When investment advisers use the cloud, they are making a conscious, informed decision to outsource tasks to vendors who may have particular expertise or infrastructure in place to handle such tasks. From hosted email archiving to compliance reporting, and from hosted backups to client communication portals, moving data to the cloud can help many firms address business needs while enabling them to focus more on their core business – providing investment advice. However, the Securities and Exchange Commission has made it clear that while financial professionals can outsource processes, they cannot delegate the ultimate responsibility for the performance of those functions. After all, it is the investment adviser who is in the trusted position of a fiduciary with respect to the adviser’s clients. It is a mistaken assumption that if the cloud provider has a failure such as a data breach, outage, or failing to perform the contracted level of service, the cloud provider bears all the blame as well as all costs the adviser may suffer as a result of the vendor’s failure. During our initial conversations with firms within the investment community, we discover a misguided belief that their liability is eliminated when utilizing a cloud provider. This article addresses that misnomer and ways to protect your firm. From contractual arrangements pertaining to data breach expenses to encryption of data by cloud providers, and from written assurances to insurance, here are 10 tips to protecting and transferring risk.
1. Inventory and Classify Your Data
Know what data your firm collects, processes, and maintains. Does it contain personally identifiable information (PII) about your clients? Have you classified your data based on its contents (e.g. public, sensitive, or confidential)? In which states do your clients reside? State regulations may differ with respect to their definitions of PII.
2. Inventory Your Systems
Understand what computing systems you have, and where your data is stored on such systems. Which information is stored in which places?
3. Perform a Gap Analysis
Are your information safeguards for various systems commensurate with the level of protection required for the type of data stored on these systems? What do your policies and procedures require with respect to encryption and access controls? Are you complying with your stated procedures?
4. Identify the Business Need
If considering a third party service provider, establish a sound business case for the use of the vendor. Moving data to a hosted environment, for example, may save the firm money in terms of office space for server equipment and the need for in-house IT expertise to update and maintain the hardware. You may be considering the vendor to mitigate business continuity and disaster recovery risk because the vendor may have more resilient backup processes or be better positioned than your firm as an adviser to detect and respond to network intrusion events.
5. Know Your Risk Management Options
Risk assessments and gap analyses are useful in identifying the vulnerabilities and risks of your firm, and which can be addressed by implementing additional controls or outsourcing functions to a third party provider. Generally, risks can be addressed through four means: (1) avoiding the risk, (2) accepting the risk, (3) mitigating the risk, or (4) transferring the risk. Avoiding risk is difficult and generally involves abstaining from a line of business or practice associated with the risk. Third party service providers can assist in mitigating risk. Firms can also choose to transfer some risk to another party, such as through one or more insurance policies. Finally, firms may be forced to accept certain risks at the point when the cost of additional controls exceeds the expected liability for a security incident.
6. Map Data Flows and Information Sharing
Know what information you will be sharing with the third party service provider. Does it contain personally identifiable information (PII) about your clients? Does it contain sensitive intellectual property belonging to your firm? If a breach does occur, you will want to know the general nature of the information which was compromised in order to properly assess response strategies.
7. Do Your Due Diligence
Your clients entrust you with their information, and they expect you to safeguard it from misappropriation and misuse. It is therefore critical that you perform adequate due diligence on any third party service provider you are considering granting access to this information. Ask sufficient questions in order to obtain assurances that the service provider will safeguard the data, such as the following:
8. Review Service Level Agreements
It is imperative that you review Service Level Agreements (SLAs) carefully and ensure that you understand what the vendor is promising in terms of uptime, availability, and responsiveness. The contract negotiation stage is the best time to document in writing whether and how promptly the vendor will notify you in the event of a breach or incident impacting its systems, and which parties are liable for breaches and related expenses when the data is stored on the vendor’s systems.
9. Monitor Third Party Providers
Ongoing monitoring and due diligence is essential to obtain assurances that your vendors are adhering to their SLAs, and that any changes in the vendor’s business, operations, hiring practices, or financial condition do not adversely impact your firm’s ability to serve your clients. Periodically assess whether your vendors have experienced any data breaches or cybersecurity incidents.
10. Consider Transferring Risk
After your firm’s risks have been addressed through costeffective controls, what remains is called residual risk. If the residual risk is more than your firm is willing to accept as within its risk appetite, transferring some risk to another party through one or more insurance policies may be appropriate. You may have coverage for certain types of risks under Directors and Officers (D&O) policies, Errors and Omissions (E&O) policies, and general liability policies.
However, some specific risks such as cybersecurity breaches at your firm or at your third party vendors may fall outside the scope of coverage provided by these policies, and you may wish to consider a Cyber Liability Policy to offer protection to your firm.