May 18, 2020
The SEC and Vendor Risk Management
Vendor risk management is critically important for a number of reasons, and because of this, regulators in various industries have sought to ensure that companies have proper controls in place. In no industry has this been more true than in financial securities.
On Jan 27, 2020, the SEC released a document entitled “Cybersecurity and Resiliency Observations” that shared “examination observations related to cybersecurity and operational resiliency practices taken by market participants.” The point of the document is to share what regulators are seeing in the field and to benchmark for financial firms the cybersecurity topics they should be focused on. The document plainly says:
In sharing these staff observations, we encourage market participants to review their practices, policies and procedures with respect to cybersecurity and operational resiliency. We believe that assessing your level of preparedness and implementing some or all of the above measures will make your organization more secure.
The Observations Document that was released actually lists out Vendor Management as one of its key areas for firms to pay attention to. In the document, they list out three areas under Vendor Management.
1. Vendor Management Program. Establishing a vendor management program to ensure vendors meet security requirements and that appropriate safeguards are implemented. Leveraging questionnaires based on reviews of industry standards (e.g., SOC 2, SSAE 18) as well as independent audits. Establishing procedures for terminating or replacing vendors, including cloud-based service providers.
This one is straightforward. Firms need to establish a program and conduct due diligence on vendors prior to selection. The report specifically calls out the use of a questionnaire. Many people have looked down upon security questionnaires in the past 2-3 years, but the truth is that they are your best source for finding out information about the vendor you would like to procure.
2. Understanding Vendor Relationships. Understanding all contract terms including rights, responsibilities, expectations, and other specific terms to ensure that all parties have the same understanding of how risk and security is addressed. Understanding and managing the risks related to vendor outsourcing, including vendor use of cloud-based services.
This is very similar to the first point, but my take is that you have a contracting process in place that takes into account the cybersecurity practices of your vendor. So while the first section advises you to conduct due diligence, this section refers to codifying the cybersecurity expectations of your vendor. In many ways, I think this could have been numbered before the previous section.
3. Vendor Monitoring and Testing. Monitoring the vendor relationship to ensure that the vendor continues to meet security requirements and to be aware of changes to the vendor’s services or personnel.
Lastly, it is important to note that not only should you conduct initial due diligence, but conducting due diligence on your vendors on a regular basis is also necessary. There are no definite guidelines as to how often you need to conduct due diligence. Most of the official statements on this issue are rather ambiguous and ask that you base it on the risk that an individual vendor poses to your business. This is generally based on how sensitive the data that vendor has access to is, and how much of it there is.