The pandemic prompted a significant shift within the financial services space, yielding a decentralized workforce as professionals moved from the corner office to their home offices. What was believed to be a short-term solution has evolved into the new reality for many businesses. While the change may be welcome in many regards, it creates new vulnerabilities that RIAs have never encountered. Chief among them, a greater risk of cyberattacks. Globally, over 75% of institutions saw an increase in cyber attacks and crime since the pandemic began.
Cybersecurity needs to be a top priority for RIAs. Our team at GVA has been proactively designing a solution that will help advisors in the GVA network safeguard their practices and client data, and we are excited to share more on GVA SecureOffice, a new cybersecurity-focused platform powered through our partnership with Align Managed Services, a leading technology and advisory firm in the investment management industry.
Our Chief Operating Officer James Spinelli recently sat down with Align’s Chief Operating Officer, Vinod Paul, and Managing Director, Cybersecurity and General Counsel, John Araneo to discuss the latest trends in the cybersecurity space and what RIAs need to know to protect their businesses. Here’s what they had to say:
What is GVA SecureOffice and what benefits does it provide GVA advisors?
James: The GVA SecureOffice is a cybersecurity and operational platform designed for our advisors. It provides the proper cybersecurity infrastructure, rooted in the policies and procedures that our firm adheres to. It also provides managed IT services and the office applications and backend structure that they need to run their business. The platform is powered by our third party partners at Align Managed Services. Align is cutting edge in respect to cybersecurity best practices and regulatory policies, and GVA SecureOffice empowers our advisors to focus on their clients while having the peace of mind that their business is properly structured.
How does a single-point solution like GVA SecureOffice yield stronger cybersecurity measures?
James: We feel incredibly confident in the platform as we introduce it to our advisors. GVA has been using the GVA SecureOffice platform internally for over a year. We did this to best understand exactly how it works, its full potential and Align’s role. It will help yield stronger cybersecurity measures because advisors and access users will be on one secure platform with professional oversight on the cybersecurity policies and procedures we put in place for the different offices we are working with.
How will the components of GVA SecureOffice better protect GVA advisors from cyberthreats?
James: We have the best minds on this platform. There is protection from both the technology and knowledge standpoints of who our advisors will interact with at Align and GVA. Those are measures that we put in place to not only protect the advisors, but also their end clients and the personal information they hold.
Vinod: Maintaining a secure environment is a must-have from a compliance, reputational, operational, legal and due diligence standpoint. Cybersecurity is a multi-factor challenge that requires a number of layers of security. These layers are built into the technology platform we have designed for GVA SecureOffice. Aside from the technology piece, we have to ensure users know how to leverage the technology available to them.
James: Education is essential.We have quarterly compliance calls that include an educational component about cybersecurity. In our most recent session, John spoke to our advisors and employees on best practices, what to look for and more.
Vinod: The beauty of the platform is it’s evolving. We don’t just deploy dual-factor authentication and never look at it again. As the threat landscape changes, new technology becomes available that enables us to better protect our clients, and we pass on that industry-specific knowledge to the clients.
Cyber attacks have increased in recent years and have been a heightened concern as more businesses operate in a virtual environment. What do advisors need to know about the current environment for cyberthreats? How can they safeguard against cyber attacks?
John: The world has transitioned from the corner office to the home office, and the necessary protections have evolved. Technologies can accommodate protections at the end-point level. Advisors need to be mindful of this. We are no longer looking to protect just the server room. Instead we now need to safeguard the end-point, the laptop, mobile phone and other parts of a distributed network. Those who are working from home need to make prudent decisions about what has been authorized by the network. The shift to a decentralized workforce has really changed this.
What is new for advisors when it comes to cybersecurity? What changes have been made in 2021 to help better protect RIAs?
James: The applications advisors are using today have gone internet-based. They are no longer installing software on a computer and are logging into their trading platforms, performance reporting platforms, email, etc. Advisors’ work is cloud-based, and these changes open the door to vulnerabilities and have come with the need to enhance the overall platform and tools installed on computers to monitor usage and related activity on individual computers. Align has end-point services that monitor what is going on. It sends information to a centralized source that monitors if someone’s activity is unusual.
