What to keep in mind when selecting third-party vendors for your RIA firm.
RIA firms face three main pillars of cybersecurity threats: people, technology, and vendors. Keep these steps in mind when selecting a third-party vendor to help mitigate risk at your RIA firm:
- Sign non-disclosure and confidentiality agreements.
- Research the vendor thoroughly online. This can reveal potential issues, customer complaints, and strengths and weaknesses of the product or service.
- Review and understand the vendor’s information security policy.
- Review the vendor’s business continuity plan. If the vendor experiences a business disruption and does not have the proper redundancies in place, it can cause a business disruption for your RIA firm.
- Ask your vendor if they have experienced any security breaches, and if so, the relevant details regarding any such incident.
- Ask the vendor how they manage risk internally, and what kind of testing systems are in place to make sure their risk management systems are working.
- Understand what types of third-party vendors the vendor is using themselves, how they manage them, and how they mitigate potential risks.
- Know which employees from the vendor will have access to non-public information, and make sure sensitive information is only being shared with the
- Do not overshare sensitive information with vendors; make sure they only have access to the specific information needed to provide the service they are
- Aside from performing initial due diligence, be sure to perform regular ongoing due diligence on each of your vendors.