A Guide to Performing Due Diligence
by Andy Boncoddo, Commonwealth Financial Network
In a world that seems to grow more prone to data breaches and identity theft by the day, what can you do to protect not only your own information, but that of your clients as well? Your clients entrust you with a lot of sensitive data, so itâs important that the vendors you work with have safeguards in place to keep this data secure. In fact, the law requires due diligence of business owners who have access to, maintain, or store consumersâ sensitive information.
With the array of technology products and services available, you may find properly vetting your vendors to be a challenge. Here, Iâll walk you through the parameters you can use to assess the security standards of potential vendors and identify any loopholes or red flagsâincluding how to evaluate whether they are adequately prepared to defend against threats to sensitive information and unauthorized access that could result in harm to your clients.
Any vendor with the potential to access or store advisor or client data must have an information security program in place. This program should outline technical, physical, and administrative safeguards specifically designed for protecting sensitive information. These safeguards may include:
- Strong password requirements
- Account lockouts
- Idle browser session timeouts
When it comes to a vendorâs data security policies, hereâs the bottom line: sensitive information should be encrypted, and you should hold the encryption key. That way, if a privacy breach does occur on the vendor side, your data will be meaningless to anyone who gains unauthorized access.
Also, role-based access is a necessity. That is, only authorized vendor employees should have access to sensitive information, and authorization should be based on a business need.
Any vendor you partner with should use software that is set up to receive the most current security updates on a regular basisâso your sensitive data wonât be left vulnerable. Vulnerability assessments should be performed on a continual basis, and a change management procedure should be in place, as software changes could open security holes in the vendorâs system. Finally, antivirus programs are a requirement, and they should offer real-time scanning protection on all computer systems.
By law, industry-standard firewalls are required. These firewalls should be deployed and kept current, and access to firewalls should be allowed only through Transport Layer Security (TLS). TLS ensures that records and files containing sensitive information are encrypted when transmitted wirelessly (also a requirement by law). Intrusion detection systems are typically included in firewall hardware/software, as are intrusion prevention systems.
You want any third-party vendor to take the responsibility of securing your sensitive information as seriously as you do. Accredited audits, including SSAEÂ 16 or SOC 1 and 2, are one way to test and validate your vendorâs controls and safeguards against known industry standards. Of course, successful completion of these certifications doesnât guarantee security. But it does help establish that your vendor has effective controls in place.
When evaluating a vendorâs physical security, take note of its location(s) and number of data centers. In the event of natural or environmental outages or disaster, storing data in multiple data centers provides better protection. It also helps improve the uptime of your data and the ability to recover from data loss. You might also ask for copies of the vendorâs physical security policy and verify that it covers building security, shredding and disposal procedures, and backup/redundancy.
Vendor due diligence and oversight has risen to the top of FINRAâs and the SECâs examination priorities list, and examiners are looking for evidence of a due diligence process from financial institutions, large and small. No matter what state your branch or clients are in, you must ensure that you are abiding by the federal information security laws, which require financial institutions to safeguard the security and confidentiality of customer information and protect that information against any threats or risks.
As you work to ensure that your firm has the proper safeguards in place, as well as to vet existing and potential vendors, here are some questions to guide your thinking:
- Are you taking every reasonable precaution with your clientsâ data? Are these controls documented? Periodically reviewing the protections you have in place todayâand proactively making any needed changes or upgradesâcan help ensure that the information you store is secure into the future.
- Do you have more than one vendor providing a similar service? How many of your vendors have access to sensitive data? Assessing your current suite of vendors is an easy way to detect potential redundancies and minimize unnecessary access to your clientsâ data.
- Have there been any red flags you should address? If so, donât leave anything to chance. Investigate warning signs promptly to ensure that your vendors continue to meet your security standards.
- If one of your vendors experiences a data breach, how do you plan to shut off the data flow and communicate the issue to your clients? Identifying and planning for potential threats ensures that you are prepared for any scenario.
Ultimately, it is your decision whether to entrust this information to a third party. Remember that you are your own most-trusted ally for controlling the flow of data to your vendors. By following the due diligence process for vetting your vendors, you will have the information you need to make an educated decision and guarantee compliance with applicable laws and regulations.
What does your firmâs vendor due diligence process look like? How have your security standards evolved as the prevalence of data breaches has grown and industry best practices have changed? Please share your thoughts below.
Editor's Note: This post was originally published in November 2015, but we've updated it to bring you more relevant and timely information.
Commonwealth Financial Network is the nationâs largest privately held independent broker/dealer-RIA. This post originally appeared on Commonwealth Independent Advisor, the firmâs corporate blog.
Copyright © Commonwealth Financial Network
