Vendor BCP: What Broker-Dealers Need to Know

From clearing firms and software providers to record retention and data vendors, third-party vendor relationships are often essential to day-to-day operations at broker-dealers.  

Imagine your trading platform provider is hit with a ransomware attack, your data storage vendor suffers a system failure, or your customer service provider goes offline after a natural disaster. These scenarios could all harm your firm and your clients.

Wouldn’t it be nice to know ahead of time that your vendor has plans in place to prevent these situations or get back online quickly, and whether those plans align with your firm’s needs and expectations? The alternative is being caught off guard: finding out your trading platform promises a recovery time objective (RTO) of 12 hours when you’re counting on 4 hours.

That’s why third-party business continuity is a critical part of your firm’s operational resilience and disaster recovery preparedness. Ensuring smooth operations is critical for broker-dealers to maintain their reputation and protect client assets. For this to happen, you need to know whether your third parties and vendors are resilient and prepared.

Let’s look at why broker-dealers need to ensure third-party business continuity and practical TPRM steps to build third-party resilience.

Why Broker-Dealers Need Third-Party Business Continuity 

A single third-party disruption can trigger a cascade of operational nightmares and other issues for broker-dealers. It’s important not to fall into a trap of complacency, but to proactively identify, assess, and manage third-party business continuity risks.  

A third-party operational failure can lead to several consequences for broker-dealers, including: 

  • Regulatory scrutiny: Regulators like the SEC and FINRA emphasize the importance of operational resilience for broker-dealers. Even when an incident is caused by a third party, regulators rarely make a distinction – it’s still your firm's responsibility to ensure resilience and protect clients. 
  • Operational vulnerabilities: Cloud service disruptions, network failures, or data center incidents can interrupt client communications, prevent access to trading systems, or cause compliance reporting delays. This can bring your broker-dealer's operations to a standstill – resulting in serious financial and reputation damage. 
  • Cyberattacks: A third-party cybersecurity incident can expose confidential data, disrupt access to critical systems, and force your firm to shift focus from day-to-day operations to crisis response.  
  • Financial losses: A third-party incident can cost your broker-dealer in multiple ways, including financial losses from fraud or downtime. A third-party disruption can also become a regulatory issue, exposing your broker-dealer to enforcement actions, penalties, or other fines. In some cases, clients may take legal action against your firm, leading to expensive legal fees.
  • Reputational damage: Clients expect a seamless experience, especially when it comes to financial services. Third-party outages and delays can reflect poorly on your firm, damaging your hard-earned reputation. 

FINRA expects broker-dealers to have business continuity plans (BCPs) to prevent and respond to incidents. If your firm relies on a third party to support any part of your business continuity plan or a mission-critical system, FINRA Rule 4370(c) says that relationship needs to be clearly addressed in your plan. 

How Broker-Dealers Can Assess and Mitigate Third-Party Business Continuity Risk 

  • Identify critical third parties: Which third parties are most critical to your broker-dealer's operations? These relationships, such as those that support trades, have the highest potential for severe operational disruptions and incidents. Prioritize critical third-party relationships in your business continuity planning.            
  • Review third-party business continuity plans: Your third-party vendors – particularly your high-risk and critical vendors – should have BCPs and share information to help you decide whether a vendor’s business continuity planning is appropriate for the criticality of the service. This includes documented recovery strategies, testing procedures and results, communication protocols, and evidence of regular updates and senior oversight. Remember to review these plans periodically throughout the vendor relationship.

    If the third-party vendor is hesitant to share business continuity plans with your firm, it may be helpful to send a questionnaire instead or offer to sign a confidentiality agreement. 
  • Anticipate third-party disruptions in your BCP: Even the most-prepared vendor can encounter trouble. Plan for third-party disruptions or failures in your broker-dealer's BCP. Have a response plan in case a critical outsourced product or service fails.
  • Set expectations in the third-party contract: Third-party contracts should contain clear expectations for business continuity. Include independent testing requirements, ensure access to the vendor’s BCP, and set recovery times and breach/disruption notification protocols. 
  • Continuously monitor risk: Third-party risks are never static, particularly business continuity risk. A disruption or incident can occur at any time, and sometimes with little warning. Use industry and news alerts and real-time monitoring tools to stay aware of any changes at your third-party vendors.
  • Maintain documentation: Document the steps your broker-dealer took to review the vendor’s business continuity plan, any issue remediation actions taken, and monitoring practices. Show your firm took reasonable and well-documented steps to mitigate vendor BCP risk. 

Third-party vendors are an extension of your firm’s operations. Overlooking third-party business continuity and operational resilience can be a costly mistake. Take the time to assess BCPs, ask the right questions, and set contractual expectations. This keeps your firm prepared for when the unexpected hits. 

What do you need to know about a third party’s business continuity and disaster recovery plans? Learn what to look for in this on-demand webinar.