What to keep in mind when selecting third-party vendors for your RIA firm.
RIA firms face three main pillars of cybersecurity threats: people, technology, and vendors. Keep these steps in mind when selecting a third-party vendor to help mitigate risk at your RIA firm:
- Sign non-disclosure and confidentiality agreements.
- Research the vendor thoroughly online. This can reveal potential issues, customer complaints, and the strengths and weaknesses of the product or service.
- Review and understand the vendor's information security policy.
- Review the vendor's business continuity plan. If the vendor experiences a business disruption and does not have the proper redundancies in place, it can cause a business disruption for your RIA firm.
- Ask the vendor whether they have experienced any security breaches, and if so, request the relevant details of each incident.
- Ask the vendor how they manage risk internally, and what kind of testing is in place to make sure their risk management systems are working.
- Understand what types of third-party vendors the vendor is using themselves, how they manage them, and how they mitigate the associated risks.
- Know which of the vendor's employees will have access to non-public information, and make sure sensitive information is only shared with the employees who need it.
- Do not overshare sensitive information with vendors; make sure they only have access to the specific information needed to provide the service they are providing.
- Beyond the initial due diligence, perform regular ongoing due diligence on each of your vendors.