Beginning in 2014, the Securities and Exchange Commission ("SEC") has issued a series of registered investment adviser ("RIA") risk alerts highlighting cybersecurity as a key compliance concern. In particular, on September 15, 2015, the SEC Office of Compliance Inspections and Examinations ("OCIE") issued a risk alert flagging vendor management as one of six critical cybersecurity focus areas. Subsequent SEC OCIE risk alerts and guidance have also continued to identify third party vendor management as a critical cybersecurity risk area. As more RIA firms migrate to cloud-based technology and vendors, proper vendor management and due diligence is becoming an even more important element of every investment advisory firm's cybersecurity compliance program. In today's world, investment advisers need to actively mitigate the risk of indirect information security breaches via a third party vendor that leads to the exposure of the RIA firm's nonpublic personal information ("NPI") or other sensitive information.
Here are ten helpful tips to consider when building and reviewing your firm's third-party vendor management compliance program:
- Implement policies and procedures to address third party vendor risk: Make sure that all current policies and procedures have been reviewed and updated to address the use of third party vendors including due diligence, contracts, approval process, supervision, monitoring, and risk assessments.
- Perform proper due diligence before choosing a vendor: Don't make the mistake of waiting to perform due diligence until after the vendor's solution has been implemented. It is vital that any potential information security issues are properly identified and if necessary, mitigated, before engaging with the vendor.
- Perform proper ongoing due diligence reviews: While initial vendor due diligence is essential, don't neglect to continue to perform ongoing due diligence reviews on a regular basis. In today's rapidly evolving technology world, it's important to continue to review the progress and implementation of a vendor's information security program.
- Conduct a regular vendor risk assessment: Each vendor should be evaluated to determine its potential risk to the firm. Vendors posing greater risk such as vendors that possess NPI or are critical to the RIA firm's operations will likely need to go through a more thorough due diligence and review process.
- Sign non-disclosure and confidentiality agreements: Regardless of the risk level the third party vendor poses to the firm, it likely makes sense to have a non-disclosure and confidentiality agreement in place with the vendor to further safeguard NPI and sensitive firm business information.
- Limit types of data and access given to the vendor: While some key vendors such as customer relationship management or portfolio management and reporting software may have access to high levels of sensitive data, it may not be necessary for other less critical vendors to have access to NPI. Be sure vendors only have access to the absolute minimal level of sensitive data possible in order for them to deliver their service.
- Review the contract with the vendor: Before engaging with the vendor, be sure the contract addresses items such as data storage and retention, breach notifications, use of subcontractors, etc.
- Review the vendor's business continuity plan: If a critical vendor experiences a business disruption, it could also lead to an RIA firm being unable to deliver timely service to clients. Ensure vendors have a robust business continuity plan in place to help mitigate potential business disruption issues.
- Understand who from the vendor will have access to sensitive data: Similar to how RIA firms should limit access to sensitive data to only the relevant employees, vendors should be evaluated for similar data access control policies to help mitigate the potential damage of a security breach.
- Research the vendor online: Don't forget this simple but critical step. A simple online search may reveal any recent complaints or potential information security issues.
Along with email phishing, third party vendor risk is quickly emerging as a key RIA information security risk. Investment advisory firms need to recognize the risk that third party technology and service vendors may present and actively address through the implementation of properly designed policies and procedures, risk assessments, and a regular due diligence and review process.