Vinod: We put a lot of emphasis on securing your identity. This is leveraged often with single sign-on, dual-factor authentication, a secure Microsoft ID and accessing SaaS-based applications, like portfolio management, banking, institutional services and more. With the decentralized workforce, we worry about the actual end-point, whether it’s in the office, a hotel room or the home, and we look at behavior and leverage artificial intelligence to identify malicious behavior.
John: Cybersecurity Risk Management contemplates balancing many fluid elements simultaneously, new attack vectors, new malware and new protective technologies. As these elements continue to evolve, one thing is constant; advisors simply cannot skimp on the underlying IT infrastructure as the foundation to a meaningful Cybersecurity program. GVA SecureOffice is providing a stronger underlying IT infrastructure advisors need to adequately protect themselves.
Are there any new elements advisors need to consider for a robust cybersecurity policy/plan?
John: In 2020, the SEC made a significant shift in the regulatory landscape by adding mobile security as a unique domain within a model cybersecurity program. As advisors continue to respond to the evolving landscape, the ability to collaborate cohesively and securely is important, and mobile security is a part of this. Mobile security has been a significant and inevitable addition, and is certainly a sign of the times.
We have also seen an increase in regulatory appetite for disaster recovery and business continuity controls. These have been heightened up the ladder on the regulatory landscape.
Why is it so important for advisors to prioritize cybersecurity in today’s environment and to do so using the right partner?
James: In general, everything that every business is doing translates back to some internet base, and they have some information stored in a network environment. Cybersecurity should be your primary concern. You don’t want to simply partner with someone because they are the least expensive or easiest to partner with. You want to partner with a firm who does this day in and day out, specializes in the space and is entirely dedicated to designing and implementing cybersecurity solutions for financial services firms. Consider this: your clients come to you for specific advice for investments. If they come to you with tax questions, you partner with a CPA who can help. The same perspective applies to cybersecurity; you want to use someone who specializes in the space.
Through GVA SecureOffice, we are partnering with Align, who we feel is best in the space, so our advisors can feel comfortable and confident in the platform.
Vinod: The two greatest assets of financial advisors are their labor and employee-base and their intellectual capital. There is a misconception among small advisors that they are “too small” for a hacker to pay attention to them. This is the wrong way to think about things.
Hackers are sophisticated and see it is easier to mine a small organization’s data. Firms like Bank of America, Wells Fargo and other large institutions have layers and layers of protections. Small financial advisors, especially those who are decentralized, may not have as many layers. GVA SecureOffice allows small individual firms to deploy enterprise-level security within their organization.
John: Advisors must address cybersecurity risk management in a meaningful way and too many vendors fail to right-size the appropriate cybersecurity controls for today’s investment managers. The SEC has declared cybersecurity as a top regulatory priority for the last nine consecutive years and ODD firms will not give any managers who lack the required controls a second bite at the allocation apple.
How are advisors missing the mark when it comes to their cybersecurity measures?
John: The biggest mistake advisors make is not taking cybersecurity seriously as a fundamental tenet of their business and failing to properly invest in underlying IT infrastructure. The industry has long tolerated inexpensive IT offerings that provide sub-par networking and IT solutions and we’ve disproved the IT vendors’ “race to the bottom” model in this industry. So the big miss is when the underlying IT structure is not taken seriously enough or isn’t invested in it properly.
Vinod: It is easy to go and try to run IT by yourself. Anyone can go into Microsoft Office 365 and start up an environment. The hard part is configuring it correctly and ensuring you can employ levels of underlying technology features.
Cybersecurity is not a project, but rather a process. You can take a methodical approach to Cybersecurity and employ a reasonable cadence in maturing your cybersecurity program over time.
For more insight on GVA SecureOffice, our partnership with Align Managed Services and the combined benefit for advisors, schedule a call with us.