How can I perform Vendor Due Diligence?

What to keep in mind when selecting third-party vendors for your RIA firm.

RIA firms face three main pillars of cybersecurity threats: people, technology, and vendors. Keep these steps in mind when selecting a third-party vendor to help mitigate risk at your RIA firm:

  1. Sign non-disclosure and confidentiality agreements.
  2. Research the vendor thoroughly online. This can reveal potential issues, customer complaints, and strengths and weaknesses of the product or service.
  3. Review and understand the vendor’s information security policy.
  4. Review the vendor’s business continuity plan. If the vendor experiences a business disruption and does not have the proper redundancies in place, it can cause a business disruption for your RIA firm.
  5. Ask your vendor whether they have experienced any security breaches and, if so, the relevant details regarding any such incident.
  6. Ask the vendor how they manage risk internally, and what kind of testing is in place to make sure their risk management systems are working.
  7. Understand what types of third-party vendors the vendor is using themselves, how they manage them, and how they mitigate potential risks.
  8. Know which employees from the vendor will have access to non-public information, and make sure sensitive information is only being shared with the necessary employees.
  9. Do not overshare sensitive information with vendors; make sure they only have access to the specific information needed to provide the service they are providing.
  10. Aside from performing initial due diligence, be sure to perform regular ongoing due diligence on each of your vendors.
