As Marc mentioned last time, the SEC’s Division of Examinations’ (EXAMS) has made it a priority in 2021 to review the steps that firms take to ensure information security and operational resiliency. For robo-advisers, given that they conduct so much of their operations online, these steps are of paramount importance.

In its report, EXAMS noted that it will scrutinize whether advisers have implemented appropriate measures to oversee vendors and service providers and manage the cybersecurity and privacy risks inherent in those relationships.  So what does the agency expect to see from you?

Luckily, the SEC already tipped its cards.  The agency published guidance in 2020 that indicates its view that vendor management policies and procedures should address due diligence for selecting vendors, monitoring and overseeing them, requiring appropriate contract terms, and understanding how vendors protect client information.

Here are some practices observed by the SEC that illustrate those expectations:

  • Vendor management programs. The agency noted firms had established vendor management programs that set standards for vendors’ information security practices, ensured safeguards were in place, used questionnaires to evaluate potential vendors, required the review of third party reports (such as SOC 2 reports), mandated independent audits, and established procedures for terminating and replacing vendors.
  • Understanding vendor relationships. The SEC found that advisers (and their personnel) demonstrated that they understood privacy and cybersecurity related contract terms, understood risks associated with vendor outsourcing, and effectively managed those risks.
  • Vendor monitoring and testing.  The agency observed that companies took demonstrable steps to monitor each vendor relationship to make sure the vendor continued to meet security requirements and ensure that advisers were alerted to changes in the vendor’s services or personnel.

Want some more advice?  Be ready for data breaches caused by your vendors.  A common misconception is that if you share sensitive information with a vendor and that vendor gets hacked, the vendor is the one with legal obligations relating to the breach.  That’s not true.  State laws put the onus on the adviser who collected information from the consumer in the first place, and they often limit the responsibility of vendors to promptly informing you that something happened.  So what do you do? Ensure your contract with any vendor that handles your clients’ information specifies what must be done if a breach occurs, who must do it, how fast it must be done, and how the costs will be allocated.

Want even more advice?  For a fulsome discussion of the steps you can take to manage the privacy and cybersecurity risks of your service providers, I encourage you to check out our webinar available here.  That’s all for now – please be sure to return for our next post where Josh will discuss the importance of maintaining effective access rights and controls in your organization.