Learn About Issues Like Evaluating Third Party Vendor Cybersecurity
The Professional Issues Committee is starting a Cybersecurity Working group to help FPA members who need assistance fully grasping cybersecurity compliance regulations. These new regulations can be challenge for many smaller firms that don’t have on staff IT professionals. We will meet once a month to tackle one aspect of the cybersecurity regulations and share ideas about best practices. Our guides on this journey are compliance and regulatory professionals who have experience putting compliant cybersecurity systems in place. We are planning on hold these early morning meetings in Bloomington but will have call-in capabilities. Let Committee Director, Brian Edstrom, know if you are interested by contacting him at email@example.com.
What is your vendor assessment system?
One of the more challenging requirements of the new cybersecurity compliance is assessing the cybersecurity posture of third party vendors that store or have access to your client’s data and personal information. When most advisors can barely grasp their own cybersecurity, how are they supposed to evaluate that of a network or software company?
The requirement doesn’t come out of the imagination of regulators to torture advisors. A recent survey showed that 63% of data breaches in 2016 were traced back to cybersecurity lapses of third party vendors.
The fact is that you cannot make an expert assessment of the cybersecurity of your third-party vendors but it is still your duty to understand the steps they are taking to safeguard your clients data by doing the following:
Understand the breadth of the data or access shared with each vendor. You need to show to regulators that you are fully aware of the data or access to data that you share with your vendors.
Understand what the vulnerabilities or risks to that data from your end. How could a hacker access the third-party vendor’s software or network from your end? What protocols do you have in place for protecting access? Understanding the vulnerabilities on your end will help you ask those question of the vendor.
Have them explain to you how they are protecting your client data on their end. Whether you fully understand it or not, you need the third party vendor to fill out a questionnaire or provide information about their level of encryption, password security and employee access to your client data.
Expect them to repeat this process annually before you renew your contract. You cannot expect to do this once and forget it. Regulators expect you to do this annually and the best time is when you are about to renew the contract.
Determine what you are going to do if the vendor does turn out to be unreliable. What is your Plan B for replacing the service from vendor with unsafe system?
These and other similar cybersecurity issues are what we will be covering in our meetings of the Cybersecurity Working Group. We hope to see you there getting a grasp on these complicated issues because regulators expect you to be getting a grasp on these complicated issues.