With SOC 2 certification, Mako doubles down on commitment to client confidence

Firm's chief technology officer on how internal management mitigates risks and cyber threats

Recently, Mako Financial Technologies announced its successful completion of the Service Organization Control (SOC) 2 audit, which was conducted independently by Deloitte.

By undergoing that process, the Montreal-based wealthtech firm, which provides automated solutions for wealth management firms, has concretely demonstrated its commitment to protecting its business and its clients from disruptions and security risks.

“There have been a lot of security incidents lately, and it's something that people in the industry are nervous about,” David Kleiman, Chief Technology Officer, told Wealth Professional.

According to Kleiman, the recent boom in cryptocurrencies gave bad actors an incentive to infiltrate and hijack servers to do crypto mining. Ransomware attacks have also become much easier for attackers to execute, which means having cybersecurity measures in place to protect clients’ data is now, more than ever, a top priority for technology companies.

Kleiman says the SOC 2 certification is a gold standard for security and data confidentiality, particularly for firms that provide or use technological tools in their business and handle confidential and personally identifiable information. While other certifications exist (ISO 27001, HIPAA, and others), they all take the same general approach, requiring a multi-layered internal control framework to prevent security incidents.

“Our processes didn’t really change much from the time we decided to get a SOC 2 audit until now,” he says. “It really is about reassurance for our existing clients, especially if they have downstream partners and customers themselves.”

For a firm to pass a SOC 2 audit, Kleiman says there are over 300 operational controls that SOC 2 requires for compliance. In terms of cybersecurity, that includes having a business continuity plan and a disaster recovery plan. There’s also a raft of other requirements around the capability to report and recover in the wake of a cybersecurity incident, with notifications sent out to all customers when the firm discovers something isn’t working properly.

A major piece of Mako’s cybersecurity strategy, Kleiman says, is its audited change management process, which governs every change made to any of its systems. It allows the firm to be flexible in developing or enhancing the platform while still having multiple fail-safes in place.

Before it deploys new code, the firm ensures someone else has reviewed it, then tests it locally. Deployment is done in stages, and Mako is always able to roll back a change in case it leads to a glitch or malfunction.

“There’s also an HR piece to our change management process,” he adds. “We have a robust user access policy using the need-to-know and least-privilege methodologies. Access is reviewed and, if an employee leaves Mako, we have an immediate offboarding process to remove access.”

Kleiman says SOC 2 certification is table stakes for wealthtech vendors that want to do business with larger firms, as in many cases it is a mandatory part of those firms’ due diligence process. For smaller firms that may have less rigorous due diligence processes, the certification provides valuable reassurance and eases the burden associated with reviews.

“It definitely simplifies their audit process when they get audited on who their third parties are,” he says. “It's much easier for them to present a SOC 2 certification than to go and fill out their due diligence questionnaire and wonder if the responses are a true reflection of the controls in place. Doing the audit means the claims are backed up by evidence independently verified.”

To maintain its SOC 2 certification, Mako will have to undergo the lengthy and stringent audit process every year. Kleiman says it’s worth it, especially given the cybersecurity risks that run rampant across the world, including the wealth space.

“If you have something worth stealing, you should be aware of the cybersecurity implications,” he says. “It's obviously even more important within the wealth management space, because we have so much personal data like social insurance numbers … everything is becoming more and more digitized, so the attack surface is growing. And with new ways for attackers to profit from their activities, it's definitely a riskier environment for cybersecurity.”