
6 Steps to Assess Your Vendors’ Cyber Security Preparedness

We have been sharing a lot of information on how Registered Investment Advisor (RIA) firms can better prepare themselves when it comes to cyber security – getting the CEO to own cyber security within the organization, understanding how to comply with SEC cyber security guidelines, and training your employees on how to protect the firm and identify any cyber breaches quickly.

For an RIA firm to truly protect itself, the entire organization needs to be committed to protecting the firm’s and its customers’ data. Every employee, from the CEO on down, needs to understand cyber risks and embrace the controls necessary to protect the firm. However, the focus can’t be purely internal. Looking only inside the company to shore up protections leaves many RIA firms vulnerable to attack.

Why? Because you probably have third party or external vendors who help you run your business, and to do so they need access to your network. Payroll service providers. Printer and scanner vendors. Computer repair firms. Even HVAC engineers.

For example, remember the big data breach that hit Target Corporation in 2014? The hackers broke into Target Corporation’s network using credentials stolen from an employee of an HVAC company that had been hired to monitor Target’s energy consumption patterns.

If your external vendors don’t have the same level of cyber preparedness as your RIA firm, then there is a weak link that could be exploited. Once you have your own house in order, it is important to identify who outside the firm has access to your network, evaluate their level of cyber preparedness, and include them in your cyber security policies, procedures, and training.

Here are 6 steps you can take to evaluate your external vendors’ level of cyber security.


    1. Work with all departments to analyze who has access to your network

    You will be surprised how many external vendors have access to your network. Don’t assume this applies only to outsourced IT management firms. It is important to go department by department and identify every third party vendor, consulting firm, human resources firm, marketing agency, and perhaps even shipping company that has access to your network. Once you have a list of every access point, you can start to evaluate each vendor’s level of cyber security awareness.

    2. Send them a questionnaire about their cyber security procedures and knowledge

    You need to assess the cyber security posture of your vendors, so ask them. Make it easy for them to answer your questions, and for you to analyze and compare their answers, by creating a standard cyber security assessment questionnaire. We can certainly help you put this together, or you can refer to the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, which combines a variety of cyber security standards and best practices in one document. Some general questions could include:

    • Who is responsible for cyber security in the firm?
    • When was the last time you had a cyber security assessment performed by a third-party organization? What were the results?
    • Do you have automated tools that continuously monitor to ensure malicious software is not deployed?

    3. Go through their answers with them to explain why it’s important

    Vendor management is an important area of focus for the SEC Cyber Security Exams this year. The SEC will want to see how you select vendors, conduct due diligence, and monitor their access to your network. Taking the time to talk with your vendors about the importance of cyber security in protecting your firm and your customers’ data is, frankly, a regulatory requirement. Your vendors need to know the risks and the impact a cyber breach would have on your firm, and the SEC wants to see that you have done this. So have your compliance officer sit with each vendor after they have answered your questionnaire to probe deeper and, where needed, help them shore up vulnerabilities.

    4. Assess their level of comfort with technology

    You want to work with vendors who have a very high comfort level with technology. Ask them to describe the expertise and experience of their IT staff. Do they outsource their IT management or do they manage it in-house? If outsourced, who do they use? If you need your vendor to make some changes to their policies, procedures, or even technology to meet your regulatory requirements, you need to feel comfortable that they or their IT vendor will know how to make those changes for you.

    5. Walk through the security procedures for their personnel and their own network

    How do they determine who has access to their system? What do they do when employees leave? How are cyber security incidents reported? Do they have a culture in which employees aren’t afraid to report a potential breach? Do they train their employees on cyber security? If their employees are well trained and have been following rigorous security procedures for years, then you can feel more confident that they will extend that level of care to you. Knowing how they protect and handle their own network gives you a clue as to how well they can protect yours.

    6. Ask if they have ever been breached

    Seeing how a third party vendor has handled a breach of their own will give you a sense of how they would handle an attack that may affect your system. Ask them to walk you through what happened: whether they were insured, where the leak came from, what the response was, and what has changed within the organization as a result of that breach.


Gathering all of this data will help you choose the right vendors to work with and ensure that your cyber security risk management policy is in place and understood by everyone who has access to your network.

To help CEOs and compliance officers of RIA firms better protect against cyber attacks, we have launched our new solution, AdvisorGuard™. Using a combination of best-in-industry diagnostic tools to identify threats to your system, including those coming from third party vendors, this service scans your system monthly to identify vulnerabilities; identifies, tracks, and blocks suspicious URLs; and prevents malicious software from shutting down your system or creating a gateway for attackers to access sensitive data. AdvisorGuard also gives your system an extra layer of protection by deploying multifactor authentication to all of your workstations and servers. Get the data you need to make strategic decisions on how best to protect your firm.

If you would like more information about how our new solution AdvisorGuard helps you protect your firm or how to assess the cyber security preparedness of your third party vendors, contact us here or give us a call at 224-563-3602 with any questions.
