There’s a lot more advisors could be doing to ensure their client data is protected in the wake of the recent massive security breach involving SolarWinds software, according to industry experts. That applies whether or not an advisor is a SolarWinds customer, according to fintech specialists.
“Many firms in the industry have some sort of SolarWinds product that either they are using directly, or that a vendor is using as part of their ‘cyber’ package,” Joel Bruckenstein, head of Technology Tools for Today (T3), recently told ThinkAdvisor.
“Every advisory firm should be asking their vendors about this, but few if any are so far,” he said.
While the hacked software isn’t heavily promoted by advisory and fintech firms, SolarWinds is “widely used” in the industry, according to Tommy Marshall, executive director of Georgia FinTech Academy.
Marshall, though, isn’t overly concerned about the SolarWinds breach in terms of advisors, because “experts have [emphasized] that the attack was an espionage effort with [a] primary focus on defense and other government entities,” he explained.
Still, “cybersecurity awareness is certainly important for both advisors and their clients” overall today, Marshall explained. This is because right now, “the greatest threat continues to be from phishing attacks that are best prevented through education.”
Thus, he added: “Advisors should take steps to maintain awareness for them and their teams. Also, advisors should encourage clients to be cautious and remind clients about what steps the advisor takes to protect them.”
Scott Lamont, a senior manager at F2 Strategy, agrees that the SolarWinds breach seemed to have been driven by the aim of gaining access to government entities and their data.
But the former Brown Brothers Harriman wealthtech executive noted, “I would still be concerned and do my due diligence. I would tend to use every one of these events as a learning opportunity and strive to make my data more secure.”
1. Ask these questions.
Advisors should be asking themselves several key questions, Lamont said: “If this type of supply chain attack can occur with SolarWinds, can it also occur with software that I leverage (if I’m not a SolarWinds customer)? And is there anything more I can be doing to protect our clients and their data?”
If an advisor is a SolarWinds client, “I want to understand what potential exposure I might have (even if financial services firms weren’t the primary target), whether I’m still vulnerable and what they’ve done to resolve and prevent future attacks,” according to Lamont.
Heading into 2021, “We’re seeing (and advocating) a much higher level of vendor due diligence as a client priority” and “understanding what the practices are that the vendors you rely on is as critical as understanding your own best practices,” the consultant explained.
After all, he noted: “You rely on their technology, and they are a part of your organization when you integrate their code into yours, so knowing how they are protecting themselves is as important as understanding the functionality they provide.”
2. Review, improve cybersecurity.
Lamont also advised advisors to “double down” on their security.
“SolarWinds was a sophisticated attack, and while focusing on how it happened and how to prevent a similar attack in the future from impacting us is important, don’t lose sight of the less sophisticated attacks that can expose your clients’ data,” he said.
“Educating your employees about phishing attacks and taking measures to shore up your own cybersecurity protocols will help reduce the chance you expose client data to the malicious attack,” the consultant added.
3. Scrutinize client information.
It is also imperative to “know your data,” Lamont explained. “Understanding where your client data is stored, how it’s being used and where it’s being sent gives you an advantage in protecting it.”
The consultant added, “If only the necessary data elements are being shared across applications, you reduce the chance of exposing that data to an attack against a specific application.”
Bruckenstein has warned advisors who fail to secure their data that they could face the wrath of regulators, who have been “cracking down on” financial firms.
The Office of the Comptroller of the Currency recently levied a $60 million civil money penalty against Morgan Stanley Bank and Morgan Stanley Private Bank for 2016 data breaches in two Wealth Management business data centers in the U.S.
Unclear Industry Use
Lamont said he didn’t know how many advisory firms use SolarWinds software. “But my sense would be that it would be larger firms that are doing more of their network monitoring and application development in-house (as opposed to leveraging third parties and vendor hosted solutions), given what SolarWinds is used for,” he said.
SolarWinds did not immediately respond to a request for comment about its financial services clients and whether any may have been impacted by the breach.
The company said in 2018 that a “major financial services company” with 4,000 employees had turned to SolarWinds for an “enterprise-grade, unified IT monitoring solution.”
“Schwab’s use of the SolarWinds Orion product” involved in the breach “was retired in 2017,” a Charles Schwab spokesperson said Tuesday.
“Our security teams have scanned our environment for any related risks and have found none so far. We will continue to actively monitor our systems. We are also proactively evaluating any potential risks associated with any third-party vendors,” the firm added.