shared under a confidentiality agreement). Midwinter, as an example, is very open to potential clients asking security-minded questions as part of their due diligence – it’s expected.

Now, what if you are a small business? Using a cloud provider is a bit like being a passenger on a bullet train, while keeping all your data in-house is like driving your own car – you’re in the driver’s seat, you are in control, but you must now take full responsibility for your risks.

When you take a bullet train, you are saving cost (compared to driving the car all the way) and you are gaining performance (getting there faster), but you are putting someone else in control of your safety.

In this case, you are not in the bullet train driver’s seat, and you don’t really have a say in how the bullet train company runs their trains, even if you know what questions to ask. This is the same when you sign up to something like Office 365 or G Suite.

These are instances where you should look to the contract for protection: what security commitments the provider makes, how quickly it must notify you of a breach, and what remedies or compensation are available to you if its security is compromised.

You could also look at the provider’s history of security incidents – although on its own this is often a weak signal, because in information security the past is not necessarily a good indication of the future. How the provider responded to past incidents (how quickly it disclosed them and what it fixed) tells you more than whether it has had any.

To give an example, you know a company takes security seriously when it has its own team of ethical hackers and runs a bug bounty program (a bug bounty program is where outside security researchers are invited to find vulnerabilities in the company’s products and report them in return for a reward).

If you look even closer, you will also see that these companies typically respond to security vulnerability reports quickly and responsibly.

Last, but not least, prepare a communications plan for your clients, should an incident like this happen.

Be prepared to be open and frank about what happened and what you are currently doing, and keep your clients up to date. Contact the SaaS provider and ask for details of the incident: what data was affected, over what period, and what has been done to contain it. Consult with your information security expert on how to handle the issue, and on how your clients can best be informed so that they can protect their own data.

Individual financial planners may not be in a position to be influential enough to get many SaaS providers to respond to security questions – but their licensee should be. Licensees should be reviewing cloud-based software on behalf of their advisers.

Additionally, it is the licensee that is on the hook for much of this.

According to ASIC’s RG 109.30, the licensee must ensure they have “enough technological resources to enable you to: (a) comply with all of your obligations under the law; (b) maintain client records and data integrity; (c) protect confidential and other information; and (d) meet your current and anticipated future operational needs.”

So, any licensee whose advisers used PageUp should be re-reading that particular paragraph with interest. Luckily, I can’t see much client data being caught up in this breach, so it is a good early warning indicator of what is to come.

What I see happening in the future is that licensees and practices will end up having an approved list of applications that have passed security tests, much like products on approved product lists (APLs) must pass research tests.

We are just starting to see this begin to take place – and it is even more important with the rise of APIs and practices wanting to “build their own stack” of tech applications, because every integration adds another party that holds, or can reach, client data.

It’s also worth considering the damage done to all advisers in this royal commission.

Sure, you may have a completely compliant business, but the royal commission will have some sort of impact on you.

When I first saw the news of this breach, the attached graphic to the headline was a picture of the RBA building.

My first thought was that the RBA had been hacked – and that assumption would have continued had I not read further. So now, in some minds, the RBA’s brand has been tarnished.

That considered – the message is, you trade on trust. Make sure you treat your clients’ data with the care it deserves. Additionally, licensees must start doing due diligence on the applications that advisers under their AFSL use. If there is one thing worth protecting in our industry – it’s data.

By Julian Plummer, Managing Director
