Expert Strategies for Managing Vendor Risk and Data Protection
By Dan Garrett, Jeff Wilk and Tim Buckler
Our latest episode of Oyster Stew features industry veterans Dan Garrett, Jeff Wilk and Tim Buckler, who share their insights into the complexities of vendor risk and data protection. Discover how to protect client data amid the vulnerabilities brought by new vendors and how to implement a robust strategy to ensure operational continuity and resilience.
Our team’s insights into operational continuity, vendor bandwidth, vendor selection and data sharing protocols will help you make informed decisions to protect client data and maintain trust.
In this informative podcast, you’ll learn:
- the importance of using structured processes like detailed scorecards and questionnaires to align with security, compliance, and operational standards like GDPR and CCPA
- the critical role of data access controls, encryption standards and maintaining ownership of your data
- the importance of securing sensitive data, even when outsourcing your operations
- how to evaluate vendor capacity using a “trust, but verify” approach
- the necessity of negotiating strong Service Level Agreements (SLAs) to ensure vendor accountability, especially concerning Personally Identifiable Information (PII)
- incorporating recognized cybersecurity frameworks such as NIST and ISO into vendor contracts
Managing vendor risk and protecting sensitive data is more critical than ever in today’s rapidly evolving digital landscape. By understanding the intricacies of vendor relationships and implementing robust protocols, your firm can safeguard client information, maintain trust, and ensure operational continuity.
Successful Vendor Risk Management
Equip your organization with the tools needed for success in vendor risk management. At Oyster Consulting, we understand the transformative power of technology and the balancing act of moving forward while managing risk. Our teams of regulatory compliance consultants and technology strategists work closely with wealth management firms to ensure that vendor contracts and relationships comply with industry standards. By partnering with us for compliance consulting and operations strategy, your firm can embrace the digital age while protecting your firm and your clients. Leverage our expertise in wealth management operations to optimize your vendor relationships, getting the value and innovation your firm deserves.
Transcript
Transcript provided by TEMI
Bob Mooney: Welcome to the Oyster Stew Podcast. I’m Bob Mooney, General Counsel for Oyster Consulting. In today’s podcast, Oyster Consulting’s technology experts Dan Garrett, Tim Buckler and Jeff Wilk explore the complexities of vendor risk management and data protection. In this episode you’ll learn:
- Strategies for securing sensitive data when outsourcing
- How to evaluate vendor capacity and SLAs
- Why data ownership, accessibility and post-contract destruction protocols are so important
- Best practices for leveraging cybersecurity frameworks for vendor contracts
Let’s get started – Dan?
Dan Garrett: All right, thank you, Bob. I appreciate the opportunity to join today’s podcast. I’m joined here by Tim Buckler and Jeffrey Wilk. We’re going to be speaking about third party vendors and the risk involved with them and how to mitigate some of those risks, and just some things to think about when you’re making vendor changes. Let’s start off with just kind of a round of introductions. Jeff, if you want to go first.
Jeff Wilk: Sure, Dan, and thanks everybody for tuning in today. We’ve got some great, great topics to cover. I’m Jeff Wilk. I’ve got about, let’s just call it 35 years in the business, ranging a full sweep from the product side, marketing side, IT platforms, and the like, basically running large wealth management platforms. So, I’m happy to be here today to talk a little bit about vendor management and risk. Tim?
Tim Buckler: Yeah, thanks, Jeff. I’m Tim Buckler. I’ve been with Oyster for 13 years. I help with risk assessments, cybersecurity reviews, and other types of vendor selection.
Dan Garrett: Great. And I’m Dan Garrett. I’ve got about the same number of years as Jeff, about 30 in the industry working at broker-dealers, RIAs, clearing firms, running operations and technology groups. So, this is a topic near and dear to our heart. And it’s something that we continue to work with our clients here at Oyster on when we’re dealing with either helping them identify good vendors to work with or reviewing the risk and opportunity of bringing those new vendors in.
