Author Archives: Kylee Beach

Kylee Beach is General Counsel of Orion Advisor Services, LLC.
No More Phishing Around: Why Vendor Risk Management is Critical to Keeping Your Firm Protected

Data breaches are becoming more common and, unfortunately, they’re not isolated to only certain industries.

In 2018, billions of consumer records were exposed in data breaches. One of the largest breaches revealed last year, an attack on Marriott’s Starwood guest reservation database, compromised the personal information of up to 500 million guests, and the intruders had been inside the system for a number of years before they were detected.

The pursuit of personally identifiable information (“PII”) by criminals is increasing. Year over year, more people are affected by data and privacy breaches. In 2017, for example, almost 20% of breaches included credit and debit card information (up almost 6% from 2016); the actual number of records exposed in those breaches increased by 88% over the amount reported in 2016.

Financial advisors typically store client information, including PII, within a CRM and portfolio accounting system, in addition to other technology like financial planning or account aggregation tools. Accordingly, having an established vendor risk management program is critical to ensuring that your firm’s data (and the PII of your clients) is protected.

In this article, we’ll identify what you should look for when evaluating potential vendors (particularly those with access to your clients’ PII) so you can be confident that the vendors you use are doing their part to protect your data and mitigate the risk of a cybersecurity incident.

Creating a Vendor Management Policy

An effective vendor risk management program begins with making vendor management a priority for your firm by adopting an actual policy regarding your firm’s initial and ongoing vendor risk assessment. Formalizing your vendor risk management policy will help ensure that everyone in your organization understands the expectation of a completed assessment before a vendor is engaged, and create accountability for complying with your policy.

Your vendor risk management policy should provide you with the means to:

  •      Identify, categorize and rank your vendors.
  •      Determine the level of due diligence required on each vendor and how to perform it.
  •      Document your actions in carrying out your policy.
  •      Report your findings.

While all firms should recognize the importance of vendor management, many firms simply fall short in effectively creating and implementing such a program – often, they just don’t know who or what to ask.

Start by creating a list of any vendors that have access to sensitive data and/or PII, as well as those who have access to your network or physical environment; within this list, rank the vendors in terms of (1) the type and level of access they have; and (2) which vendor’s services are essential to your business.

Remember that this list should be broad. After all, Target’s highly publicized breach began when attackers used network credentials stolen from the retailer’s HVAC vendor, a supplier with no role in handling payment data at all.

This list will not only give you a starting point to determine the current vendors you need to review (if you haven’t already), but also help you identify the types of new vendors that will need to be reviewed going forward.

Vendor Cybersecurity Governance

As an initial step in vetting each in-scope vendor, firms should confirm that the vendor maintains a consistent and comprehensive cybersecurity governance program whose controls are at least as strict as those the firm applies to itself.

A vendor’s cybersecurity governance program should address the following items:

  •      Inventories of devices and systems
  •      Maps of network resources, connections, and data flows
  •      Identification of how resources are prioritized
  •      Logging capabilities and practices
  •      Written information security policy
  •      Periodic risk assessments
  •      Designating a Chief Information Security Officer or equivalent
  •      Proper insurance coverage

You should be able to obtain a copy of a vendor’s cybersecurity governance program and/or security policies simply by asking for them. If a vendor does not have documented policies available to share, your firm should seriously consider whether that vendor has the ability to protect its information and that of its clients.

Access to Data and Appropriate Security Controls

A firm’s analysis of a vendor should begin by focusing on the specific access that particular vendor will have to client data and/or PII, as this should determine the depth and type of review that you perform prior to engaging that vendor. For example, if the vendor will be hosting sensitive data on their system, you’re going to want to confirm:

  • That the vendor can provide evidence of the cybersecurity practices and controls it uses to protect the networks and information your firm relies on, including the written policies and procedures that document them.
  • That the vendor encrypts data at rest and in transit, and can explain how the encryption keys are managed and who has access to them.
  • That the vendor undergoes periodic audits of their cybersecurity policies to confirm the adequacy of and compliance with those policies.

