To the SEC, third-party risk management is a vital part of the compliance framework it expects to see in its regulated institutions and, since third parties can represent a very wide swath of activities, the SEC claims broad authority.
The SEC is fairly prescriptive in how it suggests that vendors be managed, as we have seen in the risk alerts. While the current examination priorities report does not provide a straightforward definition of a vendor or clarify who should be included or excluded, the SEC does offer broad and informative guidance on selecting, managing and regulating vendor activities through interpreting its own vendor communication plan.
Whether you are a registered broker-dealer, investment company or investment adviser, here are 4 ways to respond:
Centralize the data on your third parties so that you can efficiently manage, monitor and risk-assess them.
Our industry experts and certified team can become your cost-effective staff augmentation answer.
The SEC has been at the forefront of cybersecurity concerns for some time. In 2017, it was among the first to ring the alarm bells on the WannaCry ransomware attacks, and its statements in the report indicate that it will be looking for evidence that you, as a regulated entity, have taken appropriate steps.
In August of 2017, the SEC also issued a Risk Alert packed with observations on the role of vendor management and cybersecurity, noting the appropriate steps that institutions should be employing to properly oversee their vendors. A copy of that report can be found here; it reinforces that the regulators in the financial services industry all generally share the same concerns over the need for heightened vendor management practices.
“We will continue to prioritize cybersecurity in each of our examination programs. Our examinations have and will continue to focus on, among other things, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.”
SEC 2018 Examination Priorities Report