RIA Compliance and Practice Management Blog

RIA Cybersecurity Focus: The Rise of Third-Party Vendors

Posted by RIA in a Box

Nov 27, 2019 9:45:48 AM

The use of third-party vendors has grown rapidly within the registered investment adviser ("RIA") and broader financial services industry. Many firms are turning to outsourced technology (e.g., financial planning, portfolio management, etc.) and relying on third parties to execute core business functions in order to increase efficiency and reduce spend. In the 2019 RIA in a Box survey of 1,600 registered investment adviser firms, we found that approximately 36% of RIA firms use three or more outsourced technology systems, and roughly one-third indicated a need to maintain an inventory of the data held by their third-party vendors. Unfortunately, the third-party ecosystem is also an attractive entry point for cyber criminals looking to infiltrate RIA firms: a vendor's access to firm systems and client data is only as secure as the vendor's own controls. This cybersecurity risk grows as firms expand and become more reliant on third-party vendors for a multitude of core business functions.


Beginning in 2014, the Securities and Exchange Commission ("SEC") has placed increasing attention on third-party vendors. Regulators are focused on mitigating the risk posed by third-party vendor exposure, which puts pressure on firms to manage that risk through documented due diligence practices. In 2014, the SEC issued risk alerts highlighting cybersecurity as a key compliance concern for RIA firms. Then, on September 15, 2015, the SEC Office of Compliance Inspections and Examinations ("OCIE") issued a risk alert that flagged vendor management as one of six critical cybersecurity focus areas. Subsequent SEC OCIE risk alerts and guidance have continued to identify third-party vendor management as a critical cybersecurity risk area.

Think about the data and system access your third-party vendors have at your firm on a daily basis. Does your firm conduct enough due diligence to ensure your clients' non-public information ("NPI") is secure in the vendor's hands? It is imperative for investment advisers to heighten their awareness and due diligence standards in order to identify areas of potential risk with third-party vendors. The reality is that there is no one-size-fits-all process for conducting vendor due diligence, and the task may seem daunting.

Challenges advisory firms can face conducting vendor due diligence include:

  • Identifying the correct contact at a vendor to provide due diligence information
  • Collecting the proper due diligence information and documents
  • Analyzing due diligence documents to verify the vendor will meet or is meeting the needs of the firm
  • Organizing vendor due diligence documents and version control
  • Conducting periodic due diligence reviews in a timely manner
  • Meeting regulatory compliance requirements and guidelines

Vendor due diligence is a critical component of a firm's cybersecurity program, which is why here at RIA in a Box we are launching a new platform to streamline this process for RIA firms as part of our MyRIACompliance® software platform. The free version of our Vendor Due Diligence Platform allows an RIA firm to connect with up to five vendors to help automate its third-party technology vendor due diligence review and documentation. Once digitally connected with a vendor on the platform, the RIA firm has real-time access to the vendor's latest information security due diligence information. The RIA firm can also store vendor documentation and record the diligence process in the firm's online compliance log, which is fully exportable at any time for no additional charge. The free version of the Vendor Due Diligence Platform is now live, and any RIA firm can sign up today.


Topics: RIA Compliance, RIA Technology

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.