We’re going to start off talking about data breaches and the risks there. When you have new vendors, client data, especially in financial services, is our most valuable asset, and really the most vulnerable. When you put vendors into the mix, we’re adding new pathways and opportunities for data breaches. A lot of this is a terrible thing because it compromises your client’s trust, not to mention regulatory compliance and ultimately, your reputation as a firm.
The last thing you want is your name to be in the headlines over a data breach this year. We’ve seen a few coming up every year. We hear about more and more firms that are in the headlines and, unfortunately, we’ve had a few in the financial services area. A large financial services investment company had a breach of about 77,000 accounts. We also had a tech vendor, a cloud provider solution, very well known, that had a data breach as well that affected several of their clients who were a financial services company. And really, that particular breach was over the fact that they just didn’t have really good multifactor authentication. We’ll get to that topic a little bit later. But here at Oyster, we really advocate for strict data access controls and encryption standards. Those are very important things that you want to look at when you’re talking to your vendors, making sure that you understand how your data is being stored on their servers, who has access to that data and what did they do and how do they react to data breaches. And we’ll talk about that a little bit later as well. So, Jeff, or Tim, is there anything that you guys want to add?
Jeff Wilk: In this day and age, everything is about data, right? So, I think it’s really very appropriate to start out talking about the risks and the safeguards that firms need to put in place to control that and manage it, to the best they can. And to have all the, I call it, “bubble wrap” put around the whole process just to make sure in case anything gets bumped, breakage is minimal, if at all.
One of the things that it really brings to mind too, is, and you can go back and look at the FINRA website and things, you’ll find many, and I could think of three or four off the top of my head, significant rules or notices to members that the regulators have put out over the years. This is nothing new, but that talks to the fact that while you can outsource functionality, you can’t outsource your responsibilities. I think that’s something that’s got to remain first and foremost in folks’ minds too, is, you really have to take it seriously – even if you hand it off to somebody else. But at the end of the day, clients will look to you. They’re not going to look to your third-party provider. It’s really critical to have a strong vendor management approach in place to keep the safeguards there and do what you have to do as a broker dealer or, frankly, as an RIA as well.
Dan Garrett: Let’s talk about vendors’ bandwidth, operational capacity and how that’s important to risk. I know we’ve got some new legislation that’s coming out about resiliency and that we could probably do a whole podcast on that a little bit later, but could you kick that off just with what we’re seeing today?
Jeff Wilk: This touches on the last point as well in terms of getting to know who your providers are, who your platforms are, that you are leveraging for your own internal operational procedure processes and procedures. It really comes down to not just looking at some of the standard items, but also looking at the bandwidth of a third-party vendor who you are contracting with for a service or for technology. I kind of like to use the term “trust but verify,” and get to talk to other clients of those firms and those platforms, see what their day-to-day activities have looked like. What has the relationship been like? And get a gauge from them perhaps about what the capacity is of these platforms or these vendors in terms of delivering on what you have contracted for.
I think it also touches then on the continuity, the operational continuity piece of it, which comes down to that role that you still have as being responsible for the relationship. You can’t assume that just because they’re a big name they’ve got a large client base. They’re servicing hundreds and hundreds of thousands of accounts. You can’t assume that they’ve got a continuity plan in place that is sufficient for the way you do business today. So, I think part of that process of vendor risk assessment is taking a look at what do they do, see if they’ll share what their continuity plan actually is, and then make sure it dovetails neatly with what your plans are in your own firm from an operational standpoint, a capacity standpoint. I think that’s a really critical area.
Tim Buckler: I think part of that too, Jeff, is around the Service Level Agreements that you may negotiate with these, making sure that they have teeth in those too. If they miss their Service Level Agreement, you should be able to be compensated and you should have some sort of outlet there. They should have some sort of internal reporting that shows how reliably they hit their SLAs to make sure that you feel comfortable with the level of sophistication they have in their own documentation and set up.
Dan Garrett: Tim, I touched on it a little bit in the data breaches, but let’s talk about data sharing with approved vendors and what that looks like, because that is really one of the biggest risks when your data is in motion, particularly your PII information. Let’s talk about that a little bit.
