A Guide to Performing Due Diligence
by Commonwealth Financial Network
Your clients rely on you to protect their sensitive information, so it's important that the vendors you work with have safeguards in place to keep this information safe and secure. Not to mention the fact that the law requires due diligence of business owners who have access to, maintain, or store a consumer's sensitive information.
But with the array of technology products and services available, you may find it difficult to properly assess the security standards of potential vendors and identify any loopholes or red flags. Here, I'll walk you through the process for vetting your vendors, including how to evaluate whether they are adequately prepared to defend against threats to sensitive information and unauthorized access that could result in harm to your clients.
Be sure that any vendor youâre considering has an information security program in place. This program should outline technical, physical, and administrative safeguards specifically designed for protecting sensitive information. These safeguards may include, for example:
- Strong password requirements
- Account lockouts
- Idle browser session timeouts
When evaluating a vendor's physical security, you'll want to take note of the location and number of data centers. In the event of natural or environmental outages or disaster, storing data in multiple data centers provides better protection. It also helps improve the uptime of your data and the ability to recover from data loss. You might also ask for a copy of the vendor's physical security policies, and verify that they cover building security, shredding and disposal procedures, and backup/redundancy.
When it comes to a vendor's data security policies, here's the bottom line: Sensitive information should be encrypted at rest, and you should hold the encryption key. That way, if a privacy breach does occur on the vendor side, your data will be meaningless to whoever gains unauthorized access.
Also, role-based access is a necessity. That is, only authorized vendor employees should have access to sensitive information, and authorization should be based on a business need.
Any vendor you partner with should use software that is set up to receive the most current security updates on a regular basis, so your sensitive data won't be left vulnerable. Vulnerability assessments should be performed on a continual basis, and a change management procedure should be in place, as software changes could open up security holes in the vendor's system. Finally, antivirus programs are a requirement, and they should offer real-time scanning protection on all computer systems.
By law, industry-standard firewalls are required. These firewalls should be deployed and kept current, and access to firewalls should be allowed only through Transport Layer Security (TLS). TLS ensures that records and files containing sensitive information are encrypted when transmitted wirelessly (also a requirement by law). Intrusion detection systems are typically included in firewall hardware/software, as are intrusion prevention systems.
You want any third-party vendor to take the responsibility of securing your sensitive information as seriously as you do. Accredited audits, including SSAE 16 or SOC 1 and 2, are one way to test and validate your vendor's controls and safeguards against known industry standards.
Of course, successful completion of these certifications doesn't guarantee security. But it does help establish that your vendor has effective controls in place.
Vendor/third-party due diligence and oversight have risen to the top of FINRA's and the SEC's examination priorities lists, and examiners are looking for evidence of a due diligence process from financial institutions, large or small. No matter what state your branch or clients are in, you must ensure that you are abiding by the federal information security laws, which require financial institutions to safeguard the security and confidentiality of customer information and protect that information against any threats or risks.
Ultimately, it is your decision whether to entrust this information to a third party. But by following the due diligence process for vetting your vendors, you will get the vital information you need to make an educated decision and guarantee compliance with the laws and regulations.
What other areas of concern do you cover when vetting your vendors? What red flags have you noticed as you work with different vendors? Please share your thoughts with us below.
Editor's Note: This post was originally published in November 2015, but we've updated it to bring you more relevant and timely information.
Commonwealth Financial Network is the nation's largest privately held independent broker/dealer-RIA. This post originally appeared on Commonwealth Independent Advisor, the firm's corporate blog.
Copyright © Commonwealth Financial Network