Death, Taxes, and Vendor Breach The CCO’s Guide for Approaching the IT Consultant

Almost every engagement we undertake has Vendor Management considerations. This makes sense as every day more and more Investment Adviser and Broker-Dealer processes are outsourced. While outsourcing can make life easier in many ways, the unavoidable responsibility of third-party due diligence is in the regulatory spotlight. The enforcement of R.T. Jones centered on policies and procedures related to vendor management. And, similar to death and taxes, you can expect another vendor breach story tomorrow.

The SEC has put the headlights directly on Vendor Management by making this practice one of the six focus areas of the 2015 Cybersecurity Examination Initiative as follows:

Vendor Management: Some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.

The Challenge

To simplify – you need to have Policies and Procedures for vendor management including a repeatable process that should take into account initial and ongoing due diligence, focus on the higher risk scenarios of vendors critical to operations and those who maintain sensitive data, and scale up the scrutiny for any person or company touching your systems or networks.

Unfortunately, it’s not this simple. Vendors don’t make it easy, and due diligence is a time-consuming and variable process. You can cross the regulatory “T” by aggregating data for your folder, providing a Due Diligence questionnaire, and attempting to automate this nuanced process. The bottom line is that the CCO has to have the right mindset to approach the issue of Vendor Management.

Uptime versus IT Security

My day currently begins with a series of emails rolling in from servers that we manage. Operating System patching, application updating, and any errors in these processes are sent to my inbox. Any change in system logs is brought to my attention. Finally, host-based intrusion detection software serves up an integrity check of configuration files, root or administrative activities, and various commands executed. Oh, for the days of a cup of coffee and the New York Times! The ritual starts with security activities and validations which were not considered important just a few years ago. As the CCO, you should likely be seeing some of this reporting, but we often find this is not the case. Why? Because most IT consultants and even internal staff focus on one thing: uptime.

Primary IT consultants or the people you work with on setting up your network, maintaining your systems, and adding capabilities were not trained, first and foremost, in security. Functionality is really the mindset of most IT consultants (speed and functionality for Developers). This is to be expected and is driven by client demands, which change daily. In the upper echelons of IT services firms, some system administrators and consultants are even bonused on the concept of “uptime.” So, we have all, including Chief Compliance Officers of investment firms, been forced to put on a new headset concerning IT security.

The problem is that we see a lot of shoddy practices on the part of IT services firms and consultants. Not all, mind you, as there are extremely diligent firms and consultants obtaining IT certifications and making security a priority, but, as the CCO, you have to be tuned into the culture at your IT consulting firm.


We are offering a few notions for you to consider as you approach your consultants or the people helping to administer to your IT programs:

  1. Be tough on your vendors, especially your close IT consultants. Make sure you understand their security and business continuity practices, which should be documented. Many vendors are scrambling to put this information together in reaction to new client demands and regulatory considerations. There is nothing wrong with this as long as your vendors “get it” and are making a good faith effort to make security a priority. Ask your vendor: Do you utilize two-factor authentication or other similar controls in accessing our networks/systems?
  2. Your IT vendors should be proactive on IT security. Do you have the impression that you are guiding your IT vendor in IT security practices? When is the last time your consultant came to you with an idea for hardening security of networks/systems? You need to communicate to your primary IT consultant that you expect them to be actively considering security practices, staying on top of vulnerabilities and exploits related to open ports, services, and protocols in place at your firm.
  3. Do your IT vendors really understand the SEC’s agenda? This is a pet peeve of mine, but Compliance Consultants with a checklist are the last people you want to hire for enhancing IT Security. Similarly, you need to be aware that every IT Consultant is advertising their expertise regarding the SEC Cybersecurity Initiative. Have a conversation with your IT consultants about the regulatory initiative. Find out what they really know about the types of data that must be protected, changing State laws, and the SEC’s focus on Encryption and Data Loss Prevention. Everyone today calls themselves a Cybersecurity expert. Unfortunately, many CCOs that we deal with know more about IT security than their IT consultants.
  4. Make sure your IT vendors are providing you with monitoring data. This subject could be a book in and of itself, but Chief Compliance Officers should be obtaining regular monitoring data to validate the efficacy of the policies and procedures put in place for IT Security and the C-word, Cybersecurity. Let your consultants know that you need to see daily healthchecks, any security yellow-flags, validation of Active Directory group and user permissions, and changes in systems and configuration. You need to put your eyes on this information or bring it to the Information Security Committee to validate practices. These notions are right out of the 206(4)-7 Compliance Rule playbook, and someday, not too far away, the SEC will be asking you for proof of process.
  5. Is your primary IT vendor prepared to deal with breach? Have they dealt with breach or IT security events for other clients? Do they understand concepts of the chain of evidence, isolating systems, and protocols for interfacing with law enforcement? Lyman Terni has just written a Client Alert for Ransomware (please ask us for this to help train your personnel). How are your IT consultants preparing to deal with a Ransomware attack at your firm? In addition to patching, training, and filtering, do your IT consultants know that they can reduce the possibility of Ransomware attacks by disabling executables in the temporary Windows %AppData% directories (see link below)?


We have focused on the concept of your IT consultants for this post, but other critical vendors to investment advisers and broker-dealers, such as law firms, are in the news over the past two weeks. In addition to specific FBI warnings, breach has, predictably, been made public at major firms. About one year ago, we wrote about the legal industry, systemic risks, and the need for improved security practices in general. Just as every IT consultant is purporting to be a regulatory expert, every law firm is the leading expert in privacy and data security. If this is the case and law firms want to be the tip of the spear for breach at your firm, the CCO should be adding Law Firms to the critical vendor list. Given that Law Firms, as guardians of sensitive client information, are obvious targets in the current environment, we recommend that you apply your Vendor Management Program and security headset to validation at your legal partners.


OCIE 2015 Cybersecurity Examination Initiative:

Software Restriction Policies to fend off Ransomware

The Wall Street Journal on Legal Breach