A broker-dealer recently agreed to pay a $650,000 fine after the cloud vendor used by one of its OSJs (Offices of Supervisory Jurisdiction) failed to adequately protect customer information. Apparently, an outside hacker was able to gain access to non-public personal information about the firm's customers.
This breach and the resulting fine should serve as a wake-up call to all firms, but in particular to smaller firms. Smaller firms are the ones most likely to rely on outside vendors to control costs, and they are therefore the most exposed when a vendor fails.
If anything, this fine reinforces the fact that firms are responsible for the vendors they hire. A partner of mine taught me long ago that you can always delegate the task, but not the responsibility. The same holds true here.
It is perfectly fine to use a cloud vendor or some other third party for your firm's operations, but you must, at the same time, engage in heightened diligence. You must do more to protect yourself.
Although you cannot rid yourself of the responsibility to protect client information, you can contractually shift the financial risk of loss to the vendor. In other words, the contract should require the vendor to indemnify you for any fines, costs and losses you incur if its systems are breached. Keep in mind what such a clause does and does not do: the regulator will still hold your firm accountable and fine your firm, so indemnification recovers the cost after the fact rather than removing the liability.
At the same time, your due diligence when hiring a vendor must include asking the tough questions. Have you ever sustained a breach? If so, what did you change afterward, and have you had another one since? How is our customers' information protected while it sits on your systems, who at your company can access it, and can you show us an independent assessment of those controls?
In short, go ahead and outsource, but make sure you know who you are using. Ask the hard questions, and protect yourself with negotiated terms in your contract.