How to Review Third Parties to Assure They Don’t Create Vulnerabilities for Your Regulated Firm
When the SEC's Office of Compliance Inspections and Examinations (OCIE) comes knocking to learn whether your regulated firm has robust cyber security policies and plans in place, one critical area of inquiry will be third-party cyber security risk management. Examiners want to know whether you are performing a cyber security risk assessment of the vendors who have access to your data or network – and taking action based on the results.
This aspect of security compliance is not on enough companies' radar screens, so if you're reading this, you'll be ahead of the game.
It can seem daunting to take responsibility for how your vendors stack up in the increasingly hair-raising world of cyber security. This post provides a roadmap that will not only improve your firm's security, but also lead the way to better overall vendor relationships.
First Step: Ask Accounts Payable
It is surprising how many vendors you interact with over time to execute day-to-day business for yourselves and your clients. There's your:
- Phone service
- Email provider
- Banking and funding providers that have access to your own and client assets
- Internet and productivity software/application providers (like Microsoft Office 365)
- Cloud services like DropBox and others that handle your data
- Managed service providers like us here at Soundshore Technology Group
- Any other third party whose access could compromise your information
The best way to start is to ask your accounts payable department to compile a comprehensive list or spreadsheet of vendors that fall into any of the categories above. For each vendor the list should include, at a minimum:
- Contract renewal date
- Automatic renewal or not
- Cancellation notice and related terms
- Length of contract
- Pricing and other contract terms (services provided, changes to scope of services during contract, etc.)
- Whether they’ve completed a cyber security risk assessment in the past
Having this information right at hand helps keep you from missing, for example, an automatic renewal with a vendor you would just as soon replace, or being inadvertently renewed for an onerous period at non-competitive pricing.
Send a Vendor Due Diligence Questionnaire
We recommend starting the vendor cyber security risk assessment process 60 to 90 days before the contract renewal date, and repeating the assessment annually.
Each year we create a comprehensive vendor due diligence questionnaire (DDQ) that meets current best practices and addresses new threats. We complete the questionnaire ourselves and provide it to each of the firms for whom we are vendors.
We also make the questionnaire available to them to send to their vendors. Some clients send out and evaluate the DDQ themselves. Some send it and leave it to us to evaluate the results. For others, we handle the full process.
Once DDQs have been completed and reviewed, we make recommendations for how vendors can become more compliant – or whether you should consider replacing one or more of them with more security-savvy competitors. One thing we ask is how they manage their own vendors: do they go through a process similar to the one we're asking of them? Security is a chain, after all.
We use a Green Flag, Yellow Flag, Red Flag system to communicate the level of cyber security a vendor exhibits.
Green-flag vendors will have, as a baseline: data encrypted both at rest on disk and in transit, robust password policies, multi-factor authentication for all sign-ins, modern anti-virus and anti-malware installed, and current security patches applied to all software and applications.
Red-flag vendors will have little to none of the above, or no cyber security plan in place at all. Yellow falls somewhere in between.
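As an added illustration (not Soundshore's own tooling), the script below ties the accounts-payable inventory to the flag rubric: it finds vendors whose renewal falls inside the 60-to-90-day assessment window, warns about automatic renewals, and assigns a Green/Yellow/Red flag from DDQ answers. The DDQ question keys, the "little to none" threshold of at most one control, and the sample vendors are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The baseline controls the post lists for a green flag (question keys are assumed).
BASELINE_CONTROLS = ("encryption_at_rest", "encryption_in_transit", "password_policy",
                     "mfa_all_signins", "modern_av_antimalware", "patches_current")

@dataclass
class Vendor:
    name: str
    renewal_date: date
    auto_renews: bool
    has_security_plan: bool = True
    ddq: dict = field(default_factory=dict)  # control key -> True/False; empty if no DDQ returned

def flag(vendor):
    """Green: every baseline control; Red: no plan, no DDQ, or at most one control; else Yellow."""
    if not vendor.has_security_plan or not vendor.ddq:
        return "red"
    met = sum(1 for control in BASELINE_CONTROLS if vendor.ddq.get(control))
    if met == len(BASELINE_CONTROLS):
        return "green"
    return "red" if met <= 1 else "yellow"  # threshold for "little to none" is assumed

def assessment_window(renewal_date, earliest_days=90, latest_days=60):
    """Earliest and latest dates to start the DDQ: 90 and 60 days before renewal."""
    return (renewal_date - timedelta(days=earliest_days),
            renewal_date - timedelta(days=latest_days))

def review_queue(vendors, today):
    """Vendors whose assessment should be underway, with their flag and a next-action note."""
    actions = []
    for vendor in vendors:
        earliest, latest = assessment_window(vendor.renewal_date)
        if not earliest <= today <= vendor.renewal_date:
            continue  # outside the window: nothing to do yet
        note = "send DDQ now" if today <= latest else "send DDQ: past latest start date"
        if vendor.auto_renews:
            note += "; auto-renews, check cancellation notice terms"
        actions.append((vendor.name, flag(vendor), note))
    return actions

# Constructed sample inventory, as accounts payable might supply it.
SAMPLE_VENDORS = [
    Vendor("Cloud Storage Co", date(2024, 5, 15), True, ddq={c: True for c in BASELINE_CONTROLS}),
    Vendor("Phone Service", date(2024, 9, 1), False, ddq={"password_policy": True}),
    Vendor("Email Provider", date(2024, 3, 20), True,
           ddq={"encryption_in_transit": True, "mfa_all_signins": True}),
    Vendor("Funding Portal", date(2024, 4, 1), False, has_security_plan=False),
]

def run_sample(today=date(2024, 3, 1)):
    return review_queue(SAMPLE_VENDORS, today)
```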
Clients often ask us to become involved in contract negotiations with their technology vendors and others whose services may have a cyber security impact. In addition to ensuring they get the right level of service for their needs at fair terms, we can, if needed, guide vendors toward security compliance and evaluate their fixes for the risks identified in the DDQ.
By assessing vendor cyber security risk you’ll be in the vanguard of companies in this increasingly important area of regulatory compliance.
If you’d like more information about third-party cyber security risk management, please contact Soundshore Technology Group’s cyber security experts by email to firstname.lastname@example.org. We’ll be happy to help you get started. While you’re here, please take a look at our full array of cyber security services.