Popular Password Manager Tools for RIA Firms to Consider

Sep 28, 2016

We strongly suggest that RIA firms consider using a password manager tool. We compare some of the popular tools that RIA firms should further diligence.

As the focus on cybersecurity continues to grow, registered investment adviser (RIA) firms need to be more focused than ever on protecting nonpublic client information. As more firms migrate to cloud-based technology systems, a key information security best practice is to use a unique, strong password for each system. Unfortunately, many advisory firms struggle to implement this best practice: from a practical standpoint it is difficult to require, because remembering a series of unique and complex passwords is inconvenient and error-prone. To address this challenge, we are seeing a growing number of RIA firms implement password manager tools. In a follow-up to our previous post titled Should an RIA Firm Utilize a Password Manager Tool?, this post provides a few examples of such tools that firms may want to consider as part of their vendor diligence process.

While we generally recommend that investment advisory firms implement password manager tools as part of the firm’s information security procedures, performing detailed diligence on vendors in this category is critically important. It is crucial that the selected solution does not experience a security incident that could jeopardize the security of the passwords stored within the tool. Furthermore, when implementing a password manager tool, RIA firms also need to be disciplined about enabling the tool’s two-factor authentication feature, which serves as a second line of defense should the master password or any underlying passwords be compromised.

Popular password manager tools for RIA firms to consider include:

LastPass

Pricing: Free – $24/user/year (Freemium model)
Encryption: AES-256

  • Cloud Backup
  • Auto Fill
  • Multifactor Authentication
  • Sync Across Multiple Devices (Premium)
  • Desktop Application Passwords (Premium)
  • Administrative Controls (Enterprise)
  • Security Reporting (Enterprise)

When considering LastPass, we strongly suggest that firms consider the Enterprise solution, which begins at $24/user/year. The Enterprise plan provides additional administrative and reporting features which allow a firm’s Chief Information Security Officer (CISO), a role often filled by the firm’s Chief Compliance Officer (CCO), to more easily and thoroughly test whether information security policies and procedures are being properly implemented across the firm.

Dashlane for Business

Pricing: Free – $0-39.99/user/year (Freemium model)
Encryption: AES-256

  • Auto Fill
  • Digital Wallet
  • Desktop Application Passwords
  • Multifactor Authentication
  • Cloud Backup (Premium)
  • Sync Across Multiple Devices (Premium)
  • Administrative Controls (Enterprise)
  • Password Sharing (Enterprise)
  • Security Reporting (Enterprise)

Like LastPass, Dashlane also offers the ability for staff members of an RIA firm to keep separate “spaces” for business and personal security credentials. 

1Password

Pricing: $2.99-$4.99/user/month
Encryption: AES-256

  • Desktop App
  • Digital Wallet
  • Administrative Controls
  • Cloud Backup
  • Sync Across Multiple Devices
  • Password Sharing
  • Multifactor Authentication 

While considered one of the more popular alternatives, 1Password does not offer some of the enterprise monitoring and reporting capabilities found in the LastPass and Dashlane offerings. Instead, most of its features are focused on consumer use, which means it may be a solution for single-advisor RIA firms to further diligence.

Other popular solutions to consider include: Keeper, Meldium, and Zoho Vault.

Key Feature Descriptions:

  • Admin Controls: Access to a user interface that allows the user to manage their passwords.
  • Auto Fill: Automatically fill usernames and passwords when a user visits a known website.
  • Cloud Backup: All passwords are backed up in the cloud so that they are saved if a device is lost. 
  • Digital Wallet: A user can save credit card information that can be used to make purchases online.
  • Multifactor Authentication: Using a smartphone application or other method, users benefit from the added security of two or more methods of authentication.
  • Password Sharing: Systematically share access to a web service or platform with another user sharing the same account. 
  • Security Reporting: Reporting on users or firm password use and strength to help identify security vulnerabilities.
  • Sync Across Multiple Devices: Saved usernames and passwords are made available on all of a single user’s approved devices.

As RIA compliance consultants, we do not in any way officially endorse any of the above mentioned solutions and strongly encourage all RIA firm principals to conduct and document a thorough vendor diligence process when considering a password manager tool.