(The writer is a Reuters columnist. The opinions expressed are
By Jennifer Cummings
June 5 A weak link in many financial advisers'
cybersecurity plans is the outside companies that help run their
businesses, such as payroll companies and computer-repair
Advisers want to focus on delivering great service to
customers, so vendors' cybersecurity practices are often not top
of mind, said John Brady, head of information security at the
Financial Industry Regulatory Authority (FINRA), at a recent
"In a lot of cases, they're trusting their vendors to look
out for their best interests," Brady said.
That trust could be costly. Data breaches can require
expensive notifications to customers and payments for credit
monitoring services, along with bills from lawyers and
FINRA, Wall Street's industry-funded watchdog, requires the
more than 4,000 brokerages it oversees to supervise their
vendors. The U.S. Securities and Exchange Commission, which
oversees investment advisers, has issued guidance on how firms
can monitor vendors.
An SEC examination of 57 broker-dealers and 49 registered
investment advisers revealed that most had experienced
cyber-attacks directly or through their vendors, according to a
What is more, 30 percent of 40 banking organizations
surveyed by the New York Department of Financial Services did
not appear to require outside vendors to notify them of
breaches, according to an April report.
For extra security, consider the following measures for
vendors that have access to your firm's most sensitive data.
1. Visit their offices to get a first-hand look at security.
Check for cameras and make sure employees wear badges, said
Joseph Rivela, chief strategy officer and co-founder of Breach
Intelligence Inc, a New York City-area information-security
2. Make sure your cybersecurity insurance covers your
damages from vendors' information-security failures. Insurers,
however, will still likely expect you to do your part in
monitoring, Rivela said.
3. High-risk vendors, such as those that access client data,
should let you know if they hire a subcontractor. And you
should require in contracts that policies you set for vendors
extend to their subcontractors. For instance, if your vendors'
employees must have background checks, their subcontractors'
employees should too. Depending on the risk level of certain
vendors, you may even want to prohibit some from using
subcontractors, said Rocco Grillo, who heads a global
information security unit at Protiviti, a division of
California-based Robert Half International Inc.
4. Consider getting warranties from vendors that promise
they will use virus protection. Benjamin Lawsky, New York's
financial services regulator, expects to propose a rule this
year that will require banks to get warranties from vendors
about cybersecurity protections they have in place.
5. Include vendors in plans for responding to breaches. For
example, note the cellphone number of your vendor's IT person.
Role-play a data breach with vendors to see if there are
weaknesses in their responses.
Finally, make sure you have a back-up company in place to
take over if you have to quickly cut ties with a vendor.
"It's not easy to just pull the plug," said Grillo.
(Reporting by Jennifer Cummings; Additional reporting by
Suzanne Barlyn; Editing by Suzanne Barlyn and Steve Orlofsky)