Tim Buckler: Thanks, Dan. I think one of the first things you have to realize is that your vendor standards for technology are your standards. You should make sure that their documentation evidences that they have protections at least as high as yours, having their data encrypted at rest and in transmission, and the physical security of their data centers. But you should never share data with a company that doesn’t meet your standards. There are a few items beyond the basics that you should look for.
- You should be considered the owner of the data that you share with them.
- You should have the ability to access and download that data or delete it.
- You should have contractual obligations for them to delete any data that’s left on the platform after your contract is terminated. They don’t get to own that data and keep it and sell it, and they should not be able to share your data with affiliates or sell to third parties without your permission.
The old adage, you know, if you aren’t paying for the product, you are the product. However, there are some vendors who sell their services at a discounted rate because they know they can turn around and sell your data to third party brokers. So just make sure that you understand what they’re doing with your data once it’s on their platform.
Dan Garrett: That’s a great point, Tim. GDPR and CCPA and some of those regulations that really opened up eyes when you had to go a layer deeper, which was not just the vendor that you’re using, but then what vendors are they using. Do they have agreements and relationships with other technology firms that are helping them process information? Is that information being shared out? Can you talk a little bit about that and the responsibilities of the sub-processor?
Tim Buckler: Yeah, Dan. So GDPR was the first of the four around disclosures of sub-processors by your vendors. CCPA and some other state level legislation has touched on that as well, but I think GDPR is the strongest towards that front. If you can find a vendor that has worked in the EU, they’ll probably have the strongest transparency around these items. You can ask for documentation about who they use as a sub-processor and where that data is housed. You should be aware if it’s being moved outside the United States, as some countries have different disclosure requirements, and their governments may be able to see the data, which you may not be comfortable with. You should look in the privacy policies and terms of service as well, because some of this may be disclosed publicly without you having to go to them directly. But you should always make sure you get as much information as possible about this.
They should be able to share this information with you quite readily. So, you should know how the vendor reviews and validates their sub-processors. For example, they should have an audit process around the sub-processors, make sure that they’re meeting their cybersecurity standards and make sure that they are not failing in any capacity that you can’t see directly from an overall risk perspective. Since the sub-processor will have more links in the chain to notify about a service change or a breach, it’s more severe and a delayed response for you because they have to notify the vendor, and they have to notify you. You’ll be impacted in a worse way by a sub-processor than if you were breached directly. So, just be aware of how that changes depending on where they are on the chain and how you can respond.
Dan Garrett: Alright, perfect. That’s great. We talked about a lot of vendor risks there. Let’s shift gears and talk about due diligence and how to make sure that we’re protecting ourselves against those things. For financial services firms, due diligence isn’t just about risk mitigation, it’s a regulatory requirement. So, Jeff, you want to kick us off a little bit and talk about risk and severity scoring that we might use in our processes?
Jeff Wilk: Thanks, Dan. I think what I want to start off with is kind of taking a couple of steps back at a high level and referring to what I opened with about the different FINRA notices to members and the different rules that are out there. One comment that is very important, and I know within Oyster we come across this often in working with different clients, is that you need to take a risk-based approach to due diligence. There are different types of vendor platforms or outsource services that a firm can choose to leverage. Some of them are mission critical, others might be far less. Simply said, the more mission critical they are, the more due diligence and the more rigor you need to put into your due diligence because they’re of higher risk.
It sounds simple, but there’s an awful lot of confusion out there about what is required – what do I need to do for this vendor versus that vendor? Particularly amongst the smaller firms that you’re working with or that are operating, the more of a demand it places on a smaller organization. So, risk-based approach is a very, very important place to start. Do that risk assessment for this different platform or the operational process that you’re outsourcing, and then put a due diligence process in place that matches it.
