March 6, 2020 / 12:47 PM

IA BRIEF: Three vendor management practices to battle cyber risk

New York (Thomson Reuters Regulatory Intelligence) - The U.S. Securities and Exchange Commission has highlighted three management practices to enhance vendor safety, as part of a recent report identifying industry practices and approaches to managing and combating cybersecurity risk.

The use of outside vendors for critical functions related to operating an investment advisory business continues to grow in popularity, as it offers the promise of allowing advisers more time to focus on client relationships. But with it come increased compliance obligations and cybersecurity risk.

The practices the SEC has taken note of are: advisers creating vendor management programs, taking steps to understand all facets of the vendor relationship, and implementing vendor monitoring and testing programs.


A vendor due diligence program must treat its vendors as an extension of the firm. Therefore, an outside vendor that maintains some of the firm’s most sensitive information should face the same scrutiny that would be placed on the firm itself.

For example, many advisers contract with outside vendors to store electronic data and files, and if those databases are hacked, it can hurt the firm and its clients. A risk of this nature requires a firm to be aware of how the vendor protects the firm’s data and to be confident that the vendor’s data-protection policies are always followed.

In a 2015 risk alert, the SEC found that some of the largest data breaches in preceding years may have resulted from the hacking of third-party vendor platforms.

Most recently, the 2020 SEC exam priorities letter continued to prioritize information security. Specific to advisers, the SEC will focus its examinations on assessing advisers’ protection of clients’ personal financial information.

SEC focus areas will include governance and risk management, access controls, data loss prevention, vendor management, training and incident response and resiliency.

In the area of third-party and vendor risk management, the SEC will focus on the oversight practices related to service providers and network solutions, including those leveraging cloud-based storage.


The SEC's advice on vendor management is part of a larger report by its Office of Compliance Inspections and Examinations on cybersecurity, issued January 27. It said its recent inspections have found firms have taken steps to establish policies for the management of vendors.

Typical practices and controls include those related to conducting and determining the appropriate level of due diligence and the ongoing monitoring and oversight of the vendor and contract.

A risk-based approach to a vendor’s cybersecurity risk is vital.

A risk assessment of a vendor relationship can be accomplished by looking at a list of potential impacts and rating each as low, medium or high. A firm may evaluate the financial, reputational or operational impact of a vendor failure, with the sensitivity of the information the vendor handles influencing the level of risk.

The SEC found firms are requiring that vendors meet security requirements and that appropriate safeguards are implemented.

Advisers are also using questionnaires based on industry security standards (e.g., SOC 2, SSAE 18) and paying for independent audits.


A contract may be the best way a firm can protect itself and its clients’ most sensitive personal information.

The SEC has found many firms are taking steps to understand all contract terms, including rights, responsibilities, expectations and other specific terms, to ensure that all parties have the same understanding of how risk and security are addressed.

An additional risk in vendor relationships comes from a firm’s primary vendor using outside vendors of its own to deliver a service. The SEC observed many firms are making attempts to comprehend and manage the risks related to vendor outsourcing, including vendor use of cloud-based services.

A vendor’s outsourcing relationships should be disclosed in the contract, but the risk may only be fully understood after closer review of the business. In some cases, advisers may perform an audit to ultimately discover all the parties involved in delivering their contracted service.


Continuous oversight and monitoring must be done to ensure the vendor is upholding its end of the contract and to identify any changes that may affect the initial risk rating. Additionally, the needs of the advisory firm may have changed since the contract was signed.

The SEC observed firms are taking steps to monitor the vendor relationship to ensure that the vendor continues to meet security requirements, and to be aware of changes to the vendor’s services or personnel.

The intensity of monitoring may be risk-based. Vendors with access to more sensitive data may be subjected to a higher level of monitoring than other vendors. A higher level of monitoring may include onsite visits to the vendor and system tests.

(By Jason Wallace, Regulatory Intelligence, in San Diego)

This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on March 2. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters