Cybersecurity and data breaches are hitting American businesses, including RIAs, more frequently than ever. A 2022 report from Gartner reveals that 88 percent of executives now consider cybersecurity to be a direct threat to their business operations.

If your RIA were to experience a security breach, what would your clients do? Most likely, they would lose confidence in your ability to keep their money and their information safe. They would leave you for another financial advisor. The biggest concern is not fines; it is losing clients and ultimately going out of business. Roughly 60 percent of small and mid-sized businesses that suffer a security breach never recover or close within six months. That figure is likely higher for RIAs, whose entire business rests on client trust.

If you’ve spent some sleepless nights worrying about what would happen if you lost clients, you’re probably not alone.

For the roughly 32,000 RIA firms in the United States, IT risk runs high, especially for RIAs with five to 25 employees. Unlike very large RIA firms that may have experienced teams managing their IT, small and midsized firms often are not aware of the resources available to them, or cannot access them. As a result, their IT is usually less secure.

Is your RIA maximizing all the enterprise security tools available? If you’re unsure, it’s likely time to do a gut-check on your IT. Let’s begin.

Start With Your IT Provider
A trusted IT service provider is critical for RIA firms, especially those with 5, 10 or 15 employees. Unlike other businesses of the same size, RIAs manage hundreds of millions of client dollars. Does your IT provider have a successful track record of working with financial advisors and RIA firms? All too often, IT providers treat small RIAs as they would any other small business: they set them up with basic, off-the-shelf Microsoft 365 plans, left at their default settings, and that level of security just isn't good enough for an RIA or any financial services firm.

Unlike the business next door, you're managing millions of client dollars. An RIA with a given headcount is a very different risk than another company with the same number of employees.

I see this as a 1 to 4 ratio. If you're an RIA with 10 people, you're equivalent to a professional services business with 40 people. Maximizing your security, meeting SEC requirements and reducing IT risk are far more important. IT providers without a good understanding of the needs of an RIA often don't grasp this, so they don't know how to effectively protect RIAs.

Maximize Your Enterprise Security
In more than 15 years of running a cloud and managed IT services company, I've seen roughly 80 percent of RIAs using the Microsoft platform through an Office 365 or Microsoft 365 subscription. This encompasses Microsoft Teams, email and calendar sharing, as well as Office applications like Word, Excel and PowerPoint. That's all good, but beware.

Microsoft 365 can be configured to meet SEC recordkeeping requirements and is well suited to RIAs, but it is not secure or compliant out of the box: the security and compliance features have to be licensed at the right tier and then deliberately turned on. That is where some common mistakes occur. Let's take a look.

1. Using OneDrive instead of SharePoint for file storage and sharing. OneDrive is personal storage: every library belongs to one user's account, documents in it are shared ad hoc, link by link, and when that user leaves, the library is scheduled for deletion after a retention period. That is fine for many consumers and very small businesses, but not for a firm managing client money. SharePoint is the preferred solution because the firm, not the individual, owns the site; permissions are set per site, library or folder; and retention, data loss prevention and sensitivity labels apply centrally. A SharePoint library can still be synced to each person's desktop, so it looks and functions like OneDrive, but with fewer risks.

2. Paying for third-party apps for features already included in the Microsoft 365 subscription. This is the case for email encryption, email archiving, data loss prevention, and instant message (Teams) archiving. The common excuse I hear is that Microsoft archiving is not SEC compliant, and that's simply not true: Microsoft 365 retention policies can be scoped to Exchange and Teams and locked (Preservation Lock) so that nobody, including an administrator, can shorten or remove them. Ask your provider to show you the retention policy, the locations it covers, and whether it is locked. The vast majority of RIAs and IT providers don't know this; part of what I do is educate these RIAs.


3. Not leveraging Single Sign-On (SSO). RIAs typically use a plethora of web-based applications. If you are using an SSO solution, most likely you are paying for a third-party tool on top of the one already included in your Microsoft subscription (Azure Active Directory, now Microsoft Entra ID). If you are not using SSO, you're dealing with a lot of pain managing all the logins, passwords and access rights for those applications across your employees. You might even keep them in a spreadsheet for each employee. Microsoft's SSO gives you much better productivity and security. Imagine hiring a new employee who has secure access to all of their web-based applications on day one without having to remember a separate user name and password for each. Even more important is when you let an employee go. Disable their Microsoft account and they can no longer sign in to their computer, work email, or any web-based application connected through SSO. Two caveats: any application still using its own local password is untouched, so keep a list of what is not yet behind SSO and treat that list as your to-do list; and sessions that are already signed in keep working until their tokens expire, so revoke the user's sessions in the admin portal at the same time you disable the account. Throw out that spreadsheet and start using Microsoft's SSO!

All three of these situations come down to an inexperienced IT provider failing to use the security tools a firm is already paying for.

Data Loss Prevention—It’s No Longer Just For The Big Guys
Like everyone, you're using anti-virus and firewall protection. That's great. What about data loss prevention? DLP inspects content for sensitive data as it moves, in email, in files and in chat, and warns, blocks or encrypts according to policy. This is another enterprise-class security solution that every RIA must have.

Fifteen years ago, data loss prevention solutions easily cost over $100,000 for purchasing, licensing, and implementation. Only the largest RIAs could afford it. Today, even a firm with five employees can access the same capability because it is built into the higher Microsoft 365 plans (Business Premium and the E3/E5 enterprise plans) as Microsoft Purview DLP.

I’ll share two examples for why data loss prevention is such an important feature.

Working with an RIA or any financial management firm, an IT provider should know how to define "categories" of sensitive data (Microsoft calls them sensitive information types; built-in ones cover Social Security numbers and credit card numbers, and a custom one can describe your custodian's account-number format). A DLP policy can then stop those categories from leaving through email. If it is set up correctly, anyone trying to put an account number into an email to an outside address receives a policy tip warning that the message cannot be sent. Another option is to automatically encrypt the email when sensitive data is detected, rather than block it. Two practical checks: the detection should look for supporting evidence (a nearby keyword such as "account" or "SSN") and not just a digit pattern, or every date and invoice number will trigger it; and the policy should be run in test mode, with tips shown but nothing blocked, for a few weeks before enforcement is turned on.
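To make the detection-and-action logic concrete, here is an added example that is not part of the original article and is not Microsoft's code: a small Python classifier that mirrors what an outbound-email DLP rule does. It detects Social Security numbers (validating them against the Social Security Administration's structural rules to avoid false positives), detects account numbers only when an "account"/"acct" keyword appears nearby (supporting evidence, as in Purview's sensitive information types), and then decides to allow, encrypt, or block based on whether any recipient is outside the firm. The firm domain, the eight-digit account-number format, and the sample messages are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    ENCRYPT = "encrypt"   # send, but force message encryption
    BLOCK = "block"       # refuse to send and show the user a policy tip


# Assumption for the example: the firm's own email domain.
INTERNAL_DOMAIN = "example-ria.com"

# SSN pattern: three groups separated by hyphens; validity checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Assumption for the example: custodian account numbers are 8 digits.
# Supporting evidence: an "account"/"acct" keyword within 30 non-digit chars before the number,
# so a bare 8-digit date such as 20240115 does not trigger the rule.
ACCT_RE = re.compile(r"\b(?:account|acct)\b[^\d]{0,30}(\d{8})\b", re.IGNORECASE)


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area is not 000, 666 or 900-999; group is not 00; serial is not 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every sensitive item found in the message body."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in ACCT_RE.finditer(text):
        hits.append(("account", m.group(1)))
    return hits


@dataclass
class Verdict:
    action: Action
    # Reasons are masked (last four digits only) so the DLP log itself does not leak the data.
    reasons: list[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    return not address.strip().lower().endswith("@" + INTERNAL_DOMAIN)


def evaluate(body: str, recipients: list[str]) -> Verdict:
    """Policy: sensitive data to internal addresses is allowed; account numbers to external
    addresses force encryption; an SSN to an external address is blocked outright."""
    hits = find_sensitive(body)
    if not hits or not any(is_external(r) for r in recipients):
        return Verdict(Action.ALLOW)
    reasons = [f"{kind} ending {value[-4:]}" for kind, value in hits]
    if any(kind == "ssn" for kind, _ in hits):
        return Verdict(Action.BLOCK, reasons)
    return Verdict(Action.ENCRYPT, reasons)


if __name__ == "__main__":
    # Constructed sample messages, not real client data.
    samples = [
        ("Please review account number 12345678 before Friday.", ["client@gmail.com"]),
        ("Client SSN 123-45-6789 is attached for the rollover.", ["custodian@example.net"]),
        ("Client SSN 123-45-6789 is attached for the rollover.", ["ops@example-ria.com"]),
        ("Test SSN 000-12-3456 and order 20240115 shipped.", ["vendor@example.org"]),
    ]
    for body, to in samples:
        v = evaluate(body, to)
        print(f"{v.action.value:8} -> {to}  {v.reasons}")
```

The last sample shows why validation and supporting evidence matter: 000-12-3456 has an invalid area number and 20240115 has no account keyword near it, so neither trips the rule and the message is allowed.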

Data loss prevention also extends to files: endpoint DLP can prevent certain types of files and data from being copied, downloaded, emailed or printed, and sensitivity labels applied to those files can restrict who is able to open them. For example, if you're not involved in Human Resources, you cannot open the personnel files for employees even if a link reaches you.

Check with your IT provider to confirm which data loss prevention policies have been set up within your RIA, which locations (email, SharePoint, OneDrive, Teams, endpoints) they cover, and whether they are enforcing or still in test mode. Chances are, if you're not using them, they are already available in your Microsoft 365 subscription.

All You Need Is Five Minutes
Now I’m going to give you something tangible.

If you’re wondering about your firm’s IT situation, then take the 5-Minute IT Risk Scorecard. My team developed this test based on years of observing four common IT areas challenging RIAs today: Email, security, applications and data, and infrastructure. You can find it here.

You don’t need to be an IT expert to take the test, nor do you have to pay an arm and a leg for it. It’s FREE and only takes 5 minutes. Once completed, you’ll quickly receive a custom score revealing how your RIA firm is doing, where your weaknesses are, and what needs to change or improve.

Take your scorecard to an IT provider who knows how to implement these improvements. Then come back after six or eight months and take the test again. See what’s improved. You’ll get validation that your RIA is more secure, and I guarantee you’ll sleep better at night.

David Kakish is CEO of RIA WorkSpace, a provider of Cloud and managed IT services for RIA firms most often with five to 25 employees. As an author, entrepreneur and IT expert, Kakish is committed to helping RIAs navigate their way through the world of ever-changing technology and complex IT environments. For more information, visit RIAWorkspace.com or connect with David at [email protected].