As more asset managers invest in cloud-based data and analytics solutions to understand and serve their investors, information security certifications are becoming a primary consideration in the procurement process.
However, many teams do not want to invest weeks auditing vendor processes and controls in the early or even late stages of a request for proposal (RFP). That is where recognised industry standards and certifications such as ISO/IEC 27001:2013 come into play…
The importance of information security when handling client data
The International Organization for Standardization’s 27001:2013 guidance outlines the requirements for establishing, implementing, maintaining and continually improving an organisation’s information security management system and assessing and treating information security risks.
Information security is a critical factor for our business when assessing suppliers — and even more critically so when considering a supplier for our client data needs. Significant damage could be done to us as a firm should our client data become compromised. Therefore, we took great comfort from Aiviq’s ISO certifications and professionalism when answering our due diligence questions.
Terry Yodaiken, Head of Distribution, Business Support & Governance at First Sentier Investors
Why information security certification matters
There has never been a more crucial time to focus on data security. Cyber crime is becoming increasingly prevalent, and the stakes are high for any organisation routinely handling client data.
So, what role do industry standards and accreditations play in securing organisations and client data solutions?
In March 2022, the Financial Conduct Authority (FCA) stated that firms must have made the necessary investments to ‘operate consistently’ within their impact tolerances by no later than March 2025.
The Prudential Regulation Authority (PRA) also called on managers to ask themselves fundamental questions: how will we identify and protect critical assets? And how will we detect and respond to incidents that arise?
According to research conducted by HSBC, it takes two years on average for an organisation’s trust with investors to recover following a cyber incident. Furthermore, the share price of affected companies underperformed by an average of 15.6% in the three years afterwards, with financial companies tending to fare worse than other sectors.
It is no secret that large data breaches cost money, disrupt day-to-day business and tarnish clients’ trust in an organisation.
For example, the asset and wealth management division of Morgan Stanley has fallen afoul of several data breaches, from external cyber attacks to leaked customer banking and login credentials. Similarly, development finance institution Norfund suffered a series of data breaches in 2020, with a mixture of manipulated data and falsified information leading to fraudsters making off with $10 million.
The easy way to identify partners that are serious about client data security
Information security should be a core requirement for any procurement team when evaluating client data solutions within the market.
Issues arise when teams lack the time or resources to begin auditing suppliers early in the RFP process, leading them to work with vendors with inadequate cyber defences. Recognised industry certifications such as ISO 27001:2013 are therefore valuable for managers, as they instantly verify that an organisation is taking preventative and reactive measures to mitigate cyber risks.
ISO 27001:2013 is an internationally recognised standard of information security best practice. It affirms that a ‘top-down’, robust security culture is applied throughout an organisation. Certification to this standard is a sign of quality and assures that the confidentiality, availability and integrity of all data entrusted to us are protected.
Tim Pringuer, Information Security Lead at Aiviq
Aiviq’s security architecture goes beyond the ISO 27001 standard
Aiviq is dedicated to protecting information and adhering to the most stringent industry standards. The key objective of our security policy is met by achieving availability, integrity and confidentiality throughout all our operations.
Comprehensive business continuity and disaster recovery policies ensure Aiviq’s services are available when needed. We maintain trust and integrity through implementing a continuous monitoring policy on all services to protect, monitor and alert. Aiviq utilises the most globally recognised access management framework to ensure only authorised activities are allowed and guarantee confidentiality.
Pavan Cherlapelly, Head of Technology at Aiviq