Due Diligence For Your Vendors And Your Firm
Business Risk
Executive management, board-level, and compliance personnel should understand the exposure created by vendor relationships. Functional business units and personnel should be trained on the threat posed by third parties and on the requirement that your firm’s security standards extend to the vendor. Intruders can patiently hunt for means of accessing even the most secure businesses. One way access is typically achieved is through a vulnerability in a third party’s network or through a process that grants the third party access to your resources. Apropos of the Target HVAC example, we see firms providing access to their networks and systems, for example so that a third party can service internal copiers and printers. Administrative access to systems may be necessary to install drivers and plugins to control such devices, and that access presents a possible intrusion vector into your network. Any time you grant access to systems and networks, as in this example, stringent controls should apply for the life cycle of the vendor relationship. Failure to do so could create a regulatory concern in the event of a breach, and may represent a deficiency in a typical exam setting.
Regulatory Risk
Due diligence of critical third parties is familiar territory for regulators. For years they have plowed this field with respect to research of outsourced managers, requirements for auditors (Regulation S-X), and custodial relationships. Examiners understand the nuances of maintaining documentation on the list of critical vendors kept within your Business Continuity Plan, tied to notions of fiduciary responsibility as described in the Investment Advisers Act of 1940. With this regulatory backdrop, and as all businesses become more dependent on outsourced technology, firms must develop and execute a plan to conduct initial, ongoing, and terminating due diligence of their vendors. Readers should be aware that:
- Third parties were mentioned in the SEC’s February 2015 Cybersecurity Examination Sweep Summary and its statistics (see our white paper on “Five Statistical Observations”);
- FINRA addresses the subject of Vendor Management more comprehensively in its February 2015 “Report on Cybersecurity Practices”;
- Third parties were referenced in the opening paragraph of the Division of Investment Management’s April 2015 “Cybersecurity Guidance” (PDF);
- Regulation S-ID requires the due diligence of third party vendors for whom identity theft may be an issue or possibility. This equates to any vendor who maintains identity information of clients or employees, such as a Custodian, a CRM provider, a third party client database, and so forth; and finally
- Law and accounting firms are vendors for whom you should also be conducting due diligence (see our post on “Law Firms: The Current State of Affairs”).
Here are five key considerations for your vendor oversight process:
- Create a Vendor Management Program. You must have policies and procedures and a recurring process for examining vendor participation and access. Your approach to Vendor Management, like cybersecurity in general, should be risk-based. What type of data do vendors maintain and are vendor activities related to critical processes? Answering these questions will help you prioritize your vendors and define the controls surrounding each.
- Treat your Service Level Agreements (SLAs) with care. Establish contractual terms appropriate to the sensitivity of the information and systems on which vendor applications may reside or to which vendors may be granted access. Remember that terms of data ownership, transference, and destruction must be spelled out clearly. Review SLAs on an annual or as-needed basis, depending on the changing requirements of your business or changes in the vendor’s model. Vendor management via the SLA is a complex and multifaceted subject. You should also be considering:
  - Non-disclosure and confidentiality agreements;
  - Breach notification responsibilities;
  - Right-to-audit clauses;
  - Vendor employee access limitations; and
  - Use of subcontractors.
- Due Diligence on prospective vendors should be thorough. Consider developing a vendor Due Diligence Questionnaire (DDQ) addressing the issues important to your firm’s cybersecurity program. For example: Does the firm utilize encryption of data at rest and/or in transit? Does the firm have control reporting conducted (SSAE-16, SOC-1, SOC-2)? Does the firm have disaster recovery practices in place? Exactly which employees will have access to your data? There are third parties that can assist with Due Diligence, but we caution that those vendors must clearly understand both business and regulatory risk for financial firms.
- Get Your IT Team Involved. The administrative business of contracting and maintaining vendor information is often handled by Compliance and Legal, but all firms are different. Vendor Management is a significant undertaking, and the CCO should leverage existing resources for assistance with this process. Where vendors have been labeled high-risk, IT should be directly involved in monitoring the vendor’s access, controls, and activities. This will always be the case when Personally Identifiable Information is involved, but it may also apply to your firm’s intellectual property depending on how you approach Data Classification (see Lyman Terni’s series on “Security through Data Classification”).
- Terminating Vendors. This is tricky subject matter, and its difficulty depends on how the relationship was structured upfront. The focus must remain on protecting customer and firm data throughout the termination process. How your firm retrieves its data, how that data is removed from the vendor’s systems, how vendor access is revoked, and how you document this process should all be considered in your initial or prospective due diligence phase. This process can be a lot tougher if you are dealing with legacy third party vendors for whom appropriate SLA terms do not exist. If this is the case, consider remedying the issue promptly as part of your Vendor Management Program.
Managing Client Due Diligence Requests
Investment advisers and broker-dealers are wrestling with satisfying extensive due diligence requests from potential clients, especially institutional investors. The best way to satisfy such demands is through the utilization of an existing standard or Framework such as the NIST Cybersecurity Framework, ISO 27001, COBIT5, and more. This is where the NIST CSF is becoming an essential tool for demonstrating attention to the subject of cybersecurity. More and more, we see institutions accepting NIST CSF as validation of a comprehensive approach to cybersecurity.
The NIST CSF, itself, mentions vendors in two capacities:
- The role of third party stakeholders and their understanding of cybersecurity responsibilities;
- The responsibilities of vendors with respect to coordination and restoration activities in the Recover Function.
One of the real benefits of devoting time and effort to a Vendor Management Program is that you will have a more effective understanding of exactly what potential clients and investors need from your firm for IT Security Validation. A strong Vendor Management Program is a marker of a mature IT program, which will protect your firm’s assets and, ultimately, be a distinguishing factor and selling point for your services.
Contact us for further information on Vendor Management and/or managing client requests for due diligence.
For Further Reading:
Artemis White Paper on Sweep Summary Results
Law Firms: The Current State of Affairs
Cybersecurity Sweep Exam Summary
Division of Investment Management’s Cybersecurity Guidance