Redtail has not released any further information regarding its self-reported March 4 data exposure, which left some client information exposed in a nonsecure environment. But conversations with executives at cleverDome, an industrywide group with the goal of broadening and strengthening data security across financial advisory firms, have revealed more of what took place. For advisors, Redtail’s admitted mishandling of client data stands as a reminder that even though they may rely on the cybersecurity standards of third-party organizations, such as cleverDome, they still bear the burden of third-party incidents affecting client data.
Redtail is a founding member of the public benefit corporation, cleverDome, which was launched two years ago and consists of its three co-founders and a team of independent contractors whose goal, in part, is to create a set of common cybersecurity standards and bring heightened risk management to the network of vendors serving financial advisors.
For members, including Redtail, that wanted to go “under the dome,” each had to undergo a due diligence process that addressed hundreds of line items covering cybersecurity processes, technology standards and governance requirements.
In order to be accepted, companies are contractually obligated to adhere to the 13-page list of “minimum” standards, according to Bridget Gaughan, co-founder and chief risk officer at the organization.
They are also obligated to notify the organization’s leaders in the event of a security breach that impacts cleverDome or any data contained within its environment, said Michael Hallett, CEO of the organization. While Redtail’s data exposure didn’t trigger that provision, because it did not have an adverse impact on cleverDome or its members, Redtail CEO Brian McLaughlin still provided Hallett with information on the incident. Those conversations are ongoing, Hallett confirmed.
It’s from those conversations between Hallett and McLaughlin, which Hallett relayed to WealthManagement.com, that brought to light more details of the March 4 incident. After speaking to McLaughlin, Hallett characterized the data exposure as “simple human error” and “a typical internal company process that needs to be reviewed and checked every year on a constant basis.” He said Redtail employees were “reviewing their internal practices” to address what happened.
Redtail, in response to questions of whether "human error" was responsible for the March 4 incident, or if it had received offers of assistance from cybersecurity experts, replied with the same statement released last month. The firm, as it has previously stated, said that “less than 1%” of its clients were affected. It did not indicate whether it would be changing its employee training in light of the incident. Redtail’s CEO Brian McLaughlin declined to comment further.
While remaining tight-lipped about the details of the incident, the Redtail affair shows just how fragile cybersecurity in financial services can be, and draws attention to the vulnerabilities the industry faces—usually at the human operator level—that no amount of technical standards or heightened risk management can completely erase.
The due diligence process of joining cleverDome is so sensitive that it is not publicly available, said Hallett, in order to protect the members by not revealing information that could be used against them. But members cannot join cleverDome without passing the due diligence process.
“Due diligence of our members is an essential component of our zero-trust network, ensuring that all people and devices are vetted before gaining access to networks,” he explained. “In less than two years since the inception of cleverDome, we have expanded our due diligence process to include more than 800 points of review.” A zero-trust network assumes that all traffic is a threat until it has been verified.
Hallett was unsure if the strict adherence to cleverDome’s standards would have addressed the root cause of the data exposure at Redtail, but a copy of the “minimum” cybersecurity standards suggested that there are pertinent requirements in spirit, if not letter.
One of the standards notes that partners “shall have appropriate administrative, physical and technical safeguards that are designed to …ensure the security and confidentiality of the Protected Data.” Another states that partner firms must have “a process to establish, implement, and actively manage its system and the security configuration of all devices such as phones, laptops, servers and workstations (including personal devices) used by its employees/contractors to send, receive, store or access the Protected Data.”
In a statement released after reports that client data, including personally identifiable information, was exposed, McLaughlin said Redtail “began a thorough forensic investigation to determine how the exposure occurred.”
Despite the incident, Hallett said Redtail had “met or exceeded” his organization’s annual due diligence process, adding that the CRM provider “will complete our evolving due diligence process again in 2019.”
“Redtail has continuously demonstrated a firm commitment to cybersecurity, including undergoing one of the most rigorous external audits available today known as a SOC 2 Type 2, which exceeded industry standards,” said Hallett.
Each cybersecurity incident a member encounters presents an opportunity for cleverDome to improve its standards, noted Gaughan. “I am positive that we will always be making changes to those standards. I don’t know if there’s anything yet, specifically, that would be [changed] as a result of what happened at Redtail,” she said. “We’re going to be asking a lot more questions among our members to find out if there’s anything [they] feel they’re missing or that could be added to enhance our standards.”
She said that none of the cleverDome members, which include TD Ameritrade Institutional, Orion, Riskalyze, FCI and United Planners Financial Services, have contacted cleverDome to express concern with Redtail’s exposure of protected client data.
But the stakes are high for Redtail’s response to the incident, said Brian Edelman, CEO of cybersecurity firm FCI. “With so many advisors reaching out to Redtail, even right now, about this breach, Redtail is going to be materially damaged—by not just the breach, but the breach response,” he said.
Edelman called Redtail’s response “immature.”
“There’s a lot missing in here. Investigations aren’t speculative,” he explained. “There’s a process, right? I have an incident. I investigate. I declare the breach. And I declare what was breached.”
“I don’t go from incident to notification requirements and credit monitoring. It doesn’t make any sense,” he added, explaining that there was room for cleverDome to improve Redtail’s handling of the incident. “What cleverDome could have done better was push Brian [McLaughlin] to say maybe you don’t know everything about cyber and you need to talk with some of our experts that are part of cleverDome. That’s the error. That’s the mistake. They just didn’t push hard enough.”
But every cybersecurity solution has its limits, explained cleverDome’s leaders. “There is no silver bullet in cybersecurity and in this one particular instance, Redtail fell victim to one of the vulnerabilities outside of technology that any company can experience,” Hallett said. “Human error will always be a risk and no entity is immune from making mistakes.”