If you do it well it can be a powerful value proposition for prospective clients or a quick review during an SEC audit. If you fail, it can mean negative news headlines and damaged reputations.
While there may be someone at your firm whose job it is to worry about cybersecurity, that doesn’t mean you are off the hook. Whether you are a portfolio manager, client services lead, or CMO, you should understand the basics.
To begin, it’s critical to understand that every part of your sales enablement and client reporting platform must be secure. It’s not just about how you get data from external sources and vendors. It is also about how you work with the data, how you share it with your clients, and how you store it. One lapse anywhere in that chain jeopardizes the entire process.
With that in mind, let’s dive into the specifics. I am going to use your sales enablement and client reporting platform as the example, but these practices apply to most software vendor relationships you have.
#1: Security Attestation Matters
Does your sales enablement and client reporting vendor have a current SOC 2 report? SOC 2 is not a certificate but an attestation: an independent CPA firm examines the vendor’s controls against the AICPA Trust Services Criteria (security, plus optionally availability, processing integrity, confidentiality and privacy) and issues a report on what it found. A Type I report describes the controls at a point in time; a Type II report tests that they actually operated over a period (typically six to twelve months), and Type II is the one to ask for. It is the baseline expectation for any company storing client data in the cloud.
What to look for: Don’t be fooled by a vendor claiming that because their cloud provider is secure there is nothing to worry about. The cloud platform (Microsoft Azure, Amazon Web Services, etc.) has its own SOC 2 report, but that report covers the provider’s data centers and services, not what your vendor builds and operates on top of them. You need both: the cloud provider’s report AND the vendor’s own. Ask for the vendor’s Type II report under NDA and read the scope, the period covered, any exceptions the auditor noted, and whether the cloud provider is listed as a carved-out subservice organization (in which case read that provider’s report as well).
#2: Code of Ethics & Training
Your provider should have a strict code of ethics and conduct governing who has access to your data and what they may do with it. Access should be granted only to staff who need it for their role and should be logged. Employees should also be trained regularly in cybersecurity best practices, including how to recognize phishing and how to handle client data.
What to look for: Your provider’s employees and contractors should sign confidentiality agreements or other legal agreements that protect your data, and the provider should be able to tell you who currently has access to it.
#3: Data Leakage
Your provider should protect against information theft and leakage across their entire IT estate, not just the servers. Client data ends up on employee laptops, in email, and on phones, and those are usually the weakest points.
What to look for: Do they run data loss prevention (DLP) controls and full-disk encryption on laptops, block or encrypt removable media such as USB sticks, and manage mobile devices so that a lost or stolen device can be wiped and does not expose your data?
#4: Encryption and Multi-Factor Authentication
Your sales enablement and client communication platform should come with multiple layers of data encryption and multi-factor authentication (MFA) for every login, not just administrator accounts.
What to look for: All data that the platform stores for you should be encrypted at rest, and it should move only over encrypted connections (TLS). Any credentials the platform holds in order to reach your data sources should be kept encrypted in a secrets store, never in plaintext configuration files. Personally Identifiable Information (PII) should additionally be encrypted at the field level under its own key, held and controlled separately from the key that protects the database or disk, so that someone who can read the database or a backup still cannot read client names, account numbers or tax IDs. Note that encrypting the same data twice under the same key adds nothing; the value of the second layer comes from the separate key and the separate access control around it.
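To make the two-layer idea concrete, here is an added Go example (not code from the article or from any vendor’s product) that stores a client record under a storage key and, inside it, the PII fields under a separate PII key. The keys are generated in-process purely for the demo; in a real platform they would come from a KMS or HSM with different access policies. The field names, record layout and the use of record id plus field name as GCM associated data are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Two independent AES-256-GCM keys, generated at start-up for this demo. In a
// real platform they would come from a KMS/HSM under separate access policies,
// so whoever can read the database cannot also unwrap the PII (assumption).
var storageAEAD, piiAEAD = mustAEAD(), mustAEAD() // layer 1: whole rows; layer 2: PII fields

func mustAEAD() cipher.AEAD {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce || ciphertext || tag. The aad (record id, field name) ties
// the ciphertext to its slot so it cannot be swapped into another record/field.
func seal(gcm cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// StoredRow is what sits in the database: PII values are already ciphertext.
type StoredRow struct {
	ID        string            `json:"id"`
	Portfolio string            `json:"portfolio"`
	PII       map[string][]byte `json:"pii"`
}

// StoreClient applies both layers and returns the blob to write to the database.
func StoreClient(id, portfolio string, pii map[string]string) ([]byte, error) {
	row := StoredRow{ID: id, Portfolio: portfolio, PII: map[string][]byte{}}
	for field, value := range pii {
		ct, err := seal(piiAEAD, []byte(value), []byte(id+":"+field))
		if err != nil {
			return nil, err
		}
		row.PII[field] = ct
	}
	js, err := json.Marshal(row)
	if err != nil {
		return nil, err
	}
	return seal(storageAEAD, js, []byte(id))
}

// LoadRow strips only the storage layer: all that a DBA, backup operator or
// stolen disk key can recover. The PII fields stay ciphertext.
func LoadRow(blob []byte, id string) (row StoredRow, err error) {
	js, err := open(storageAEAD, blob, []byte(id))
	if err != nil {
		return row, err
	}
	return row, json.Unmarshal(js, &row)
}

// LoadPII strips both layers; it needs the PII key as well.
func LoadPII(blob []byte, id string) (map[string]string, error) {
	row, err := LoadRow(blob, id)
	if err != nil {
		return nil, err
	}
	pii := map[string]string{}
	for field, ct := range row.PII {
		pt, err := open(piiAEAD, ct, []byte(id+":"+field))
		if err != nil {
			return nil, err
		}
		pii[field] = string(pt)
	}
	return pii, nil
}

func main() {
	// Constructed sample record, not real client data; errors ignored for brevity.
	blob, _ := StoreClient("c-1001", "Growth", map[string]string{"name": "Jane Doe", "tax_id": "123-45-6789"})
	row, _ := LoadRow(blob, "c-1001")
	pii, _ := LoadPII(blob, "c-1001")
	fmt.Printf("storage key only: portfolio=%q name=%x\nboth keys: %v\n", row.Portfolio, row.PII["name"], pii)
}
```

Run it and the first line shows what a party with only the storage key sees: the portfolio name in the clear and the client name as opaque bytes. Two details matter in practice. The associated data binds each ciphertext to its record and field, so a tampering DBA cannot move one client’s encrypted tax ID into another client’s row. And because GCM uses a random 96-bit nonce per encryption, each key should be rotated well before roughly 2^32 encryptions, which is another reason to keep the PII key in a KMS that can rotate it.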
#5: Data Permissions
You should understand how your data is being used by your provider. Are they permitted to use it only to operate the service for you, or also to test their system, gather performance data, or share it with third parties?
What to look for: Make sure your provider gives you a written, detailed description of how they will and will not use the data flowing through their platform. Use should be limited to the tasks necessary to run the platform for your benefit, and any data they use for testing or benchmarking should be anonymized or synthetic rather than your live client data.