February 27, 2019  |  BLOG POST |

By Tom Ulrich, Director of Application Delivery for Envision Financial Systems, Inc. and Scott Rodenhuis, Chief Technology Officer for Integrated Systems Corp.


Editor’s note:
This post is the third and final in a series of blog posts about how Envision approaches cybersecurity risks.  This blog post addresses the need to develop strong controls and independently verify that what you are doing is meeting its objective.


These days, there’s more than one cloud hanging over the heads of senior technology and business leaders in the fund and financial advisory industries. There’s the bright cloud, a vast network of remote servers around the globe that are hooked together and meant to operate as a single ecosystem, and they all recognize the benefits of moving core pieces of their infrastructure to it. They know this cloud offers better agility and efficiency, easier integration of new applications into their technology stack and the promise of greater client satisfaction.

But there are also dark clouds of doubt and anxiety. How can they make the switch while maintaining the security of their proprietary data and, even more key, that of their customers? How will they ensure they remain in compliance with securities laws, regulations and SRO guidelines? And finally, how will they close the skills gap between their own people—who know plenty about their legacy software systems and business workflows, but not the cloud—and giant cloud services providers that can deliver a whiz-bang hosting capability, but don’t know the first thing about customizing and supporting it for their customers particular needs?

FINRA’s red flags

Guidance released by FINRA late last year in the “Report on Selected Cybersecurity Practices – 2018” lays out some minimal best practices for working in the cloud—cloud vendors should be subject to firmwide security policies and customer data stored in the cloud should always be encrypted. But beyond those two recommendations, the guidance is not too specific when it comes to the cloud and companies undertaking the migrating will need to look elsewhere as they seek to implement best cybersecurity and operational risk management practices.

Going it alone

We’ve watched many financial services companies embark on the journey to the cloud on their own. They amble down the path, attempting to replicate their legacy software offerings as cloud-based applications using a combination of their own technology team and the resources of their large cloud services provider. Some have even pulled it off. But it is rarely easy and often becomes a significant distraction from their core business. In-house software developers are not the same as app developers who are not the same as systems administrators who are not the same as network security experts.

Similarly, the technical experts at major cloud hosting providers are not typically fluent in fund administration or financial advisory firm operations. They don’t understand the imperatives of the business or the regulatory framework in which it operates.

After all, one of the first rules of security is that your ability to secure something is directly correlated to your understanding of that which you wish to secure. An example of when working directly with a cloud provider that doesn’t understand the business becomes a problem is the provisioning of permissions to key personnel. It’s certainly a best practice to restrict what changes individual employees can make in the back end and what data they have access to, but time and again, we have seen personnel frustrated because they were blocked by a third-party cloud services provider from performing tasks that are fundamental to their work.

If a third party is going to put rules around what individual employees can and cannot do while working in the cloud environment, they ought to have a basic understanding of the employees’ job description.

Getting the right help  

When contemplating a migration to the web, we would advocate lining up senior level buy-in from both the business and technology side and then finding a partner that can help bridge the skills gap on both sides of the ledger—a bi-lingual partner that can speak the language of cloud service providers and help them understand the special security and compliance needs of a financial services business and that also can speak the language of financial services firms and help them navigate the nuances of the cloud and the Software-as-a-Service model.

If the operative question is, how can I gain the benefits of the cloud while ensuring security, privacy and compliance? The optimal answer, in all likelihood, is fintech SaaS solutions co-managed by fintech and information