2020-03-09

A German flag is seen on a laptop screen in front of a computer screen on which cyber code is displayed.



The U.S. Securities and Exchange Commission has highlighted three management practices to enhance vendor safety, as part of a recent report identifying industry practices and approaches to managing and combating cybersecurity risk.





The use of outside vendors for critical functions related to operating an investment advisory business continues to grow in popularity, as it offers the promise of allowing advisers more time to focus on client relationships. But with it come increased compliance obligations and cybersecurity risk.







The practices the SEC has taken note of are: advisers creating vendor management programs, taking steps to understand all facets of the vendor relationship, and implementing vendor monitoring and testing programs.







A vendor due diligence program must treat its vendors as an extension of the firm. Therefore, an outside vendor that maintains some of the firm's most sensitive information should face the same scrutiny that would be placed on the firm itself. For example, many advisers contract with outside vendors to store electronic data and files, and if those databases are hacked, it can hurt the firm and its clients.





A risk of this nature requires a firm to be aware of how the vendor protects its data and to be confident that the data-protection policies are always followed. In a 2015 risk alert (go-ri.tr.com/ryzGxB), the SEC found that some of the largest data breaches in preceding years may have resulted from the hacking of third-party vendor platforms.







Most recently, the 2020 SEC exam priorities letter continued to prioritize information security (go-ri.tr.com/blLnRx). Specific to advisers, the SEC will focus its examinations on assessing advisers' protection of clients' personal financial information.



SEC focus areas will include governance and risk management, access controls, data loss prevention, vendor management, training, and incident response and resiliency. In the area of third-party and vendor risk management, the SEC will focus on the oversight practices related to service providers and network solutions, including those leveraging cloud-based storage.







The SEC's advice on vendor management is part of a larger report by its Office of Compliance Inspections and Examinations on cybersecurity, issued January 27 (go-ri.tr.com/jEewjR). It said its recent inspections have found firms have taken steps to establish policies for the management of vendors.







Typical practices and controls include those related to conducting and determining the appropriate level of due diligence and the ongoing monitoring and oversight of the vendor and contract. A risk-based approach to a vendor's cybersecurity risk is vital.







A risk assessment of a vendor relationship can be accomplished by looking at a list of potential impacts and rating each as low, medium or high. A firm may evaluate the financial, reputational or operational impact of a vendor failing, or the sensitivity of the information involved, to determine the level of risk. The SEC found firms are requiring that vendors meet security requirements and that appropriate safeguards are implemented.











Reuters, New York