With cybersecurity threats on the rise, John Messinger shared insights with AdvisorHub on how financial advisors and institutions can understand cybersecurity risk and provided a framework for wealth management enterprises to assess vendors and the importance of SOC 2 compliance in the process.
John Messinger, Information Security Officer, FusionIQ:
Wealth management and financial planning center on reducing risk and mitigating the negative impacts of its realization. Cybersecurity operates on a similar paradigm – while risks cannot be fully eliminated, they can be mitigated based on available resources. Just as a portfolio manager recommends risk management techniques, cybersecurity requires balancing the cost of protection with the likelihood and impact of threats. This approach can be implemented using a statistical model based on standard deviations, with different categories of risk requiring varying levels of management, such as SOC 2 Type 2 reports, the NIST Cybersecurity Framework, and other third-party risk management techniques.
When considering cybersecurity risks through a lens of probability and preventability, a first standard deviation risk could be as simple as using weak or common passwords without multifactor authentication. More complex threats, such as spear-phishing attempts, fall within the second standard deviation and can be mitigated with email filtering technologies and adherence to best practices. In the third standard deviation, we encounter more complex threats, such as misconfigured systems exposing sensitive data, insider threats like a compromised employee, or supply chain compromises. Beyond the third standard deviation lie risks associated with highly skilled attackers, including nation-state actors or organized crime, where prevention and mitigation strategies have limited efficacy due to the sophistication and resources behind these threats. However, the likelihood of such events is significantly lower and more focused on high-value targets.
For many wealth management advisors and financial planners, technology and cybersecurity are not core competencies. This makes evaluating the cybersecurity posture of vendors a challenge, often requiring outsourcing to in-house security teams or third-party auditors. One common method for assessing third-party risk is a SOC 2 audit, which evaluates a vendor’s compliance with the Trust Services Criteria. In a SOC 2 audit, a Certified Public Accountant (CPA) verifies the implementation of industry-adopted security controls. For advisors limited in time and resources, outsourcing vendor risk assessments to licensed professionals provides confidence that a thorough, standardized evaluation has been conducted.
However, while a SOC 2 audit offers valuable insight, it doesn’t address every risk, especially those in the third standard deviation. Just as driving a car involves inherent risks despite wearing a seatbelt and adhering to traffic laws, doing business with a SOC 2-compliant vendor does not guarantee immunity from cyber incidents. SOC 2 provides a solid foundation of security controls, but no framework can prevent every breach. The value of standardized audits lies in their ability to reduce the frequency of common attacks, even if they cannot entirely eliminate more sophisticated or rare threats.
Some argue that SOC 2 is ineffective, citing breaches at compliant organizations as evidence. However, even the most sophisticated intelligence agencies — the CIA, NSA, and foreign counterparts — experience breaches, despite advanced security measures. Does this mean these agencies should abandon polygraph tests, background checks, or physical security measures because breaches still occur? Of course not. Defense-in-depth remains the best strategy for preventing common threats and mitigating more advanced risks. SOC 2 prevents countless attacks that never make headlines. The number of successful breaches at SOC 2-compliant organizations is small in comparison to the number of attacks that are thwarted due to the adoption of its controls.
When assessing vendor cybersecurity risk, it’s important to approach it with the same care as managing portfolio risk. Consider the potential risk a vendor poses to your business, your own capacity to evaluate their security posture, and the resources required to manage that risk effectively. SOC 2 is not a panacea, but it is a critical part of a larger risk management strategy that ensures a baseline level of security is in place.
John Messinger is the Information Security Officer at FusionIQ, where he leads the firm’s cybersecurity efforts. He holds a master’s degree in cybersecurity technology and a bachelor’s degree in finance from the University of Maryland Global Campus, along with multiple certifications in cloud and cybersecurity.