One of the tools that we always recommend, and they can take on various different shapes and sizes, but we always recommend to put some type of scorecard in place when evaluating your vendors, do something with a defined scoring methodology. Something that’s not just a quasi-generic questionnaire that you send out, but something that has true meaning and you can put some weightings to it across your organization, particularly with the different business units that are all going to be touching this application or this process. You put something like that in place that does two things: it helps drive some discipline into the due diligence process and, equally as critical, maybe even more critically important than that, is that it provides you with documentation to show that you did that and that you went through a formalized process in choosing your vendor. Then, oftentimes it’ll also give you, if not the full roadmap, it’ll give you large components of what to work on in terms of your roadmap as you follow up and you continue to work with a firm going forward.
Dan Garrett: Great. Thanks, Jeff. That’s great. We help firms generate or create questionnaires that they can take back to their vendors. I wanted to talk a little bit about that process and what that looks like. I think everybody’s probably pretty aware of the RFP process, where you’re going out and requesting proposals or requesting different information about systems. But, I think having a vendor questionnaire is extremely important, and that it’s put together not just by the business, but by Compliance and your IT folks. Those type of questions that you want to make sure that vendor is adhering to your firm’s security compliance and operational standards, and really start defining well-rounded questions that really get to key areas about data security and privacy, not just regulatory adherence and your incident response protocols.
We really try to vet out vendors and make sure, especially the ones that aren’t specifically in the financial services space, that they’re at least aware of the different rules and regulations that financial services need to adhere to, and that they are aware of those. Vetting out and making sure that the vendor works with other clients that have similar needs, they’re very aware of who FINRA is, who the SEC is, and the rules and regs that are needed for those kind of things. We’d like to think that your vendors have a business continuity plan, they have a disaster recovery plan, they have an incident response plan. Those are important questions to ask of them because you may find out that they don’t, or you may find out that they don’t align with your own plans.
You know, as a SEC firm or a FINRA member, you need to have a business continuity plan. It includes disaster recovery. You also need an incident response plan, and in your incident response plan, you should be listing out your different vendors and who you’re going to call or who’s going to call whom in the event of a data breach or an incident that that needs to be taken care of, clearly lining out those areas of responsibility when something occurs and who’s going to do what when. So having questions around those three things are really critical to just understand what that firm is doing for themselves and how are they going to work with you on your plans, and the things that you need to do in the event of the crisis. You don’t want to have a vendor and not have a plan and then have an event happen and everyone’s scrambling and not sure what to do.
It’s important to test these things as well. So even after you select a vendor, you should go ahead and test those items. Again, you can put these vendors into different categories as being high risk vendors, those are the ones that have sensitive client data or proprietary data that’s extremely sensitive. You may have vendors that are low risk, where maybe they’re just supplying you with information security or something like that, where there’s no proprietary client information that’s flowing. You can definitely change your questionnaires depending on the risk and severity of the vendors that you’re looking at. I think building a targeted kind of risk-based questionnaire will just help your firm ensure that you’re not just checking the boxes and vetting each vendor, but you’re really looking at it from a unique regulatory and security demands standpoint, making sure that you’re adhering to those demands of our industry.
Tim Buckler: Yeah, that’s a great point, Dan. I think one thing to add, too, is to make sure that your vendor questionnaire doesn’t get out of date. With all these recent changes to state laws and the changes in SEC standards, you’ve got to make sure that your questionnaire stays relevant and appropriate. You can easily let it get behind and you miss the important questions that just suddenly popped up last year. So, just part of your annual policy procedure update should include the vendor questionnaire.
Dan Garrett: Thanks. One of the other areas is really your cybersecurity standards. This isn’t just a nice-to-have; it’s essential client information or regulatory compliance that come into play here. There are standards like NIST and ISO standards that are out there to help you provide a structured approach to cybersecurity for financial services firms so that you can benchmark your vendors in terms of the best practices that they have, and make sure that they’re aligned with the industry best practices.
So, coming back to the questionnaire, you do want to ask some questions around cybersecurity maturity. Are they employing multifactor authentication? Do they conduct regular vulnerability assessments? How do they prepare for a potential security incident? These types of questions really allow you to probe how mature they are and what the responses are that they give back to you.
