Have you undertaken enough due diligence when considering the security of your planning software provider?
Managing Director of Midwinter, Julian Plummer explains –
Following on from my conversation last week with Julie May, a journalist at the Financial Observer: there has been a dramatic shift over the last decade in the way advisers and licensees store client data. Advisers and licensees have moved away from a desktop model (where they were in direct control of their data) to either a hosted model (where the adviser or licensee hosts their own planning software online) or a cloud-based model (the model now used by Midwinter).
When selecting financial planning software, advisers usually carry out a certain level of due diligence. It typically takes an adviser or practice around three to six weeks to evaluate and settle on their preferred financial planning software provider. In that time they test the advice, CRM, workflow and point-of-sale capabilities of the system. Advisers also take into account how long the software takes to produce advice, its ease of use, how much training their staff will require, and how well the software complements their business.
Larger licensees tend to take their time when evaluating software, often needing between six and nine months to analyse and determine their preferred solution.
There is a big difference in the approach between the two. Larger licensees will usually spend more time examining the underlying technology and how secure the planning software is. More often than not, security is actually the starting point of their planning software evaluation – not functionality. Larger licensees insist that planning software vendors meet quite rigorous security standards and it can take a substantial amount of time for them to ensure that the system fulfills their security requirements before moving to the next stage – a planning software feature “beauty parade”.
I understand that individual advisers may not have access to the resources that the larger licensees have when spending time evaluating software security. This shouldn’t stop them from asking the hard questions. In fact, this is something we at Midwinter advocate for quite strongly.
Advisers do tend to look at functionality first, and this is understandable. It is important that the functionality is the right fit for their business. Less time, though, is spent by advisers examining the security aspects of the planning system, and even less time is spent researching who it is they are partnering their business with.
Choosing a planning software provider means choosing a business partner.
It is the software provider who stores all advice documents and client information, provides the practice management workflows and designs the advice engines that the planner uses to generate strategies.
Because an advice business is largely dependent on its planning software provider, it is more than just functionality that advisers should be evaluating when choosing planning software. Selecting planning software providers should be undertaken as carefully as selecting a business partner, because as I’ve explained – they ARE a business partner.
It is important for advisers to spend time understanding the business of each prospective planning software provider. They need to ask themselves –
- Do the owners of the planning software company have reputable backgrounds?
- Have ASIC checks been performed on the Directors of the firm?
- Are you aware of the Directors’ previous work history?
- Does the planning software company require all employees to have had background checks?
Remember these are the people who store and manage all your client data.
Apart from the usual questions like “Where is my data stored?” (which advisers have been very judicious about since the change to the National Privacy Principles in March of last year), advisers should challenge their planning software providers (much like the larger licensees have no problem doing) by asking questions such as:
- Have they defined and implemented a formal ISMS (Information Security Management System) policy?
- How often do they perform an information security audit and management review to ensure compliance with the Information Security Management System?
- How often do they undergo penetration tests by a third party?
- What were the results of their last penetration test and are they willing to share the results with you?
- How does the organisation store user names and passwords to the client database that contains your entire livelihood?
- Are all their coders / developers / testers located in Australia?
- Do the coders or developers have access to any client data when they are developing and maintaining the planning system?
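The question about how a provider stores user names and passwords has a recognisable good answer, and it helps to know what one looks like before asking it. The following Python sketch is an added example, not code from Midwinter or from the original article: it contrasts a store that keeps passwords as given (the answer an adviser should not want to hear) with a store that keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest, verified with a constant-time comparison. The iteration count, the in-memory dictionaries and the user names are constructed for the example; a real provider would keep the salt and digest in a database column and choose the iteration count from current guidance.

```python
import hashlib
import hmac
import os

# Constructed in-memory stores standing in for a database table.
_WEAK_STORE = {}       # username -> password exactly as the user typed it
_HARDENED_STORE = {}   # username -> (salt, digest, iterations)

# Assumption for the example: iteration count for PBKDF2-HMAC-SHA256.
# A provider should be able to state its own figure and why it chose it.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_ALGO = "sha256"


def weak_register(username: str, password: str) -> None:
    """Stores the password itself: anyone who can read the table reads every password."""
    _WEAK_STORE[username] = password


def weak_verify(username: str, password: str) -> bool:
    """Plain comparison against the stored password."""
    return _WEAK_STORE.get(username) == password


def hardened_register(username: str, password: str) -> None:
    """Stores only a random salt and the derived key, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(DIGEST_ALGO, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    _HARDENED_STORE[username] = (salt, digest, PBKDF2_ITERATIONS)


def hardened_verify(username: str, password: str) -> bool:
    """Re-derives the key from the supplied password and compares in constant time."""
    record = _HARDENED_STORE.get(username)
    if record is None:
        # Derive against a dummy salt so an unknown user costs the same time as a known one.
        hashlib.pbkdf2_hmac(DIGEST_ALGO, password.encode("utf-8"), b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    salt, stored_digest, iterations = record
    candidate = hashlib.pbkdf2_hmac(DIGEST_ALGO, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


def breach_exposes_password(username: str, password: str) -> dict:
    """What a reader of a leaked table learns: is the password literally present in the record?"""
    weak_record = _WEAK_STORE.get(username, "")
    hardened_record = b"".join(_HARDENED_STORE[username][:2]) if username in _HARDENED_STORE else b""
    return {
        "weak_store": password in weak_record,
        "hardened_store": password.encode("utf-8") in hardened_record,
    }


if __name__ == "__main__":
    weak_register("adviser.example", "correct horse battery")
    hardened_register("adviser.example", "correct horse battery")
    print("weak verify:", weak_verify("adviser.example", "correct horse battery"))
    print("hardened verify:", hardened_verify("adviser.example", "correct horse battery"))
    print("leak exposure:", breach_exposes_password("adviser.example", "correct horse battery"))
```

Two details are worth listening for in a provider's answer: each user gets their own salt, so two users with the same password produce different stored digests, and the comparison is constant-time, so a wrong guess does not leak how many leading bytes matched. A provider that can explain both, and name its iteration count and algorithm, has thought about the question.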
Understandably, it is highly unlikely that any individual adviser will ever be in a position to commission an independent penetration test (which is standard among the banks and larger licensees).
Advisers really do need to consider “How seriously does my business partner take my biggest asset?” i.e. their client data.
Good intentions are simply not good enough here.
What drives a successful relationship between a financial planning software provider and their adviser clients?
The short answer is trust.
Quoting Warren Buffett, “When looking for a business partner you look for three basic things – skill, energy and integrity. If you haven’t got the last one – you may as well forget about the first two.”
Trust is not easily defined, but most advisers I have spoken to in the last year will agree that when it comes to maintaining a secure planning system, transparency is essential to creating trust.
Our approach when it comes to informing clients about the security of their data is to be entirely transparent. We have collated our response to every security question we have ever been asked and made the answers available to all potential and current clients.
We are also ready to engage with advisers and talk them through the robust security processes we have in place, to ensure that we have their security covered.
So how do we try and mitigate as much security risk as possible?
Moving from a desktop based (or hosted managed system) to a cloud based system will mitigate many security issues, such as:
- Cloud-based applications tend to have best-of-breed security through economies of scale. All customers, including smaller practices, receive professional security services along with the planning application service.
- There is a minimal daily administration requirement – all maintenance is provided by the planning software provider.
- All clients benefit from any external code reviews, penetration tests and security reviews, as all clients use the same code base.
- Controls and processes ensure that security measures like password protocols, firewalls and security patches are up to date for all clients.
- Cloud based planning software providers typically provide something a small business or someone using a hosted managed system might not be able to afford – a physical security guard. Because your data is stored at a data centre with physical security guards, it is more secure than on your premises.
Investing in security is an absolute necessity, and we have learnt that it adds value to our business and to our clients’ businesses. For an adviser or practice, security spending is often crowded out by other areas where concerns appear more immediate. Your planning software provider should be putting their financial resources to work on security – it not only makes your data more secure, it helps take the sting out of security spending for advisers, who really should be worrying about the advice they provide to their clients.
The future of financial planning and financial planning software lies in cloud computing. Advisers should embrace it, but not all cloud computing partners are created equal. Spend time evaluating your financial planning software and make sure their level of security plays a large part in your decision.