Picking the Right Software – Security & Integration Edition

As a broker, you know what you need from a product in terms of features.

Maybe you need a document signing platform that supports multiple signers, and PDF uploading of forms.

Maybe you need a CRM that has automated email reminders, or email triggers.

Maybe you need an email marketing tool that has an easy-to-use interface and supports customer distribution lists and groups.

That’s all great, and knowing what you are looking for and what matters most to you is a great way to save money and increase adoption of the services you decide to add to your stack. But you are also responsible for your clients’ data, and that data may end up stored on these service providers’ servers. So, what do you need to look for to keep that data safe? Here’s our rundown of some key details and concerns when vetting a new piece of software.

Country of Origin/Hosting

Software companies operating from the USA or Canada must comply with Canadian or US data security laws. Companies based elsewhere may claim to comply, but enforcing that claim is nearly impossible, and in the event of a security incident, legal proceedings are likely to be much slower or impossible depending on the location. Look for companies that originate in Canada or the USA; depending on the service type, the UK is sometimes acceptable as well.

A Security Framework or Compliance Framework

A recognized security framework or compliance standard goes a long way toward demonstrating a company’s commitment to security. Something like SOC2 shows that a company has met a high bar for security and is audited regularly to stay in compliance. SOC2 is the “gold standard” in North America, while the predominant global standard is ISO 27001; either would indicate a strong security environment at the company. These standards can be a high bar to meet, especially for a startup or smaller company, so some less rigorous alternatives that still show a commitment to security are NIST, CIS, or locally (in Canada) ITSG-33.

Encryption of Data

Data encryption is a mandatory detail on any platform where you plan to store or process customer data. It comes in two forms: data at rest and data in transit. You want both! Look for products that offer AES (256-bit), 3DES, RSA, Blowfish or Twofish. This is what keeps your clients’ data from being readable if your provider suffers a breach of their systems.

Safe Authentication Methods

Your username and password are your responsibility, and we hope that most users have a password manager with STRONG and RANDOM passwords for most of their services. But you rely on the provider to offer and enable MFA (Multifactor Authentication) on their platform. In 2023 this should be on every system you use, and there’s really no excuse for not having it enabled anymore (some insurers are even voiding claims completely if it is not enabled!). Providers should offer MFA in the form of authenticator-app codes or email. SMS is sometimes an option, but it is the weakest form of MFA and we like to avoid it whenever possible.

So now you’ve found a product and it ticks all the boxes, great! Is there anything else you should consider? Well, we have one more concern that may or may not be important to you, but we feel it should be a major decision point for any broker.

Integration Support

The platform may be the best in the world, but if you can’t connect it to other platforms, it will always be a source of lost time for your team. Look for a platform with a robust API, ideally a RESTful one. (API means Application Programming Interface, which is a fancy way of saying the software can “talk” to other software; RESTful is just a common standard for APIs that makes them a lot easier to work with.) APIs open the door to a huge amount of automation and connections, which ultimately equates to more time to sell and more time to build relationships, rather than copy-pasting and duplicating tasks.


So when picking a piece of software to add to your stack, take a moment to consider your clients’ data safety and how this platform can affect it (positively or negatively) before diving in.

If in doubt, feel free to reach out to info@bvigilant.ca for some unbiased advice from a passionate team of people who deal with this every day!
