Longtime compliance chief Beth Haddock talks to ThinkAdvisor about cybersecurity, Reg BI and making compliance training less boring.
The biggest compliance issue facing advisors isn’t Reg BI. It’s cybersecurity. Protecting clients’ and firms’ confidential information from a nightmare breach is critical — and urgent, says attorney and compliance expert Beth Haddock in an interview with ThinkAdvisor.
A 20-year-plus veteran of running big firms’ compliance departments, she has helmed her own compliance consultancy, Warburton Advisers, in New York City since 2014.
Haddock’s fresh views breathe life into the essentially juiceless area of financial services compliance: For instance, the frequent industry speaker argues that by delivering a return on the firm’s investment, a compliance department can change from being a cost center to something of a profit center.
In the interview, Haddock, whose clients include fintech companies, BDs and financial advisors, discusses, among other issues, her take on Reg BI and Warburton’s Hollywood-produced training that employs virtual reality to teach compliance regs.
ThinkAdvisor recently interviewed Haddock, on the phone from New York. The author of “Triple Bottom-Line Compliance” (Advantage Media Group 2018), she was chief compliance officer at AXA, Brown Brothers Harriman and Guggenheim Investments. In our conversation, the attorney stresses why advisors need to become more involved with the crucial issue of cybersecurity.
Here are highlights of our interview:
THINKADVISOR: What’s the biggest compliance issue facing financial advisors and firms today?
BETH HADDOCK: Data security, and data ethics and governance: How you collect data, how you use and store it, the parade of regulatory requirements. It’s everything from privacy, the security of advisors’ business information and investor information to using the information you collect in order to grow your business.
What differentiates data security from the concept of data ethics and governance?
Data security is chiefly about the nuts and bolts from an IT perspective. Data ethics and governance is about making a good business judgement as to, for example, how much in the way of resources you’re going to put toward [the tech and data security].
What’s part of that decision?
Will you have a personal server? Are you going to trust the cloud? These are the issues advisors have to decide about. It’s: How much risk do you want to take, and how much do you want to protect your clients, your reputation and your brand — because if you have a breach, it’s pretty disruptive to your business.
This is a whole additional area that RIAs and FAs have to worry about beyond being an advisor to their clients, isn’t it?
Yes — because it’s new and because it’s technical. If you’re an experienced advisor, you didn’t grow up having to think about this for your practice.
What’s the solution?
RIAs have to be educated on the technology rather than outsourcing it 100% and not really thinking about it. They need to be aware and make sure it’s on their radar. Second, they have to consider multiple sources for getting help. One of those would be having an IT person on retainer or, when they’re hiring a COO, making sure that person has a tech background. That will [provide] in-house expertise.
So is that all there is to it?
No. This isn’t a one-and-done. You have to look at data governance the same way you [tend] the investments in an investment portfolio.
What’s a big obstacle to acquiring technology and data security?
If, for example, you’re an independent RIA, you may not have the wherewithal to acquire excellent smart technology when it comes to cybersecurity or IT expertise. It’s really hard for advisors to be at the same level as big financial institutions.
But they need to make some sort of commitment. What should they do?
There are lots of vendors out there. It’s a matter of getting smart and figuring out what makes sense from a resource perspective. And it’s doing due diligence so you know that the tech vendor [you decide on] will protect your information from a breach and isn’t going to share it. You need to know that the whole infrastructure is safe.