Compliance software isn’t just about checking a regulatory box. It’s an important tool in the effort to achieve data security for financial institutions. If your compliance software vendor doesn’t prioritize security, however, your firm’s sensitive data — confidential client information, merger and acquisition data, deal specifics, employee PII and holdings information, and more — is at risk. In other words, compliance software vendors must themselves be compliant: adhering to financial data security regulations, adopting industry security standards and best practices, and taking your security as seriously as they, ideally, take their own.
This need to have a laser focus on data security is only becoming more important as related regulatory momentum accelerates around the world. The General Data Protection Regulation (GDPR) in Europe was one of the first broad pieces of legislation designed to guide how organizations collect, use, store, and share data. Since its implementation in 2018, GDPR has inspired a host of similar regulations globally. In the United States, for example, some states are establishing their own laws that aim to govern data use, such as the California Consumer Privacy Act (CCPA). Countries such as Singapore and Brazil have also passed legislation — the Personal Data Protection Act (PDPA) and Lei Geral de Proteção de Dados Pessoais (LGPD), respectively.
These regulations are more than just guidelines. Violating data protection laws can result in significant financial penalties for financial institutions and vendors alike. In fact, as of January 2021, GDPR regulators had issued more than $330 million in fines since its implementation in 2018.
To stay out of regulatory hot water, preserve your firm’s reputation, and keep business running as smoothly as possible, you must ensure your compliance software vendor has the strongest security posture possible. To gauge how much your current vendor prioritizes data security, and to vet potential vendors before signing on, consider the following:
1. Culture of data security
Compliance software vendors that truly prioritize security will have a security culture that’s embedded across the entire organization. Such a culture might manifest as employee training in specific security and privacy approaches. It might take the form of offering more helpful resources to educate employees about the types and sensitivity of data to which they have access.
First, ask about security awareness training at an organization-wide level to gauge the broader culture. Then, start looking into specific training areas around certain financial data security regulations. Are employees familiar with GDPR? Do they know what PII is and how to protect it? Do they understand the basics of what each pertinent privacy regulation dictates and why those regulations matter in their day-to-day roles?
Ask about more role-specific training, as well. Are developers aware of secure coding practices and some of the more well-known financial data security regulations? Are frontline employees familiar with how access to client data is managed, and have they received training on those tools?
Another excellent indicator of overall security culture is how data security compliance information is relayed to top leadership, such as the vendor’s CEO. Are these executives kept informed and updated on security and privacy issues? You want to know that leadership is as in-the-know about security matters as the rest of the company, so they can lead by example. Groups such as governance committees that include the CEO are a good sign that every stakeholder in the company prioritizes security.
2. Regulatory compliance
Any compliance software vendor should take regulations as seriously as your financial institution does. When vetting potential vendors, be sure to ask how they stay ahead of regulations. Firms in the European Union and the European Economic Area, for example, will want to ensure compliance vendors are prepared to meet GDPR standards. Start by ensuring that any vendor contract includes the standard contractual clauses on information security standards set forth by GDPR.
If a vendor operates outside of the country where your firm is based, also ensure that it has experience working with global clients and understands the various legal frameworks around data security for financial institutions that can change based on geographical location. For example, if your firm is located in the European Union and the vendor is in the United States, does the vendor know what to do if the United States government requests data on your firm? Some vendors may think they have to hand it over, but those who understand the legal framework within the global environment will know that they can take steps to push back.
What’s more, you’ll want to ensure the vendor understands the geographical boundaries of data. Transferring data across jurisdictions can be in breach of both the client contract and GDPR, so vendors must understand the obligations of storing data, where data is processed, who’s accessing the data within supporting teams, and how that data is secured.
3. Business buy-in for investments in ongoing improvement
You want your vendor to use enterprise-grade security solutions to protect your data. Often, that will require vendors to partner with outside experts in the security space so they can leverage the best technologies to protect your data. Ask vendors to talk through their security architecture, the security systems deployed, and the people managing those systems, and ask for examples of how they have improved their practices by updating and innovating them in the past. You want to make sure this is an ongoing effort — and that the business side of the organization believes in the value of such continual investment to bring on the best tools and services to serve their clients.
For example, if a vendor company has experienced a lot of growth in recent years, you’ll want to see that they have implemented measures to increase control over data access. A privileged access management system, for instance, requires each employee to obtain permission before accessing any asset or server that stores client data and then records the activity. If you ever need to know who accessed your data and when, any vendor with a privileged access management system will be able to run the audit and report back with ease.
Along with investing in innovative solutions, you’ll also want to ensure that a vendor company is dedicated to continually investing in its employees. It’s important that a company helps each employee develop the right skills to navigate the compliance space as it changes over time. Look for certifications that ensure employees have gone through the rigorous training they need to fully understand how to protect your data, such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Ethical Hacker (CEH).
4. Operational effectiveness of controls
All compliance software vendors will say that they take security seriously, but that doesn’t mean you should take their word for it. Independent, third-party audits give vendors valuable feedback on their controls, but they are also expensive. So if a vendor is investing in these kinds of procedures, it’s a strong indication that they’re committed to and prioritizing their own security as well as yours.
A good audit to start with is ISO 27001. This is an internationally recognized point-in-time audit that tells vendors whether their information security management system (ISMS) is suitably designed and effective at that time. While this is good to know, it doesn’t account for how these security controls are functioning over a period of time.
A SOC 2 Type 2 audit, on the other hand, tells a much fuller story. This audit can only be performed by a CPA firm, which will review evidence demonstrating the security controls were running effectively throughout the entire year. Request documentation from both ISO 27001 and SOC 2 Type 2 audits to get the most accurate idea of how effectively a compliance vendor is operating controls.
A compliance software vendor is a critical partner for your organization, which is why you should take great care in selecting this kind of vendor and ensuring they live up to your own standards and the standards of regulatory bodies. As you work through the list of considerations above in your conversations with current or prospective vendors, remember that their response or reaction to these inquiries is itself a valuable source of information. Transparency is key for trust. Keep looking until you find a partner that is eager to prove its data security compliance capabilities.