There’s a lot more advisors could be doing to ensure their client data is protected in the wake of the recent massive security breach involving SolarWinds software, according to industry experts. And this applies to advisors who are and who aren’t customers of SolarWinds, according to fintech specialists.
“Many firms in the industry have some sort of SolarWinds product that either they are using directly, or that a vendor is using as part of their ‘cyber’ package,” Joel Bruckenstein, head of Technology Tools for Today (T3), recently told ThinkAdvisor.
“Every advisory firm should be asking their vendors about this, but few if any are so far,” he said.
While the hacked software isn’t heavily promoted by advisory and fintech firms, SolarWinds is “widely used” in the industry, according to Tommy Marshall, executive director of Georgia FinTech Academy.
Marshall, though, isn’t overly concerned about the SolarWinds breach in terms of advisors, because “experts have [emphasized] that the attack was an espionage effort with [a] primary focus on defense and other government entities,” he explained.
Still, “cybersecurity awareness is certainly important for both advisors and their clients” over all today, Marshall explained. This is because right now, “the greatest threat continues to be from phishing attacks that are best prevented through education.”
Thus, he added: “Advisors should take steps to maintain awareness for them and their teams. Also, advisors should encourage clients to be cautious and remind clients about what steps the advisor takes to protect them.”
Scott Lamont, a senior manager at F2 Strategy, agrees that the SolarWinds breach seemed to have been driven by the aim of gaining access to government entities and their data.
But the former Brown Brothers Harriman wealthtech executive noted, “I would still be concerned and do my due diligence. I would tend to use every one of these events as a learning opportunity and strive to make my data more secure.”
1. Ask these questions.
Advisors should be asking themselves several key questions, Lamont said: “If this type of supply chain attack can occur with SolarWinds, can it also occur with software that I leverage (if I’m not a SolarWinds customer). And is there anything more I can be doing to protect our clients and their data?”
If an advisor is a SolarWinds client, “I want to understand what potential exposure I might have (even if financial services firms weren’t the primary target), whether I’m still vulnerable and what they’ve done to resolve and prevent future attacks,” according to Lamont.
Heading into 2021, “We’re seeing (and advocating) a much higher level of vendor due diligence as a client priority” and “understanding what the practices are that the vendors you rely on is as critical as understanding your own best practices, the consultant explained.
After all, he noted: “You rely on their technology, and they are a part of your organization when you integrate their code into yours, so knowing how they are protecting themselves is as important as understanding the functionality they provide.”