Close Close

Retirement Planning > Social Security

Need to Vet a Vendor for Cybersecurity? You’ve Got Help

Your article was successfully shared with the contacts you provided.

You know you need to secure your computer hardware and software at your firm, including all the apps your team uses every day, like email. That’s especially the case due to the rise of sharing data over the cloud between you and your vendor partners.

Keeping client data safe isn’t just a “nice to have” feature; it’s required by regulators like the SEC and FINRA and the states. If you don’t have the resources to do it yourself you can use an outside vendor, such as an MSS (managed security service) provider. But how do you choose an MSS? What questions should you ask all your vendors about how they secure your data? How can you achieve peace of mind when it comes to cybersecurity?

If you’re a member of the cleverDome cyber security co-op, you’ve now got the support you need to vet your vendors, perhaps the trickiest link in the cyber security chain.

On May 31, cleverDome and 3PAS Global, a third-party credentialing and risk assessment service, announced a partnership under which the co-op’s members will be given 3PAS’ vendor security risk assessment services. Effective immediately and for no extra charge to members, those services will include 3PAS’ basic due diligence for vendors—which complies with the international ISO standard—but also cleverDome’s broader due diligence standards that meet federal and state regulatory requirements.

CleverDome is the co-op that provides a software-defined perimeter (SDP) network technology to its members using software called NetFoundry that secures companies’ important data off the public internet and ‘under the Dome.’

In a previous ThinkAdvisor article about independent broker-dealer Geneos’ decision to join cleverDome, Geneos CTO Dean Rager noted that most cyberattacks “come in from a third-party back door.” To slam shut that door, Geneos decided to join cleverDome since its NetFoundry technology creates “for lack of a better term…our own dark web” which frustrates hackers.

Regarding the deal with 3PAS, co-founder and chief risk officer Bridget Gaughan said in a June 7 interview that it will help deliver “the key value of cleverDome—a community-based platform for vendor due diligence.” CEO and cofounder Aaron Spradlin of cleverDome said in the same interview that the deal with 3PAS “provides a level of vendor risk transparency that is truly revolutionary.”

Spradlin and Gaughan realized they needed an efficient, automated way to conduct due diligence on vendors when they served together at the advisor network United Planners—he as chief information officer and she as chief information security, risk and legal officer. “All the vendors were in the cloud,” Spradlin recalls, and “regulators clearly let us know that they had a concern” about the safety of client data. They realized that the solution for United Planners and similar organization—and for individual advisors and even vendors—would be to solve the problem “as a community” which would make it financially more feasible.

“We needed secure devices, end points” Spradlin says, along with “fast private networking, at scale” and some kind of a common due diligence standard.”

Thus, cleverDome’s standards, and the 3PAS vendor assessments that ensures all member vendors under the Dome (such as Orion, Redtail and Riskalyze) are hewing to the same standards Gaughan puts the problem that needed to be solved this way. “How do you get the vendors to come to a common standard, or any standard, since they’re not regulated?” Doing so “gives them a compelling reason to be under the Dome” by showing they’re willing to meet a voluntary standard. “Some will choose not to meet the standard,” but Gaughan suggests that perhaps those vendors “shouldn’t be handling sensitive client data.”

All the co-op’s members have access to those vendor assessments, allowing them to manage their own data security risks.

There’s another big benefit for advisors from those common vendor standards: compliance. Gaughan said “when you need to show a regulator that you’ve done your due diligence” on protecting client data sitting at third parties, with cleverDome “you can demonstrate you’ve done so.”

Looking ahead, Spradlin said that clients will be the ultimate beneficiary of the cleverDome community, and client expectations will drive adoption of common standards. They’ll ask, he says, “’What are you doing to protect my data?’” And advisors can respond, “’Under the dome, here’s what I’m doing to protect your data.’”

“Spradlin says that the Holy Grail of security is “to take consumer information off the Internet; that’s the key risk mitigation effort that cleverDome is doing.”


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.