by Michael Werneburg
The Investment Industry Association of Canada has issued new guidance on evaluating cyber security readiness in third parties. I had the honor of contributing to that process, and thought I'd explain that contribution in an unofficial capacity.
The approach I chose was to look at cyber security in the context of two things:
1. The impact of the relationship between the wealth management firm and its vendor(s).
2. The vendor's own capability.
Without understanding the nature of the data share, you're wasting your time evaluating a vendor's stance. It's vital to understand both the nature of the data being shared and the purpose of that sharing.
Understanding the extent of the data share allows you to understand the inherent risk. Understanding the purpose of the share allows you to set the minimum viable share.
The minimum viable data share should always be the target: nothing more should be shared, because of the inherent risk of the vendor compromising your data.
For example, if you share a client's name and birth date (the classic "tombstone" data set), you can expose your client to identity theft. It's important to evaluate the need to share the full name and birth date together. If the vendor is producing printed annual statements, you likely need the real name but might be able to do without the birth date. If the vendor is providing you with internal reporting, you likely don't need the full name. If they're performing a calculation on the birth date, such as evaluating investments against a "time horizon" like a retirement date, you likely don't need to share the actual birth date, only the derived value. By not needlessly sharing both name and birth date, you're protecting your clients' privacy. And by doing that, you're reducing your own potential liability even though you are still sharing data.
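The "minimum viable share" idea above can be made concrete in code. The following is an added example, not something from the IIAC guidance or the author's own work: it takes a constructed client record and emits only the fields a given purpose needs, replacing the firm's own client identifier with a keyed pseudonym and the birth date with a derived years-to-retirement figure. The purposes, field names, `VENDOR_PSEUDONYM_KEY` and the sample record are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ClientRecord:
    """Constructed sample of what the firm holds internally (hypothetical fields)."""
    client_id: str
    full_name: str
    birth_date: date
    retirement_age: int = 65


# Hypothetical per-vendor secret used to pseudonymise client identifiers.
# In a real deployment it would come from a secrets store, never source code.
VENDOR_PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"


def pseudonymous_id(client_id: str, key: bytes = VENDOR_PSEUDONYM_KEY) -> str:
    """Keyed hash of the firm's identifier.

    The vendor can still join rows belonging to the same client, but cannot
    recover the firm's internal identifier without the key.
    """
    digest = hmac.new(key, client_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def years_to_retirement(birth_date: date, retirement_age: int, today: date) -> int:
    """Derived time-horizon value that stands in for the raw birth date."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    age = today.year - birth_date.year - (0 if had_birthday else 1)
    return max(retirement_age - age, 0)


# Each purpose lists exactly the fields the vendor needs; everything else is withheld.
def minimal_share(record: ClientRecord, purpose: str, today: Optional[date] = None) -> dict:
    """Return the smallest data set that still serves the stated purpose."""
    today = today or date.today()
    ref = pseudonymous_id(record.client_id)
    if purpose == "printed_statements":
        # Statements go to a named person, so the real name is needed; the birth date is not.
        return {"client_ref": ref, "full_name": record.full_name}
    if purpose == "internal_reporting":
        # Aggregated reporting works on a pseudonym alone.
        return {"client_ref": ref}
    if purpose == "time_horizon":
        # The vendor needs the horizon, not the date it was computed from.
        horizon = years_to_retirement(record.birth_date, record.retirement_age, today)
        return {"client_ref": ref, "years_to_retirement": horizon}
    # Refusing unknown purposes keeps "nothing more should be shared" the default.
    raise ValueError(f"no approved data share defined for purpose {purpose!r}")


if __name__ == "__main__":
    # Constructed sample record; not a real client.
    sample = ClientRecord("C-0001", "Jane Example", date(1975, 6, 15))
    for p in ("printed_statements", "internal_reporting", "time_horizon"):
        print(p, minimal_share(sample, p, today=date(2024, 1, 10)))
```

The useful property is that the set of purposes is closed: a new vendor use case has to be added explicitly, which forces the conversation about what that vendor actually needs before any field is released.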
When I say "nothing more should be shared", I mean in light of the potential loss to the firm or its clientele. When dealing with extensive databases of personally identifying information, breaches can attract client class action lawsuits, regulatory fines, and lawsuits from attorneys general. They also incur forensics and remediation costs. While this sounds complex, there are calculators online that allow for a ballpark estimate of the cost of a breach. Even insurance carriers now offer these calculators.
Once you understand the magnitude of the problem (and I've seen the numbers climb into hundreds of millions of dollars), you have a very good idea of the context. A data breach can end a firm.
I was asked by the IIAC to provide twenty questions on evaluating a vendor's cyber capability. Instead, I started from the standpoint above, and provided some preliminary questions:
That larger vendor looks a lot more like an assessment of the vendor from a "business" standpoint. Here are some important considerations:
Armed with these answers, it is easier to understand the big picture.
I have provided some elaboration on each of my twenty questions, with an explanation of the question, guidance on interpreting the answers, and references. That can all be found here. Additionally, I have a deeper exploration of the subject of third party risk here.