SEC and FINRA CCOs: How to conduct vendor cybersecurity due-diligence reviews.

SEC and FINRA CCOs: How to conduct vendor cybersecurity due-diligence reviews.

It is a chore. I get it. But, as CCO, you are required to be performing cybersecurity due diligence audits on all third-party vendors that "touch" your client's personally identifiable information (PII).

Here is a quick guide to help you streamline this process.

Understand what data you will be providing to the vendor.
Not all vendors have the same access. Determine the sensitive nature of the data, the source of the data, and which internal systems the vendor will have access to.

Understand which products and services you are interested in (or using)
A vendor may offer both hosted services and on-premise software. Each service provider and service offering will have a different set of questions that need to be asked. If you let the vendor know which services you are using or interested in the vendors can provide the most relevant information. If you ask for an assessment applicable to all their products and services you’re much less likely to get a usable response.

Craft the questions to the specific risks associated with that particular vendor:
The vendor may already have documentation readily available that covers your concerns (and many more) so be sure to ask for that. If they have a been through a third party cybersecurity audit, you can ask for those results (Heads Up : The vendor will usually require an NDA before providing you with the reports.)

If adequate documentation is not available, here are some customizable vendor security questionnaires you can start with to craft your own:

• Consensus Assessments Initiative Questionnaire (CAIQ) offered by the Cloud Security Alliance
• Standardized Information Gathering (SIG) questionnaire sold by Shared Assessments
• Vendor Security Alliance questionnaire

When choosing which questions to include in your outreach, consider the following:

• Where will the vendor store your data?
• How will the vendor encrypt your data? (In transit, in use, and at rest?)
• How robust is the vendor’s ability to identify, respond to and notify you of a security incident affecting your data/systems? What protocols and systems are in place?
• How long will the vendor retain the data? Do they meet SEC and FINRA compliance requirements?

If this vendor is a critical part of your business operations (trading platform, custodian, etc), you will also want to understand:

• What steps does the vendor take to ensure resilience and business continuity in the event of external and internal disruptive events?

Ongoing Maintenance
I suggest that you reassess your due diligence assessment annually as part of your annual compliance review.
And, of course, if you don't document this process, it didn't happen.

Document everything.



​