Protecting data held on third-party services

Security breaches are happening at an increasing rate around the globe, some affecting billions of people, but the recent PageUp hack is a lot closer to Aussies, because many major Australian organisations use it as their HR platform.

The human resources software provider PageUp, which provides services to the likes of Zurich and the Reserve Bank of Australia, recently flagged that it had detected "unauthorized activity" on its system.

Software-as-a-service (SaaS) products are great because they greatly reduce the cost of maintenance, including infrastructure, product updates, and security.

Additionally, in the case of SaaS, the software service provider is responsible for the security of clients' data. The benefit of software security providers is that they have access to greater security resources (often world-class), and the cost is that you don't have much of a say in how those resources are deployed.

What then, are your responsibilities, as a financial planner, to ensure that your data in the cloud at the SaaS is safe? Well, as anyone in security will tell you: there is no 100 per cent safety.

What one can do is manage risk and bring it down to an acceptable level. In other words, you need to do your due diligence to protect your customers' data.

As a buyer, when selecting a SaaS provider, you should ask these questions:

• Does the SaaS provider comply with information security standards such as ISO27001?

• Does the SaaS provider have an information security policy?

• Does the SaaS provider carry out regular security assessments?

• What security protection mechanism is installed, such as firewalls, anti-virus, intrusion detection system?

• Where is the data stored?

The cloud provider (and this includes financial planning applications) should be able to answer these without hesitation.

These questions can get technical very quickly. If in doubt, you should engage a security expert to help make the decision. If possible, you should consider carrying out your own technical security assessment against the SaaS provider.

Many cloud providers are open to this, but some are still reluctant, in which case you should ask to see the full security assessment (a.k.a. penetration test) report from an independent service provider. Midwinter, as an example is very open to potential customers in asking security-minded questions as part of their due diligence - it's expected.

Now, what if you are a small business? A user of a cloud storage provider is a bit like being a bullet train passenger, while keeping all your data in-house is like driving your own car - you're in the driver's seat, you are in control, but you must now take full responsibility of your risks.

When you take a bullet train, you are saving cost (compared to driving the car all the way), you are gaining performance (getting there faster), but you are putting someone in control of your life.

In this case, you are not in the bullet train driver's seat, and you don't really have a say in how the bullet train company runs their trains, even if you know what questions to ask. This is the same when you sign up to something like Office 365 or Google Suite.

These are instances where you should look for contractual protection and what compensations are there for you in case their security is compromised.

You could also look out for past history of security incidents - albeit this is often moot because in information security, the past is not a good indication of the future. You could take into consideration their security posture.

To give an example, you know a company takes security seriously when it has its own team of ethical hackers and is open to bug bounty programs (a bug bounty program is where everyone is invited to hack their products).

If you looked even closer, you will also see these companies typically respond to security vulnerability reports quickly and responsibly.

Last, but not least, prepare a communications plan with your customers should an incident like this happens.

Be prepared to be open and frank about what happened, what you are currently doing, and keeping the customers up to date.  Contact the SaaS provider and ask for details of the incident. Consult with your information security expert on how to handle the issue, and how the customers should be best informed to protect their data.

Individual financial planners are not in a position to be influential enough to get many SaaS providers to be responding to security questions - but their licensee should be. Licensees should be reviewing cloud-based software on behalf on their advisers.

Additionally, it is the licensee that is on the hook for much of this.

According to ASIC's RG 109.30, the licensee must ensure they have "enough technological resources to enable you to: (a) comply with all of your obligations under the law; (b) maintain client records and data integrity; (c) protect confidential and other information; and (d) meet your current and anticipated future operational needs."

So any licensee whose planners used PageUp should be re-reading that particular paragraph with interest. Luckily, I can't see much client data being caught up in this breach, so it is a good early warning indicator of what it to come.

What I think will happen is that licensee and practices will end up having an approved list of applications that have passed security tests, much like products on APLs must pass research tests.

We are just starting to see this happen - and this is even more important with the rise of the API and practices wanting to "build their own stack" of applications.

It's also worth considering the damage done to all advisers in this royal commission.

Sure, you may have a completely compliant business, but the royal commission will impact you. When I first saw the news of this breach, the attached graphic to the headline was a picture of the RBA building.

My first though was that the RBA had been hacked - and that assumption would have continued had I not read further… so now, in some minds, RBA's brand has been tarnished.

So the message is, you trade on trust so make sure you treat your clients' data with the care it deserves. Additionally, licensees must start doing due diligence on the applications that their planners use. If there is one thing worth protecting in our industry - it's data.

Julian Plummer is the managing director of financial services software firm Midwinter and its cyber security subsidiary Kamino.