In addition to the considerations above, below are further controls that you will want to look for when evaluating the strength of a vendor’s cybersecurity program in the event the vendor offers remote access to its systems and/or is responsible for processing funds transfers:

  •      The vendor has established procedures to authenticate users before granting access (for remote access, this should include multi-factor authentication).
  •      The vendor has security measures to protect customer PINs.
  •      The vendor has procedures to verify the authenticity of email requests to transfer customer funds.
  •      The vendor maintains a policy that addresses how they will respond in the event of an attack or intrusion.
  •      The vendor maintains a list of third parties that manage their services or require network access (for your software vendors, this may be a list of the other vendors/sub-contractors with whom they integrate).

Keep in mind that these lists are not comprehensive and only address certain types of vendor relationships, but they do provide a solid foundation to begin your review of the adequacy of a vendor’s cybersecurity program.

The importance of the role vendors play in maintaining your own comprehensive cybersecurity risk management program cannot be overstated or ignored. If your vendors have the right controls in place, they can be a valuable complement to your own cybersecurity program; however, they can also be detrimental to the security of your firm’s data, and that of your clients, if they aren’t taking the appropriate steps to safeguard your data and maintain a solid cybersecurity governance program.

Ensuring that your vendors keep your data safe is only one aspect of a comprehensive compliance program. At Orion, our Compliance app can help you streamline many aspects of your compliance operations. Click here to attend an upcoming webinar to learn more.



You Can Now Add “Award-Winning” to the Orion Compliance App

We are excited to announce that Orion has been named the best “Compliance” solution at the 6th Family Wealth Report Awards 2019, held in New York on March 19.

Created to showcase ‘best of breed’ providers in the global private banking, wealth management and trusted advisor communities, the Family Wealth Report Awards were designed to recognize companies, teams, and individuals which the prestigious panel of judges deemed to have “demonstrated innovation and excellence during 2018.”

And now, that list of innovative and excellent companies includes Orion.

The judges recognized the Orion Compliance app as having the ability to support “efficiency and speed” for the everyday needs of an advisory firm’s chief compliance officer, and also commented on the “comprehensive partner integration features”—including an integration to help screen clients against anti-money laundering lists.

View all the Family Wealth Report winners here.

A Turnkey Compliance Solution for All Advisors

If you aren’t yet familiar with Orion’s Compliance solutions, allow us to fill you in.

Orion’s compliance solution addresses common compliance challenges with features like:

  • A testing and exception reporting system that enables firms to perform continuous testing of policies and procedures in accordance with their requirements.
  • Ability to track regulatory production, conduct a mock audit, and verify compliance with necessary requirements in one location.
  • Automated employee trade activity monitoring to address personal securities trading obligations and complete front running reviews*.
  • Enhanced assistance for regulatory reporting with comprehensive dashboards for Forms ADV and 13F.

But beyond the software capabilities you can find in the Compliance app, Orion also provides advisors with an expert compliance team for additional support.

Expert Help from Compliance Experts

That’s right—while some outsourced compliance software solutions only provide you tools to track your information, Orion also provides a complete Subject Matter Expert team for additional assistance.

You can now contact the Orion Compliance Team if you have questions about:

  • Setting up a database for SEC ADV filing
  • Running a 13F Report
  • Finding households by state
  • And much more!

Our Compliance Manager and Subject Matter Experts are ready to help when you need it.

Maintain an Effective Compliance Program with Ease

Through the tools available in Orion’s award-winning Compliance app, maintaining an effective and robust compliance program in your advisory firm can be simple.

Even amidst a complex regulatory environment where the expectations are always shifting, you can have confidence when you have the right technology supporting you.

For more information about how Orion supports your compliance needs, click here to download our new ebook for chief compliance officers on navigating the compliance landscape.

