The cost savings of moving a small RIA firm to the cloud are pretty tempting. I interviewed John Boulanger of Investment Technology Partners and Marco Naylon of MTN Group to get the story on what the risks and rewards may be for RIA firms considering moving to the cloud.
What RIA Firms Should Know about Cloud Security
According to Boulanger, the biggest thing that financial firms misunderstand or underestimate when it comes to cybersecurity is perception. Many firms believe they are safe if their data is up in the private cloud (e.g., Charles Schwab or Fidelity).
In reality, though, making your RIA firm safe in the cloud is more about policy and less about product. Security best practice requires that an organization have a comprehensive cybersecurity policy first. Once that is established, you can determine which cyber products fit your policy.
The other issue is documentation. Let’s say that you purchased Trend Micro for PCs and mobile. Trend Micro does provide endpoint security, but we need to show regulators that we monitor our endpoints daily for malware and that, if any was found, we remediated it. All of this must be documented.
In Boulanger’s view, sooner rather than later mobile security will no longer be allowed to be off limits in SEC audits. Compliance officers can currently write policy dictating that no mobile devices are allowed to communicate directly with a client. This takes mobile out of the audit review. This is likely to change.
Choosing a Cloud Provider for Your RIA Firm
According to Marco Naylon, the biggest misconception about the cloud as an IT solution is that it needs to be a binary decision between traditional on-premises IT and a cloud provider. The cloud can accommodate a hybrid solution that keeps some data and processes on local resources while moving others to the cloud.
Furthermore, the hybrid solution can be completely customized to meet your firm’s internal and external requirements. For example, a firm can implement an archiving solution that keeps frequently accessed files or data on local resources and moves older assets to low-cost storage in the cloud. An archiving policy could be created to automate the process, freeing up local storage while meeting your firm’s record retention requirements.
Before choosing a cloud provider, a firm should have an accurate assessment of its current IT needs and spending. It should also have a strategic plan for the firm and for how IT will be used to meet its business objectives. An RIA firm should look at three things: Technology Offerings & Services, Pricing Model, and Security.
The offerings and services of a cloud provider should fit the firm’s needs for storage, computing and processing power as well as the ability to manage the development and deployment of applications.
Cloud Pricing Model
Firms need to understand the pricing model: what is charged for and how usage charges occur. The cloud provider should be able to provide detailed cost reports across its various services so that firms can track their usage and spending trends.
Finally, a firm needs to understand the security offerings and protocols of a cloud provider. It should understand how and where its data is stored, and it should retain full ownership of its data. Furthermore, firms need to distinguish between their own security responsibilities and those of the cloud provider. Cloud providers should give a firm the ability to set and implement security policies on its cloud environments.
Cloud Migration for RIA Firms
To begin testing the waters of a cloud solution, Naylon recommends starting with a small, non-mission-critical process. Good candidates are workflows that contain repetitive processes that can be automated in the cloud.
Moving to the cloud isn’t a clean-cut process for RIA firms. Please post your comments below if you have concerns or questions on this subject.