Everyday tech — even printers — needs cybersecurity protection
As you layer up before venturing outside in frigid weather, you know it’s the base layer of protection closest to your skin that’s key to staying warm and dry. The same logic applies to managing and protecting your firm’s technology.
While many focus solely on their firms’ fintech stack — the external-facing technology and core business applications used by advisors — far fewer realize that RIAs must also prioritize their everyday technology. The tech stack is the firm’s non-negotiable base layer. It comprises technology and hardware such as printers, personal computers, the internet service provider and firewalls. It also encompasses certain software and core applications such as MS Word, PowerPoint, Excel and email technology, be it Office 365 or something else. It may also include some type of virtual environment, such as a cloud-based virtual desktop or virtual server.
When it comes to protecting their IT operations, RIAs typically gloss over their tech stack and focus on the core business applications in the fintech stack — including the custodian, the CRM, portfolio management, rebalancing and reporting tools, for example. But RIAs must protect access into every system they have control over. This means the base layer tech stack, not just the fintech stack. Without access controls for the tech stack, RIAs open up themselves and their clients to phishing scams, data breaches and so much more. They risk exposing their interactions to bad actors who will hack accounts and monitor firm transactions and client engagement.
Even if the third-party fintech provider is protecting its application through multifactor authentication (MFA), the RIA is still on the hook for protecting access to that app and to the client data being used and stored with it. The firm needs a cybersecurity policy and IT protocols that support a cohesive access management program.
Build an architected environment
An architected environment, versus a piecemeal, device-by-device or app-by-app approach, provides the RIA with a foundation from which to manage access to all of its disparate fintech applications and base layer tech systems.
Whereas putting everything in the cloud does not constitute management of anything, an architected environment is a thoughtfully structured framework that ensures access to all data and systems is managed, controlled and monitored — including access from unmanaged devices.
Consider: Most fintech providers use MFA, so even if a user accesses the application from an unprotected device, the data inside the application is protected. But client data are at risk and potentially exposed, and the RIA is liable, if that user downloads the information from the application to an unprotected — and hacked or infected — device or email system.
An architected environment removes this risk for the RIA by only allowing protected devices to access the systems.
Managing access when someone leaves
While it may be relatively easy to grant access, it is a more difficult task to take it away. Since RIAs use quite a number of core systems and applications, this is not as simple as flipping everything to the off position. When an advisor or any employee leaves, the RIA should protect access to all the firm’s applications and portals by shutting down that individual’s access to the firm’s fintech stack immediately. It also includes cutting off that person’s access to everything else.
But proper management of this process includes deploying pre-determined protocols for monitoring email and app access, archiving and storage so that operations can continue and the firm meets regulatory and client requirements.
And as RIAs grow — whether organically or through merger and acquisition — it is critical that there are IT management and cybersecurity protocols that are flexible enough to morph with every iteration of the firm’s operations. Here again, the architected environment offers RIAs that base layer of protection with flexibility for teams to function as independent units.
This includes access controls and protections that can take firms through growth phases and Day One of firm combinations resulting from M&A. Since integrations take time, merging firms need to be able to run their still-separate organizations autonomously while meeting the regulatory demands of what needs to be in place.
A fluid base layer of access protection
With more than just its fintech stack to protect, the RIA needs a foundation from which to manage access and oversight of the firm’s disparate fintech applications and tech systems. An architected environment gives firms fluid IT management and cybersecurity protection, starting with the base layer of technology and extending through to fintech apps, regardless of the type of device being used.