Registered investment adviser (“RIA”) firms should be aware of the surge in cybersecurity threats over the past few years as well as the increased cybersecurity regulatory focus. Unfortunately, some of the largest data breaches across all industries have been perpetuated through compromised third party vendor access. The Securities and Exchange Commission (“SEC”) has recommended that RIA firms implement vendor management programs.
RIA firms face three main pillars of cybersecurity threats: people, technology, and vendors. In this blog post, we explore the threats related to third-party vendors and how to help mitigate such risk at your firm.
The 2021 RIA in a Box survey of about 1,800 RIA firms revealed that 49% of RIA firms use at least three or more outsourced technology systems. The use of third party vendors in the investment adviser industry has increased over the years with RIA firms increasingly turning to best-in-class third party technology providers to replace spreadsheet and other insufficient internal systems. Providing vendor access to your RIA firm’s network or sensitive client data creates a security risk as cyber criminals are known to use third party entry points to gain access to the firm’s internal systems.
The SEC began focusing its attention on third-party vendor risks in 2014 urging firms to establish due diligence processes. On September 15, 2015, the SEC Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert flagging vendor management as one of six critical cybersecurity focus areas. Subsequent SEC OCIE risk alerts and guidance have also continues to highlight third party vendor management as a critical cybersecurity risk area.
An efficient third party vendor due diligence program will facilitate how firms manage interactions with their vendors. The SEC will evaluate how firms establish and document the processes and procedures to monitor, secure, and allow access to their network and sensitive client information for third party vendors. This should include a standardized and documented protocol for performing due diligence, reviewing vendor contracts, a comprehensive vendor selection and approval process, and a system for monitoring their network and data access. As a reminder, while some key vendors such as customer relationship management or portfolio management and reporting software may have access to high levels of sensitive data, it may not be necessary for other less critical vendors to have access to non public information (“NPI”). Be sure vendors only have access to the absolute minimal level of sensitive data possible in order for them to deliver their service.
It’s important for RIA firms to complete a risk assessment to assess the security levels and policies of vendors. This needs to be done for all vendors, such as outsourced information technology management firms, payroll services, phone systems providers, printer and scanner companies, etc. You should talk with RIA-industry specific and more general vendors about their cybersecurity procedures and how they mitigate risk to your firm.
You should look to classify your vendors by risk, determine which vendors are qualified to work with your firm, which vendors cannot meet your firm’s due diligence requirements, and the vendors that do and do not require access to your firm’s computer network or data of any kind. Vendors who do not require access to the RIA firm’s computer network, data of any kind, or physical paper records may not need to go through the same due diligence process as vendors that require high levels of access to client data and infrastructure. Identify these vendor roles up front to save yourself time when evaluating and onboarding a new vendor.
Bottom line, the SEC examiners are looking to ensure your RIA firm has identified all external vendors or third-parties with access to your network and sensitive data. Then, they want to make sure you have done the work to properly identify who those vendors are, what level of data and access they have, what their own cyber security policies and procedures are, that you have communicated your expectations with them, and how you will monitor their activity.
To learn more about our automated Vendor Due Diligence program, click here.