*available for an additional expense



What the Recent SEC Action Means for Your Business

In light of a recent litigation release concerning the Securities and Exchange Commission’s (SEC) actions against a well-known broker-dealer for failing to report suspicious activities, many independent advisors may be left wondering what the federal regulator’s action means for their businesses.

Here’s What Happened

Last month, the SEC charged and subsequently fined a major custodian for failing to file Suspicious Activity Reports (SARs) relating to the termination of several independent investment advisors from its custodial platform. The advisors were terminated after they were found to have violated internal policies and to have created risk for the custodian and its customers. Notably, the SEC indicated that the custodian should have done more, including filing SARs regarding the advisors’ behavior, and that the failure to do so constituted a violation of the securities laws and the Bank Secrecy Act (BSA) by the custodian.

The advisors’ offenses consisted of a range of transactions not involving the outright misappropriation or misuse of client funds, including possible undisclosed self-dealing or conflicts of interest, charging client accounts excessive fees, potentially fraudulent transactions in client accounts, posing as the client to effect or confirm transactions in the client account, and executing client trades and/or collecting advisory fees without being properly registered as an advisor.

At the heart of the matter, according to the SEC complaint, is that the custodian lacked clear policies and procedures necessary to identify and report suspicious activities under the SAR rule with respect to activities of these independent third-party advisors.

Why Advisors Need to Take Notice

While the SEC’s action is a warning sign for broker-dealers and custodians to better watch their platforms, investment advisors are wise to pay attention too. This complaint is a strong signal that a custodian is being held responsible for the failures of the RIAs on its platform, effectively putting custodians “on notice” for the conduct of their advisors.

RIAs, particularly smaller ones, may now find large custodians less willing to provide custodial and execution services if the RIA can’t demonstrate robust compliance programs to protect against the failures identified by the SEC action.

If the latest SEC action is an indication of things to come, here are a few things advisors will need to add to their to-do list:

Identify & Report Transactions Involving Possible Undisclosed Self-Dealing or Conflicts Of Interest

While most RIAs probably have policies to avoid self-dealing and conflicts of interest, it may be that custodians are actually going to want to know and maybe even see evidence of how RIAs are policing this.

Orion Tech Tip: Our Supervise tool in Compass is immensely valuable for testing a firm’s policies and procedures and identifying conflicts or other activities that may signal a violation of the firm’s policy. For example, auditing trading and billing activities not only helps a compliance officer know when activities have gone outside the firm’s procedures; the evidence of this ongoing monitoring, which is also available in Supervise, may prove essential to doing business with a large custodian.

Give Extra Attention to Billing on Client Accounts

RIAs can look for ways to streamline and even automatically schedule and review their billing activities to ensure that clients are being billed appropriately and that excessive fees aren’t being charged up front.

Orion Tech Tip: Additionally, our Advisory Fee Benchmark tool in Trends is a good way to identify possible outliers at a glance, or to spot a suspicious billing trend for certain reps.

Flag Potentially Fraudulent Transactions

Even if the ultimate responsibility lies with the custodian as a broker-dealer, custodians are going to want to confirm that the RIA they’re working with has anti-money laundering (AML) policies and procedures in place.

Orion Tech Tip: For this, our Verify tool in Compass that utilizes LexisNexis data is extremely helpful to identify clients that may be likely to engage in fraudulent behavior.

Leverage Technology to Avoid These Pitfalls

Look for ways to streamline your efforts around all these activities by deploying the help of an advisor tech platform that supports your billing, reporting and compliance activities.

Orion Tech Tip: At Orion, we’re continually developing solutions to help our customers stay ahead of the regulatory curve. While a complex topic like compliance rarely has a simple answer, Orion technology solutions can help you address the issues identified in the SEC action.

Want Even More Compliance Support?

As complex and ever-changing as the regulatory environment can be, you don’t have to figure it out alone. Contact Orion Advisor to schedule a demo of our platform and see how we can enhance your compliance program.