The cloud is quickly weaving its way into the fabric of financial planners’ technology infrastructure. Subscribing to services delivered exclusively through the Internet can yield a variety of benefits, but many planners remain concerned about the security of information stored in the cloud. If due diligence isn’t performed on a cloud provider’s security practices, private and confidential information about clients, planners, or even the firm itself may be compromised and exploited by intruders. By asking providers upfront questions on their security policies and procedures, planners can identify vendors committed to protecting sensitive information on behalf of the firm’s customers in addition to offering cost-effective business solutions.
Who Is Responsible?
One can reasonably identify individuals responsible for the security of computers, servers, and software applications physically located in a financial planning firm, including the data and information stored within them. Usually it is the IT administrators, whether they are on-site employees or third-party contractors, who are charged with protecting devices from unauthorized access and maintaining the latest security updates and patches.
But when servers and software are provisioned through a cloud service provider, planners cannot assume that the provider will be responsible for the security and protection of data stored on their systems. A study published in April by the Ponemon Institute revealed that the majority of cloud providers (69 percent) believe they are not responsible for cloud security, but that it is their customer’s responsibility to secure the cloud.1
With such uncertainty over who is responsible for cloud security, planners must take it upon themselves to learn about security policies employed by providers in order to decide whether they are reasonably designed to safeguard confidential information. I emphasize the phrase “reasonably designed,” as that is the principles-based language used to establish the standard of care registered investment advisers must follow to protect clients’ privacy and information as stated in SEC Rule 206(4)-7.2
There are general practices all planners can follow to reasonably protect information that is transmitted over the Internet, including exchanges with cloud service providers.
“Whenever possible, use Secure Sockets Layer [SSL] and HTTPS connections for web-based tools,” advises Brad Burgess, director of software development for Orion Advisor Services LLC, a back-office portfolio service bureau for financial planners. HTTPS, or Hypertext Transfer Protocol Secure, encrypts Internet communication sent from a web browser to a website and identifies secure websites based on digital certificates signed by a trusted third-party authority. Well-known certificate authorities include VeriSign, TrustWave, and Comodo.
Most modern web browsers display the https:// portion of a website’s URL in the address bar, indicating a secure connection is present. One can then typically click on the https:// to view certificate information, including the certificate issuer, date of expiration, and type of encryption implemented.
Before planners start storing clients’ personal information on cloud services, Burgess advises that planners request and review a provider’s corporate security documents.
“The corporate security documents should identify how the service provider secures their infrastructure, such as server hardening to reduce access points, implementing recognized industry security standards, and encrypting data both in transit and at rest,” says Burgess.
According to Wes Stillman, founder of Right Size Solutions, a private cloud infrastructure provider to financial services organizations, there is no current industry standard for the contents of corporate security documents. However, Stillman recommends that planners request information on 10 key elements regarding a provider’s security protocols. (See the “10 Key Elements of Cloud Security” sidebar.)
“Public corporate security documents won’t expose the full details of a provider’s security infrastructure in order to prevent that information from falling into the wrong hands,” says Stillman, “but they should adequately identify security measures in place across a number of key areas.”
For example, Stillman recommends planners request a cloud provider’s history of vulnerability testing. Planners should be wary of providers who do not have documentation of vulnerability testing. For those that do, Stillman advises planners look for past instances of critical vulnerabilities and what steps, if any, were taken by the provider to correct the issues.
Burgess agrees, adding, “Reputable providers will publish incidents of past security breaches, usually over a period of the last 12 months.” Such reports should outline the nature of the exploit, severity of the breach, and changes made to policies and procedures to prevent security breaches in the future.
Burgess also says this type of information may already be included in corporate security documents, but some providers don’t always include it, so planners will need to specifically request it. As a best practice, any records and research gathered from cloud service providers should be saved to the planner’s compliance files so they are available in the event a regulator or auditor brings up the issue of data security.
Unfortunately, no system, policy, or security measure can guarantee 100 percent protection against attacks and unauthorized access of either local devices or cloud-based providers. But by following practical guidelines of safe Internet use and selecting cloud providers with robust security policies, planners are less likely to be the target of an attack. New threats and vulnerabilities are discovered daily, so it is critical that planners continually update their due diligence of cloud providers in addition to their own policies and procedures that are reasonably designed to safeguard the digital assets of the business and its clients.
Ponemon Institute. 2011. Security of Cloud Computing Providers Study (April). www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computing-providers-final-april-2011.pdf.
Securities and Exchange Comission. February 5, 2004. Final Rule: Compliance Programs of Investment Companies and Investment Advisers. www.sec.gov/rules/final/ia-2204.htm.