We’ve all seen the headlines surrounding data breaches and identity theft. If you’re a financial advisor, these stories are a reminder that you must take steps to protect not only your own information, but also that of your clients. One way to do just that? Reduce the risk when working with third-party vendors.
As you think about how to assess the security safeguards of third-party vendors, keep in mind that regulatory requirements and contractual obligations must be considered. After all, the law requires business owners (i.e., you) who have access to, maintain, or store consumers’ sensitive information to exercise due diligence.
Data Security and Privacy
When working with third-party vendors, knowledge isn’t just power—it’s also protection. One of the most important actions you can take to reduce exposure to third-party risk is to be diligent in your review of potential service providers, with a strong focus on data security and privacy.
When researching a provider’s data protection capabilities, review summary documents related to independent cybersecurity audits, data center locations, and results of a vendor’s own third-party reviews. The goal of this review is to confirm that:
The provider encrypts client data at rest and in transit
Unique login IDs with separate access controls, as needed, are provided to everyone in your office
The provider adheres to applicable state and federal privacy laws
Vetting Questions You Should Be Asking
To ensure that you’re covering all the bases of risk reduction, you may want to ask the following questions when vetting existing and potential vendors:
Do your service providers take reasonable precautions with your clients’ data, and are these controls documented? Periodically reviewing controls helps ensure that the information you share is secure.
Do you have more than one vendor providing a similar service? Assessing your suite of providers is an easy way to detect potential redundancies and minimize unnecessary access to your clients’ data.
Are there red flags? Investigating warning signs promptly ensures that your providers are meeting your security standards.
If a provider experienced a data breach, how would you shut off the data flow and communicate the issue to clients? Planning for potential threats ensures that you are prepared for any scenario.
Once a vendor checks all the boxes in terms of data security and privacy, has answered the vetting questions to your satisfaction, and has met all of your firm-specific compliance requirements, you may feel ready to sign on the dotted line. Please hold! Contract review is the most overlooked third-party management function—and it’s completely in your control. The power to dictate and shape the obligations to which you are legally binding yourself and your clients is one of your greatest assets in mitigating third-party risk.
Nondisclosure agreements. You might start by executing nondisclosure agreements before negotiating service agreements. That way, you’ll protect your sensitive and proprietary client and business information throughout the onboarding process.
Provider liability. Next, be sure to narrow any broadly scoped indemnification clauses to prevent service providers from passing all of their risk on to you. Along with this, expand a provider’s limitation of liability (i.e., damages cap) to an acceptable percentage of the total value of the contract across the life of the agreement and for a period beyond termination. Also, confirm that the provider has proof of sufficient, up-to-date insurance coverage (e.g., commercial liability, cyber liability, fidelity bond, and errors and omissions).
Recovery time objectives (RTOs). Last, but certainly not least, apply clear RTOs to ensure that the provider is aware of and contractually obligated to provide services within an agreed-upon time frame. The RTO should clearly define what constitutes acceptable service levels. The provider’s disaster recovery plans should ensure that you receive your services at the level and time frame to which you have agreed, regardless of circumstance.
Contract Termination Provisions
Negotiating detailed termination provisions is just as important as negotiating provisions that will protect you and your clients through the life of the agreement. Termination provisions can help you navigate a smooth transition to another provider should your current provider not live up to its service level obligations or, worse, potentially damage your business by initiating a serious risk event. Be sure to add these provisions to your contract termination checklist:
The amount of time required to provide notice of termination ahead of the contract end date should be as short as possible. (Note that most agreements require clients to pay all invoices provided to them before notice of termination is given.)
There should be clear language regarding immediate termination rights in the event of wrongdoing by the provider.
No termination fee should be assessed if the reason for termination is a provider’s negligence.
Prompt destruction or return of all data the provider accesses or stores as part of the service should be required. (A requirement of written confirmation from the provider, once complete, should be codified.)
You Are the Best Defense
Ultimately, it’s your decision whether to entrust sensitive information to a third party. Remember, you are your most-trusted ally for controlling the flow of data to your providers. By following the due diligence process for vetting your vendors and the contract parameters for protecting your business, you will have the information needed to make educated decisions and reduce the risk when working with third-party vendors.
This material is for educational purposes only and is not intended to provide specific advice.