At BGL Corporate Solutions, Australia's leading supplier of SMSF administration and ASIC corporate compliance software solutions, we take security and privacy seriously. With the recent introduction of Multi-Factor Authentication in CAS 360 and Simple Fund 360, we are continuously working to ensure our clients' data is safe.
Here are the questions you need to be asking your software providers
I hacked together my first computer game at 12 years old. The game I wanted didn’t exactly exist on the obscure 8-bit computer my father gave me, so I pieced one together – one built just for me, just the way I wanted it to be.
Bringing that memory up may sound a little silly, but it’s not so different to what is happening in the financial advice industry at the moment.
The idea of building your own tech-stack is becoming more and more appealing to financial advisers.
The fintech landscape is broadening with unbridled enthusiasm and the new kids on the block are unashamedly opening up their APIs and happily locking lips with each other, allowing planners to architecturally design the way their systems speak to each other.
A one-size-fits-all approach just doesn’t cut it in today’s advice climate. A more tailored advice process means a more individualised service and you and your clients will be better off for it.
But before you start slicing your tech stack together and shooting data back and forth through multiple applications, there are a few important questions you should be asking each and every technology provider who is going to make up your pie.
In the past, I’ve stated that not all cloud computing partners are equal, and in a world where cyber breaches are more common than ever before, it’s imperative to be vigilant when choosing the various software for your business.
Question 1 – Where and how does the vendor store their data?
It may come as a surprise, but running in the cloud does not by itself make a vendor's solution more or less secure. Regardless of where the data is stored, the same security principles apply. The questions to ask are: how is the data stored and protected, and how much control does the service provider have over the infrastructure? Look out for areas where they have no control; in that case, be aware that you may now have another third party to deal with.
Question 2 – Does the vendor have basic network security measures such as firewalls, intrusion prevention systems and anti-virus solutions implemented?
This may seem like an obvious question but don’t be afraid to drill a little deeper. Ask if the vendor’s security defence is actively managed – i.e. have they merely implemented them and forgotten about them or is someone actively monitoring and managing them on a day-to-day basis? If their network security measures are actively monitored, this increases the likelihood that potential cyber attacks and breaches will be detected and mitigated.
Question 3 – How does the software manage the various levels of access?
Each software provider will have a model of how varying levels of user access are managed. A good question to ask is: how are different levels of user access controlled, and how is access granted?
Cloud providers tend to offer a "multitenant" application, where your data is stored alongside everyone else's data (and client data is separated by a "strong logical hierarchy", as opposed to being on different servers, as is the case with legacy "managed hosted" (non-cloud) applications). So, ask your cloud provider how they separate your client data so other advisers cannot see it!
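The "strong logical hierarchy" above comes down to whether every query the application runs is scoped to the calling firm's tenant. The following is an added example, not code from the original article or from any vendor's product: it builds a constructed in-memory SQLite table shared by two hypothetical firms ("firm-a" and "firm-b") and places the weak lookup pattern (keyed on the record id alone) beside the hardened one (every predicate also carries the tenant taken from the authenticated session). The table, column and tenant names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data for two advisory firms (tenants) sharing one database.
SAMPLE_RECORDS = [
    (101, "firm-a", "Alice Client", 250000.0),
    (102, "firm-a", "Bob Client", 98000.0),
    (201, "firm-b", "Carol Client", 410000.0),
]


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE client_records ("
        " record_id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " client_name TEXT NOT NULL,"
        " balance REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO client_records VALUES (?, ?, ?, ?)", SAMPLE_RECORDS)
    conn.commit()
    return conn


def lookup_unscoped(conn, record_id):
    # Weak pattern: the query keys only on the record id, so any authenticated
    # user who supplies another firm's record id gets that firm's data back.
    return conn.execute(
        "SELECT tenant_id, client_name, balance FROM client_records WHERE record_id = ?",
        (record_id,),
    ).fetchone()


def lookup_scoped(conn, tenant_id, record_id):
    # Hardened pattern: the caller's tenant (taken from the authenticated
    # session, never from the request body) is part of every predicate, so a
    # record belonging to another tenant simply does not exist from this
    # caller's point of view.
    return conn.execute(
        "SELECT tenant_id, client_name, balance FROM client_records"
        " WHERE record_id = ? AND tenant_id = ?",
        (record_id, tenant_id),
    ).fetchone()


def list_for_tenant(conn, tenant_id):
    """Listing is scoped the same way: a firm only ever sees its own record ids."""
    rows = conn.execute(
        "SELECT record_id FROM client_records WHERE tenant_id = ? ORDER BY record_id",
        (tenant_id,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    # A user authenticated as firm-a asks for record 201, which belongs to firm-b.
    print("unscoped:", lookup_unscoped(db, 201))          # leaks firm-b's record
    print("scoped:  ", lookup_scoped(db, "firm-a", 201))  # None
    print("own:     ", lookup_scoped(db, "firm-a", 101))  # firm-a's own record
    print("listing: ", list_for_tenant(db, "firm-a"))     # [101, 102]
```

When a vendor describes their separation model, the answer you are looking for is the second pattern applied everywhere (reads, listings, exports, reports), ideally enforced centrally, for example through a data-access layer or database row-level policies, rather than relying on each developer to remember the extra predicate.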
Question 4 – How does the vendor encrypt your data?
This is an important question and here’s why:
You will want your data to be encrypted in at least two areas: when it is stored in the database, and when it travels to and from the database and your computer. Ask the vendor if and how the data is encrypted and if they use the latest industry standard. Ideally, no one should be able to access your data when it is sitting in the database and when it is in transit. Only you and the vendor’s system should be able to view it.
Question 5 – How often do they deploy updates, and how are these updates communicated to users?
Software updates, including security patches, are vital to the integrity of the system. Ask for their patch cycle, especially pertaining to the underlying infrastructure such as the operating system. Ideally, systems should be updated as soon as patches are available. Expect no less than an update each month (even though the process might be invisible to you as a user).
Question 6 – Does the vendor have access to your data? If so, which employees do, and how does the vendor make sure there is no unauthorised access to your data?
Depending on the data and your requirements, you may not want your data to be accessible by anyone else at all, including the vendor. Ask how, and under what conditions the vendor will provide access to your data to anyone, and ask how the vendor is able to identify unauthorised access.
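A vendor that can genuinely "identify unauthorised access" will have an audit trail of staff access to client data and a way to reconcile it against approved support requests. The following is an added example, not code from the original article or from any vendor's system: it parses a few constructed audit-log lines in a hypothetical key=value format, treats actors in an assumed vendor domain ("vendor.example") as vendor staff, and flags any read of client data that either has no support ticket or whose ticket was approved for a different firm. The log format, field names, domain and ticket register are all assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed audit-log lines in a hypothetical "timestamp key=value ..." format.
SAMPLE_AUDIT_LOG = """\
2024-05-02T10:15:03Z actor=support.jane@vendor.example tenant=firm-a action=read_client record=101 ticket=SUP-4412
2024-05-02T10:16:40Z actor=adviser.tom@firm-a.example tenant=firm-a action=read_client record=102 ticket=-
2024-05-02T11:02:11Z actor=support.jane@vendor.example tenant=firm-b action=read_client record=201 ticket=SUP-4412
2024-05-02T11:30:00Z actor=support.raj@vendor.example tenant=firm-a action=read_client record=101 ticket=-
2024-05-02T12:00:05Z actor=support.raj@vendor.example tenant=firm-a action=view_status record=- ticket=-
"""

# Constructed approval register: support ticket -> the one tenant it authorises.
APPROVED_TICKETS = {"SUP-4412": "firm-a"}

VENDOR_DOMAIN = "vendor.example"          # assumed domain of the vendor's own staff
DATA_ACTIONS = {"read_client", "export_client"}  # actions that touch client data

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")
REQUIRED_FIELDS = ("actor", "tenant", "action", "record", "ticket")


@dataclass
class AuditEvent:
    ts: str
    actor: str
    tenant: str
    action: str
    record: str
    ticket: str


def parse_line(line):
    """Parse one audit line; return None for anything that is not well formed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("kv").split():
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    if any(key not in fields for key in REQUIRED_FIELDS):
        return None
    return AuditEvent(m.group("ts"), *(fields[key] for key in REQUIRED_FIELDS))


def is_vendor_staff(actor):
    return actor.endswith("@" + VENDOR_DOMAIN)


def find_unapproved_access(log_text, approved):
    """Return (timestamp, actor, tenant, reason) for each vendor-staff data
    access that is not backed by a ticket approved for that tenant."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_vendor_staff(ev.actor) or ev.action not in DATA_ACTIONS:
            continue  # malformed, a customer's own user, or not a data access
        if ev.ticket == "-":
            findings.append((ev.ts, ev.actor, ev.tenant, "no ticket"))
        elif approved.get(ev.ticket) != ev.tenant:
            # A real ticket, but it authorises work on a different firm's data.
            findings.append((ev.ts, ev.actor, ev.tenant, "ticket not approved for tenant"))
    return findings


if __name__ == "__main__":
    for finding in find_unapproved_access(SAMPLE_AUDIT_LOG, APPROVED_TICKETS):
        print(*finding)
```

Run against the constructed log, the check passes the approved firm-a access and the adviser's own read, ignores a status-page view that touches no client data, and flags two events: the support engineer reusing a firm-a ticket to read firm-b's record, and a read with no ticket at all. Those are exactly the two answers worth asking a vendor for: is the trail recorded, and is someone reconciling it?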
Question 7 – How often does the vendor carry out security tests?
Security testing should be carried out as part of the development lifecycle. It is wise to ask how and when the vendor performs security testing, and what percentage of their staff is trained in or dedicated to software security. Also ask if a third party has performed regular penetration tests, and if so, whether you can get a copy of the latest results.
Question 8 – Has the vendor got plans for disaster recovery?
To trust a software provider with your data you should be reassured that data is safe in case of a disaster, such as a power loss or a hard drive failure. It’s imperative to know how often your data is backed up and where the backup is kept, and what guarantees there are to ensure a backup is always available (even in the case of a zombie apocalypse).
Question 9 – Are they able to provide certificates on applicable compliance standards?
Having the relevant compliance certificates is a good indication that formal policies and processes have been put in place. If the software provider is storing credit card information, they will need to be compliant with PCI DSS. ISO 27001 is another popular accreditation that shows the provider has taken security into consideration.
Take this checklist and tack it to your desk. Don’t be afraid to ask the big questions. This is your business, your clients and your livelihood. And with businesses so heavily based on technology, one crumbling brick can bring the whole house down.
You owe it to your clients, you owe it to yourselves and when it all boils down to it, tech providers owe it to you to answer these questions.
Julian Plummer, Managing Director, Midwinter Financial Services