The use of third-party vendors has increased sharply within the registered investment adviser ("RIA") and broader financial services industry. Many firms are turning to outsourced technology (e.g., financial planning, portfolio management, etc.) and relying on third parties to execute core business functions to increase efficiency and decrease spend. In the 2019 RIA in a Box survey of 1,600 registered investment adviser firms, we found approximately 36% of RIA firms utilize at least three outsourced technology systems, and roughly one-third indicated a need to maintain an inventory of the data held by third-party vendors. Unfortunately, the third-party ecosystem is also an ideal entry point for cyber criminals looking to infiltrate RIA firms. This cybersecurity risk increases as firms grow and become more reliant on third-party vendors for a multitude of core business functions.
Beginning in 2014, the Securities and Exchange Commission ("SEC") has placed increasing attention on third-party vendors. Regulators are focusing on mitigating the risk posed by third-party vendor exposure, putting pressure on firms to manage that risk through due diligence practices. In 2014, the SEC issued a series of RIA risk alerts highlighting cybersecurity as a key compliance concern. In particular, on September 15, 2015, the SEC Office of Compliance Inspections and Examinations ("OCIE") issued a risk alert flagging vendor management as one of six critical cybersecurity focus areas. Subsequent SEC OCIE risk alerts and guidance have continued to identify third-party vendor management as a critical cybersecurity risk area.
Think about the data and access your third-party vendors have at your firm on a daily basis. Does your firm conduct enough due diligence to ensure your clients' non-public information ("NPI") is secure? It is imperative for investment advisers to heighten their awareness and due diligence standards to identify areas of potential risk with third-party vendors. The reality is that there is no one-size-fits-all process for conducting vendor due diligence, and the task may seem daunting.
Challenges advisory firms can face conducting vendor due diligence include:
- Identifying the correct contact at a vendor to provide due diligence information
- Collecting the proper due diligence information and documents
- Analyzing due diligence documents to verify the vendor will meet or is meeting the needs of the firm
- Organizing vendor due diligence documents and version control
- Conducting periodic due diligence reviews in a timely manner
- Meeting regulatory compliance requirements and guidelines
Vendor due diligence is a critical component of a firm's cybersecurity program, which is why here at RIA in a Box we are spearheading a new platform to streamline this important process for RIA firms as part of our industry-leading MyRIACompliance® software platform. The free version of our Vendor Due Diligence Platform allows an RIA firm to connect with up to five vendors to help automate its third-party technology vendor due diligence review and documentation. Once digitally connected with a vendor on the platform, the RIA firm has real-time access to the vendor's latest information security due diligence information. The RIA firm can also store vendor documentation and record the diligence process in the firm's online compliance log, which is fully exportable at any time for no additional charge. The free version of the Vendor Due Diligence Platform is now live, and any RIA firm can sign up today.