Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
As a virtual chief information security officer for multiple RIAs, I’ve worked with plenty of IT firms.
Unfortunately, I’ve been impressed by only a few.
Why? Many of them don’t understand the unique risks facing financial advisors and give RIAs the same services as all their other clients.
Below are six interview questions that you should ask when looking for an IT provider. And if you already have IT help, ask them these questions too!
Good IT is critical: Your business is at risk!
Stanford University found that a whopping 85% of data breaches are caused by human error, which includes IT people. My own data supports this. When I review client systems (all of whom have an IT firm in place), my security analysts find 50-75% of the security settings are set up incorrectly.
This should scare you.
Hackers are targeting both wealth management firms and – increasingly – your clients. They know that gaining access could mean a big payday. Small businesses are also targeted by hackers more than large companies.
If your IT company makes a mistake, it’s your problem. It’s your clients, your data and your reputation. It’s no longer enough to assume that your IT is “taking care of it.” Their job is to keep you up and running, and not necessarily to make you secure and compliant with the SEC’s cybersecurity standards.
Building your shortlist of potential IT providers
The easiest way to build a shortlist is to look for firms with experience with your size of company and experience supporting your technology stack. For example, a firm that supports Microsoft 365 and Windows is going to be completely different from a firm that supports Google Workspace and Macs.
Once you have your shortlist, here are six interview questions that will help you separate great vendors from ordinary ones.
1. RIA expertise
“What do you do differently for RIAs versus your clients in other industries?”
A good answer will show an understanding of the compliance requirements specific to RIAs, like archiving email, social media and website content, encrypting data, managing mobile devices, data loss prevention, etc.
A bad answer would be either vague or filled with technobabble.
2. Cloud service configuration
“What standards do you follow to ensure Microsoft 365 <or insert your preferred email program here> is properly configured?”
Email platforms, and Microsoft 365 in particular, are complex to administer correctly. The SEC published a risk alert specifically about the secure configuration of cloud services in 2019.
Determine if the IT company has specific processes and standards for securing cloud services like Microsoft 365, Google Workspace, Box.com, etc.
A good answer will detail specific standards, for example: enforce MFA for every account, restrict external document sharing, monitor for risky sign-ins, and filter phishing and spam before it reaches the inbox.
A bad answer would be a list of features that could be deployed – this means they are counting on you to figure it out. If they’ve worked with companies in highly regulated industries (like financial advisors, government contractors or healthcare companies), they should know the basic cybersecurity regulations and recommendations.
3. Antivirus and EDR
“What antivirus product will you install on our computers? Do you provide an endpoint detection and response (EDR) product, and if so, which one?”
If an IT firm is not providing you with both antivirus and EDR, look elsewhere.
Look up the antivirus and EDR product on independent review sites to make sure they are effective and also to make sure the IT firm isn’t just selling you products based on where they make the most money.
4. Software updates
“How will you ensure software is kept up to date on our company devices?”
A good answer will explain how they use a vulnerability scanner to verify what is actually missing on each device; SEC examiners expect to see vulnerability management of this kind.
A bad answer would be a vague response about using the patch management software built into their remote monitoring and management (RMM) tool. RMM patching pushes the updates it knows about but does not independently confirm which vulnerabilities remain, so it is unreliable as the only check.
5. Mobile devices
“Please tell me about a client where you securely manage their smartphones and tablets.”
Mobile device management is non-negotiable. Make sure client data is protected if a device is lost or stolen.
If an IT firm says “well, we could install MDM” – walk away. You do not want to be the guinea pig in their MDM experiment.
A good IT firm will give you specifics: “We recently installed this for 200 users for one of our other clients. We used Microsoft Intune, and if a phone is lost or stolen, we can remotely wipe the corporate email and data from it.”
Press them for specifics. Listen to your gut if they’re being vague or burying you in technobabble.
6. The IT company’s security
Pay close attention to how well the IT company manages its own security. They have the keys to your kingdom. Here are a few questions to ask:
- Do you have a security policy, and can I see a copy of it?
- Did you work with an expert to write the policy?
- Are 100% of your systems protected by multi-factor authentication (MFA)?
- Do you do background checks on employees before they access client data?
Trust your gut. Vague answers are bad.
What happens if you choose the wrong provider?
I’d like to share an example of what happens if you choose the wrong provider.
The CEO of one of my clients had their email account taken over by attackers operating from Nigeria. The CEO’s mailbox was then used to send thousands of clients and partners a phishing message.
The root cause? Their IT team made a mistake that “temporarily” disabled multi-factor authentication (MFA), and nobody was notified that MFA was off. That let the attackers get into the CEO’s mailbox with nothing more than a password.
This was not a simple “oops.” This RIA had to call every client, vendor, and partner and tell them that their information was breached.
My firm is helping this client move to a more careful IT provider. Unfortunately, this came after spending massive amounts of time and money in dealing with the breach.
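As an added example (not code from the article, from the author's firm, or from any vendor), here is how the standard in question 2 ("enforce MFA for every account") and the failure in this story ("nobody was notified that MFA was off") can both be checked mechanically. It evaluates a snapshot of Conditional Access policies in the JSON shape the Microsoft Graph API returns and diffs two snapshots, so a disabled or report-only policy, a deleted policy, or a new user exclusion raises an alert. The policies, their ids and the break-glass object id are constructed for the example.

```python
"""Audit MFA enforcement in a Microsoft 365 tenant's Conditional Access
policies, and alert when a change removes that coverage.

Added example, not from the article. The policy objects are constructed by
hand in the shape Microsoft Graph returns from
GET /identity/conditionalAccess/policies (id, displayName, state,
conditions.users, conditions.applications, grantControls); ids and names
are made up.
"""
import copy


def policy_enforces_mfa_for_all(policy):
    """Enabled, all users, all cloud apps, and MFA (or an authentication
    strength) required. Report-only and disabled states both let a
    password-only sign-in through, so they do not count."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    grant = policy.get("grantControls") or {}
    requires_mfa = ("mfa" in (grant.get("builtInControls") or [])
                    or grant.get("authenticationStrength") is not None)
    return "All" in users and "All" in apps and requires_mfa


def tenant_mfa_status(policies):
    """Summarise tenant-wide MFA coverage from one snapshot of all policies."""
    enforcing = [p for p in policies if policy_enforces_mfa_for_all(p)]
    excluded = set()
    for p in enforcing:  # exclusions (usually break-glass) are gaps to review
        excluded.update(((p.get("conditions") or {}).get("users") or {})
                        .get("excludeUsers") or [])
    return {
        "enforced": bool(enforcing),
        "enforcing_policies": [p["displayName"] for p in enforcing],
        "report_only_policies": [p["displayName"] for p in policies
                                 if p.get("state") == "enabledForReportingButNotEnforced"],
        "excluded_users": sorted(excluded),
    }


def detect_mfa_regression(before, after):
    """Compare two snapshots and return alerts. Poll the policies endpoint on
    a schedule, keep the last snapshot, and page someone on any result, so a
    "temporary" disable cannot go unnoticed."""
    was, now = tenant_mfa_status(before), tenant_mfa_status(after)
    alerts = []
    if was["enforced"] and not now["enforced"]:
        alerts.append("MFA is no longer enforced for all users")
    before_by_id = {p["id"]: p for p in before}
    after_ids = {p["id"] for p in after}
    for p in after:
        old = before_by_id.get(p["id"])
        if old and old.get("state") == "enabled" and p.get("state") != "enabled":
            alerts.append(f"policy '{p['displayName']}' changed from enabled to {p.get('state')}")
    for p in before:
        if p["id"] not in after_ids:
            alerts.append(f"policy '{p['displayName']}' was deleted")
    newly_excluded = set(now["excluded_users"]) - set(was["excluded_users"])
    if newly_excluded:
        alerts.append("users newly excluded from MFA: " + ", ".join(sorted(newly_excluded)))
    return alerts


# Constructed snapshots: BEFORE is a sane baseline; AFTER is the same tenant
# after the IT provider sets the MFA policy to "disabled" while troubleshooting;
# REPORT_ONLY is the common half-finished rollout.
BREAK_GLASS_ID = "11111111-2222-3333-4444-555555555555"  # made-up object id
BEFORE = [
    {"id": "policy-001", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "policy-002", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
AFTER = copy.deepcopy(BEFORE)
AFTER[0]["state"] = "disabled"
REPORT_ONLY = copy.deepcopy(BEFORE)
REPORT_ONLY[0]["state"] = "enabledForReportingButNotEnforced"

if __name__ == "__main__":
    print(tenant_mfa_status(BEFORE))
    for alert in detect_mfa_regression(BEFORE, AFTER):
        print("ALERT:", alert)
```

In a real tenant the snapshots come from the Graph endpoint above (the read-only Policy.Read.All permission is enough), run from a scheduled job that keeps the previous snapshot. The point is that the "block legacy authentication" policy being healthy does not compensate for the MFA policy being disabled: only a policy that is enabled, covers all users and all apps, and grants on MFA counts as coverage, and a report-only policy is a gap, not a control.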
Bad IT can be disastrous for your company. Don’t delay in looking for a reputable IT provider who can handle the unique needs of a financial advisor firm. Your company deserves it, and so do your clients. Use the six questions in this article to narrow down your search.
Josh Ablett is the founder and chief information security officer of Adelia Risk, which provides cybersecurity and compliance leadership through Virtual CISO services for RIAs. If you need to pass audits, stay safe, and manage your IT, you'll love what we do.