So, there’s a really important area to really focus on. Firms might claim that they’re in compliance, but if they don’t have any certifications, they don’t have any internal audits that they do, they can’t show that they’ve got actual practices, you might want to be a little concerned about that. At Oyster, we really recommend incorporating specific cybersecurity standards directly into vendor contracts. If there isn’t a section in there, you might ask why those things aren’t in there. You really do want to hold your vendors accountable and ensure that they remain aligned with the vigorous standards that are expected within financial services. This area of cyber threats is growing, always. There are a lot of firms that are trying to help in this space. We’re now concerned about the use of AI being used and exploited for cybersecurity.
So, review your vendor cybersecurity practices annually, bi-annually, just to make sure that they’re keeping up with any kind of emerging risk that might be out there. That’s why it’s important to have your IT folks involved in reviewing your vendors and what they’re doing to make sure they’re up to speed with the latest things that are occurring out there. Again, Jeff mentioned earlier, if your vendors have a data breach, yes, it’s their responsibility, yes, it’s their problem; but it’s your client data and it’s your reputation in your firm.
Jeff, do you want to maybe talk a little bit more about internal and third-party audits, and what that looks like to make sure that these vendors are saying what they’re doing?
Jeff Wilk: It’s interesting – I think each of us touched on a couple of topics today that are really relevant and very much related to each other along the lines of something I called “trust but verify” earlier. One tool – I don’t want to call it a trick, because it’s really not – it’s a tool as part of your due diligence that I’ve often found provides a lot of information. Simply ask the firm that you’re considering working with, or one that you are working with, and maybe you haven’t done this in the past, is ask them and hopefully get it in your contract with them upfront, that they need to provide to you a copy of their internal or their own third-party audits. It’s fascinating and oftentimes telling, just on the response that you get when you ask for that. Some firms, not the most common response, will come right out and say, we can’t give you the full report, but we can give you a summary report – and they have no issues with it.
Other firms, sometimes it’s like deer in headlights. They’re like, “What do you mean you want to see my audit report?” And if you get a reaction like that, that’s a good indication of something right up front. So these are internal and third-party audits. They are required to have them to some degree, depending on what type of platform they are, what type of risks they undertake for you. I’ll go so far as to say that you have a right, if not at least a quasi-right, to get the results of those audits. They’re required to do them, and they should be more than open to share with you what the results are and what they are doing to address any areas that may appear to need some firming up, or some shoring up. So, I think that’s a good tool to utilize in the overall due diligence process. Again, risk-based and ask, trust but verify, and ask for their results.
Dan Garrett: Thank you, Jeff. Tim, what do you recommend in terms of review process?
Tim Buckler: So, we went through the whole process of you doing some risk evaluation. You go through the questionnaire, make sure they meet your cybersecurity standards, and you bring them on board. But that doesn’t mean the job is done on a periodic basis.
Your firm should be conducting a whole new due diligence process on these vendors. You should treat them in some capacity as a new vendor. You should be reexamining what types and amount of data that you’re sharing with them. Recalculate those risks and severity scores, and just confirm if you should have the same level of scrutiny in this new audit as you had in the original one. Sometimes you need to bring it up a level because they’re getting more or different types of data than they had originally. After you understand the severity of the new review, you should conduct the review by asking for all that new information all over again.
Even if you have an older copy, you shouldn’t just assume this would be the same information. They should have changed their policy procedures in the years since you’ve had that file. You also want to take into consideration any other experience that you’ve had with that vendor while they’ve been onboarded. Have they had any relevant service or data issues that may have occurred? And how do they respond to anything that happened in the past? Does that inform how you should review their ranking and risk at this point? So every so often you should be re-reviewing the review, but you should also do it again if you’ve had any major changes to your business model, if you add new products or some new business line that impacts how this vendor works. You should be redoing the risk review all over again to make sure that you are still having your appropriate due diligence against that vendor. So just because you brought them on board doesn’t mean the job is done.
Dan Garrett: Alright, thanks Tim. Appreciate it. Jeff, Tim, it’s been fun. Thank you for taking this time to do this podcast with me. And that’s it for today, folks. Thank you.
Bob Mooney: Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our website at oysterllc.com. If you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us. Have a great day.