Vetting Your Vendors: A Guide to Performing Due Diligence

Commonwealth Staff

07.03.19 in Cybersecurity & Enterprise Risk

Estimated Reading Time: 5 Minutes (896 words)


In a world that seems to grow more prone to data breaches and identity theft by the day, what can you do to protect not only your own information, but that of your clients as well? Your clients entrust you with a lot of sensitive data, so it’s important that the vendors you work with have safeguards in place to keep this data secure. In fact, the law requires due diligence of business owners who have access to, maintain, or store consumers’ sensitive information.

With the array of technology products and services available, you may find properly vetting your vendors to be a challenge. Here, I’ll walk you through the parameters you can use to assess the security standards of potential vendors and identify any loopholes or red flags—including how to evaluate whether they are adequately prepared to defend against threats to sensitive information and unauthorized access that could result in harm to your clients.

Information Security Program

Any vendor with the potential to access or store advisor or client data must have an information security program in place. This program should outline technical, physical, and administrative safeguards specifically designed for protecting sensitive information. These safeguards may include:

  • Strong password requirements

  • Account lockouts

  • Idle browser session timeouts
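
The three safeguards above, as an added illustration in Go that is not part of the original article or of any Commonwealth or vendor system: a password policy check, a lockout counter that suspends an account after repeated failures, and an idle timeout applied to each session. The thresholds (12 characters, 5 attempts, a 15-minute lockout, a 10-minute idle timeout), the type and function names and the sample credential are all assumptions chosen for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
	"unicode"
)

// Policy thresholds: assumed values for this example, not figures from the article.
const (
	MinPasswordLen  = 12
	MaxFailedLogins = 5
	LockoutDuration = 15 * time.Minute
	IdleTimeout     = 10 * time.Minute
)

var (
	ErrWeakPassword = errors.New("password does not meet policy")
	ErrLockedOut    = errors.New("account temporarily locked")
	ErrBadPassword  = errors.New("invalid credentials")
	ErrSessionIdle  = errors.New("session expired after inactivity")
)

// CheckPasswordPolicy enforces a minimum length plus at least three of the
// four character classes (upper, lower, digit, symbol).
func CheckPasswordPolicy(pw string) error {
	if len(pw) < MinPasswordLen {
		return ErrWeakPassword
	}
	var upper, lower, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	classes := 0
	for _, present := range []bool{upper, lower, digit, symbol} {
		if present {
			classes++
		}
	}
	if classes < 3 {
		return ErrWeakPassword
	}
	return nil
}

// Account keeps the failed-attempt counter and the lockout deadline. The
// secret is compared directly only to keep the example short; a production
// system stores a salted hash (bcrypt, scrypt or Argon2), never the password.
type Account struct {
	secret      []byte
	failed      int
	lockedUntil time.Time
}

func NewAccount(secret string) *Account {
	return &Account{secret: []byte(secret)}
}

// Session records the last activity time so idle sessions can be expired.
type Session struct {
	lastActivity time.Time
}

// Login applies the lockout rule: after MaxFailedLogins consecutive failures
// the account refuses every attempt, correct password included, until
// LockoutDuration has elapsed. The clock is injected so the logic is testable.
func (a *Account) Login(pw string, now time.Time) (*Session, error) {
	if now.Before(a.lockedUntil) {
		return nil, ErrLockedOut
	}
	if subtle.ConstantTimeCompare([]byte(pw), a.secret) != 1 {
		a.failed++
		if a.failed >= MaxFailedLogins {
			a.lockedUntil = now.Add(LockoutDuration)
			a.failed = 0
		}
		return nil, ErrBadPassword
	}
	a.failed = 0
	return &Session{lastActivity: now}, nil
}

// Touch is called on every request: it rejects a session that has been idle
// longer than IdleTimeout and otherwise refreshes the activity timestamp.
func (s *Session) Touch(now time.Time) error {
	if now.Sub(s.lastActivity) > IdleTimeout {
		return ErrSessionIdle
	}
	s.lastActivity = now
	return nil
}

func main() {
	acct := NewAccount("Correct-Horse-42") // constructed sample credential
	t0 := time.Now()
	for i := 0; i < MaxFailedLogins; i++ {
		_, err := acct.Login("guess", t0)
		fmt.Println("attempt", i+1, "->", err)
	}
	_, err := acct.Login("Correct-Horse-42", t0.Add(time.Minute))
	fmt.Println("correct password during lockout ->", err)
}
```

The lockout deliberately rejects the correct password while the lock is active, which is what stops an online guessing attempt from succeeding on the sixth try; when reviewing a vendor's program, ask for the equivalent thresholds and confirm the idle timeout is enforced server-side rather than only in the browser.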

Data Security Policies

When it comes to a vendor’s data security policies, here’s the bottom line: sensitive information should be encrypted, and you should hold the encryption key. That way, if a privacy breach does occur on the vendor side, your data will be meaningless to anyone who gains unauthorized access.

Also, role-based access is a necessity. That is, only authorized vendor employees should have access to sensitive information, and authorization should be based on a business need.
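
To make the two rules concrete, here is an added Go example (not code from the article or from any vendor) in which the firm generates and holds an AES-256-GCM key, encrypts each record before it is handed to the vendor, and gates decryption behind a role-based permission table. The role names, operation names, record identifier and sample record contents are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role names and operations are assumed for this example.
type Role string

const (
	RoleVendorSupport Role = "vendor-support"
	RoleFirmAdmin     Role = "firm-admin"
)

// permissions is the role-based access matrix: each role lists only the
// operations its business function needs.
var permissions = map[Role]map[string]bool{
	RoleVendorSupport: {"read-metadata": true},
	RoleFirmAdmin:     {"read-metadata": true, "decrypt-record": true},
}

var ErrDenied = errors.New("operation not permitted for role")

// Authorize answers the access question before any data is touched.
func Authorize(r Role, op string) error {
	if permissions[r][op] {
		return nil
	}
	return ErrDenied
}

// StoredRecord is everything the vendor receives: a nonce and ciphertext.
// The key never leaves the firm, so this blob is meaningless on its own.
type StoredRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a 256-bit AES key. In practice it would live in a KMS or
// HSM under the firm's control, never on the vendor's systems.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-256-GCM before it is sent to the vendor.
// The record ID is bound in as associated data, so a ciphertext cannot be
// silently swapped between records.
func Seal(key, plaintext []byte, recordID string) (StoredRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return StoredRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record retrieved from the vendor; any tampering with the
// ciphertext, nonce or record ID makes it fail.
func Open(key []byte, rec StoredRecord, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; not real client data.
	rec, _ := Seal(key, []byte("Client 42: account 000-000000"), "client-42")
	fmt.Printf("vendor stores %d bytes of ciphertext\n", len(rec.Ciphertext))
	if err := Authorize(RoleVendorSupport, "decrypt-record"); err != nil {
		fmt.Println("vendor support:", err)
	}
	pt, _ := Open(key, rec, "client-42")
	fmt.Println("firm admin recovers:", string(pt))
}
```

The point of the split is that a breach on the vendor side exposes only `StoredRecord` values, and a vendor employee with the support role never reaches a decrypt operation; both properties are things to ask a vendor to demonstrate, not just assert.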

Systems Security

Any vendor you partner with should use software that is set up to receive the most current security updates on a regular basis—so your sensitive data won’t be left vulnerable. Vulnerability assessments should be performed on a continual basis, and a change management procedure should be in place, as software changes could open security holes in the vendor’s system. Finally, antivirus programs are a requirement, and they should offer real-time scanning protection on all computer systems.

Industry Standards for Network Security

By law, industry-standard firewalls are required. These firewalls should be deployed and kept current, and access to them should be allowed only over Transport Layer Security (TLS). TLS ensures that records and files containing sensitive information are encrypted in transit, including when transmitted wirelessly (also a requirement by law). Intrusion detection and intrusion prevention systems are typically included in firewall hardware or software.

Privacy and Confidentiality Controls

You want any third-party vendor to take the responsibility of securing your sensitive information as seriously as you do. Accredited audits, including SSAE 16 or SOC 1 and 2, are one way to test and validate your vendor’s controls and safeguards against known industry standards. Of course, successful completion of these audits doesn’t guarantee security. But it does help establish that your vendor has effective controls in place.

Physical Security

When evaluating a vendor’s physical security, take note of its location(s) and number of data centers. In the event of natural or environmental outages or disaster, storing data in multiple data centers provides better protection. It also helps improve the availability of your data and the ability to recover from data loss. You might also ask for copies of the vendor’s physical security policy and verify that it covers building security, shredding and disposal procedures, and backup/redundancy.

Adopting an Information Security Mind-Set

Vendor due diligence and oversight have risen to the top of FINRA’s and the SEC’s examination priorities list, and examiners are looking for evidence of a due diligence process from financial institutions, large and small. No matter what state your branch or clients are in, you must ensure that you are abiding by the federal information security laws, which require financial institutions to safeguard the security and confidentiality of customer information and protect that information against any threats or risks.

As you work to ensure that your firm has the proper safeguards in place, as well as to vet existing and potential vendors, here are some questions to guide your thinking:

  • Are you taking every reasonable precaution with your clients’ data? Are these controls documented? Periodically reviewing the protections you have in place today—and proactively making any needed changes or upgrades—can help ensure that the information you store is secure into the future.

  • Do you have more than one vendor providing a similar service? How many of your vendors have access to sensitive data? Assessing your current suite of vendors is an easy way to detect potential redundancies and minimize unnecessary access to your clients’ data.

  • Have there been any red flags you should address? If so, don’t leave anything to chance. Investigate warning signs promptly to ensure that your vendors continue to meet your security standards.

  • If one of your vendors experiences a data breach, how do you plan to shut off the data flow and communicate the issue to your clients? Identifying and planning for potential threats ensures that you are prepared for any scenario.

Ultimately, it is your decision whether to entrust this information to a third party. Remember that you are your own most trusted ally for controlling the flow of data to your vendors. By following the due diligence process for vetting your vendors, you will have the information you need to make an educated decision and guarantee compliance with applicable laws and regulations.

This material is for educational purposes only and is not intended to provide specific advice.
