Vendor Due Diligence Cybersecurity Checklist for New SEC Rules
Critical business operations rely on technology and on the suppliers who deliver it. As your dependence on third parties grows, your threat landscape grows with it: every vendor with access to your data or systems extends your attack surface. By some industry estimates, two-thirds of data breaches originate in vulnerabilities in vendor systems.
Sophisticated investors are insisting that hedge fund managers treat vendor due diligence as seriously as investment due diligence. The SEC’s newest cyber risk rule proposal backs them up: it would require registered funds and advisers to maintain policies and procedures that protect sensitive data, whether that data lives in proprietary applications or in SaaS-delivered ones.
As you tighten your internal risk tolerance, it is critical to assess what an external SaaS vendor adds to the cybersecurity risk to your data and critical business functions. Do the vendor’s controls meet or exceed your own? A compromise of business operations or customer data puts you and your firm at significant risk and carries regulatory consequences. Ultimately, it is your responsibility, not the vendor’s, to disclose and report incidents to the SEC and to investors, including in the disclosure documents the proposal covers, so make sure your partners can provide the protection you need.
No vendor relationship is free of risk, but that risk must be evaluated and managed throughout the life of the relationship, not just at onboarding. We’ve put together this cybersecurity checklist for evaluating SaaS vendors against your firm’s compliance requirements and the SEC’s recommended security standards. Here is how you should be assessing SaaS vendor risk ahead of the SEC’s final rule release.
Data Ownership & Conditions
- Identify the classification, regulations, and compliance requirements of the data the vendor will process, store, transmit, or otherwise have access to.
- Review the access control and audit functionality of the vendor system. Ensure it meets the same standards required of proprietary systems: multifactor authentication, the principle of least privilege, and audit logs that record the access time, the source location, the identity of the user, and the actions taken within the application. Ask for a sample log export and confirm those fields are actually present and usable.
- Identify the geographic locations where the data will be stored and processed. Ensure these locations are in approved regions and that the contract prohibits moving data to unapproved regions.
- Review the vendor’s security documentation and compliance reports to validate that its controls align with your internal policies and requirements.
- Confirm the provider commits to maintaining the relevant international standards (for example, SOC 2 or ISO 27001) and will provide updated compliance reports as they become available.
- Confirm the provider meets, or can carry out, every one of the firm’s information security policies for which it would have responsibility.
- Define how data will be returned to your firm and securely deleted from the provider’s systems, including backups, upon termination of the agreement, and require written confirmation of deletion.
- Confirm the extent to which the vendor may access, disclose, or sell customer data to third parties.
- Establish Right to Audit provisions that allow you to audit the physical, technical, and administrative controls of the provider at least annually. This provision may include a specific requirement that the vendor complete an assessment your firm provides.
- Define the timeline within which your firm will be informed of a material or potential breach affecting investor or business data. The window must be short enough for your firm to meet its own SEC reporting obligations.
- Evaluate the risks to data availability from critical vendor events. For example, what happens if the vendor goes out of business or changes business focus? Does your vendor rely on other vendors (fourth parties)? If so, what protocols are in place to mitigate that risk and preserve confidentiality?
- Develop contingency plans to transfer services and data to another provider or back in-house.
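The audit-log item above is the one on this list you can verify mechanically rather than by reading a questionnaire. The following script is an added example for this page, not code from the original article or from Agio: it takes a JSON-lines audit export of the kind a SaaS vendor might hand over during due diligence and checks each record for the four things the checklist asks for (time, user, source location, action). The field names and the three sample records are assumptions; substitute the vendor’s actual schema.

```python
"""Check a SaaS vendor's sample audit-log export for the fields the
checklist asks for: when, who, from where, and what was done.
Example code added for this page, not from the original article or
from Agio; field names and sample records are assumptions."""
import json
from datetime import datetime
from ipaddress import ip_address

# Fields the checklist item asks for (assumed names for a JSON-lines export).
REQUIRED = {
    "timestamp": "access time",
    "actor": "user identity",
    "source_ip": "location of access",
    "action": "user action within the application",
}

# Constructed sample export: one complete record, one missing a source
# IP, and one whose timestamp cannot be parsed.
SAMPLE_EXPORT = """\
{"timestamp": "2024-03-01T14:02:11Z", "actor": "jdoe", "source_ip": "203.0.113.7", "action": "login"}
{"timestamp": "2024-03-01T14:05:40Z", "actor": "jdoe", "action": "report.export"}
{"timestamp": "yesterday", "actor": "admin", "source_ip": "198.51.100.9", "action": "role.change"}
"""


def _valid_timestamp(value) -> bool:
    """Accept ISO 8601 with an explicit timezone; exports without a zone
    cannot be reliably correlated with your own logs."""
    if not isinstance(value, str):
        return False
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None


def _valid_ip(value) -> bool:
    """True if the value parses as an IPv4 or IPv6 address."""
    try:
        ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def check_event(event: dict) -> list:
    """Return the list of problems for one audit record (empty means OK)."""
    problems = []
    for field, meaning in REQUIRED.items():
        if field not in event or event[field] in ("", None):
            problems.append(f"missing {field} ({meaning})")
    if "timestamp" in event and not _valid_timestamp(event["timestamp"]):
        problems.append("timestamp is not ISO 8601 with timezone")
    if "source_ip" in event and not _valid_ip(event["source_ip"]):
        problems.append("source_ip is not a valid IP address")
    return problems


def check_export(jsonl: str) -> dict:
    """Parse a JSON-lines export and summarise the gaps.

    Returns the record count, how many passed, a list of
    (line_number, problems) for failures, and the set of distinct
    actions seen, so you can compare it with the actions you expect the
    vendor to log (login, export, permission change, and so on)."""
    total, passed, failures, actions = 0, 0, [], set()
    for lineno, line in enumerate(jsonl.splitlines(), start=1):
        if not line.strip():
            continue
        total += 1
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            failures.append((lineno, ["record is not valid JSON"]))
            continue
        actions.add(event.get("action"))
        problems = check_event(event)
        if problems:
            failures.append((lineno, problems))
        else:
            passed += 1
    return {"total": total, "passed": passed, "failures": failures, "actions": actions}


if __name__ == "__main__":
    result = check_export(SAMPLE_EXPORT)
    print(f"{result['passed']}/{result['total']} records complete")
    for lineno, problems in result["failures"]:
        print(f"  line {lineno}: " + "; ".join(problems))
    print("actions logged:", sorted(a for a in result["actions"] if a))
```

Run it against the sample and two of the three records fail, one for a missing source address and one for an unparseable timestamp. The set of distinct actions is returned so you can check that the events you care about most in a due-diligence review (logins, data exports, permission changes) actually appear in the export rather than only in the vendor’s marketing sheet.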
How Do Your Partnerships Measure Up?
The SEC’s newest proposal lays out the non-negotiables for compliance and makes it clear that you are responsible for implementation across all business systems, proprietary or not. That is a lot. Agio can help.
As your cybersecurity partner, we provide the services you need to assess, monitor, and remediate the risk inherent in vendor (and other third-party) relationships.
Agio’s Vendor Risk Program evaluates each of your vendors and assigns a cybersecurity maturity level and risk rating so you can make smarter decisions, stay compliant, and avoid negative impacts on your firm’s reputation. We handle the mechanics and management of vendors, so you don’t have to.
Agio is a complete solution; none of our services exists in a vacuum. Clients who bundle our Vendor Risk Program with Extended Detection and Response (XDR), IT Management, and our SEC Cybersecurity Governance Program are positioned to meet current and upcoming SEC guidelines. That is an assurance that should give comfort to you and your investors.
Our clients are ready. Are you? Contact us to take our SEC Cybersecurity Risk Management Rule Readiness Assessment today.