Managing Third-Party Risk: Due Diligence Best Practices for Service Providers Handling Confidential Information
By ITA Compliance and Wolf & Company, P.C.
Executive Summary
Organizations rely on a range of third-party service providers to support their business operations. Typical examples include bookkeeping, client relationship management systems, document and email archiving, IT support, financial planning software, as well as custodians. Choosing the appropriate provider to partner with is an important decision, as they help your operations run effectively and are given access to confidential information about your business and its clients. Organizations that lack a careful approach subject themselves to significant financial, regulatory, and reputational risks.
Organizations have obligations to comply with regulations such as Regulation S-P and Regulation S-ID to protect client data and implement protections to mitigate identity theft. In this article we highlight four (4) common shortcomings found in internal audits and regulatory examinations and suggest practical best practices. Even if your organization is not yet subject to federal and state regulations, this guidance will be helpful for the handling of client non-public information, collaboration with regulated partners, and alignment with future regulatory requirements.
Common Findings and Best Practices:
1) Failure to Conduct Risk Assessments
Many firms did not have a formal process to evaluate and document their assessment of third-party threats. Some firms treated all vendors equally, regardless of whether they had access to limited or broad amounts of client data.
Tips and Best Practices:
- Document your risk assessment and conduct a thorough review at least annually.
- Evaluate key considerations when classifying risk, including: the nature of data access provided (such as sensitive personal information), whether access is limited to selected clients or extended to all clients, availability of auditor SOC reports and other independent testing documentation, engagement of fourth-party vendors, federal regulatory status, and examination history.
- Utilize your risk assessment to determine the appropriate schedule for ongoing vendor oversight.
2) Missing Contractual Protections
Multiple deficiencies have been noted in vendor agreements, such as the absence of provisions for data protection, lack of incident response timelines, omission of rights to obtain SOC or other testing reports, absence of provisions for managing subcontractor risk, and missing clauses related to data return or destruction.
Tips and Best Practices:
- Prepare a comprehensive contract checklist and reconcile it with vendor agreements to confirm that all essential areas are addressed.
- For any aspects not addressed by an agreement, review the organization’s privacy notice as well as relevant policies and procedures to determine whether the gaps can be mitigated, and ensure that findings are thoroughly documented.
3) Inadequate Written Policies and Procedures
Many compliance policies were found to be generic and often failed to provide detailed procedures on vendor management. Policies did not clearly outline the necessary steps for initial due diligence or ongoing monitoring, nor specify when and how control reviews should occur. Often policies only addressed initial due diligence and omitted requirements for continuous oversight. In other instances, procedures listed documents to collect and review but did not include a procedure to evidence the reviews.
Tips and Best Practices:
- State that due diligence will be completed before granting third-party access to your data. For ongoing oversight, specify review intervals (e.g., annually, or based on your internal risk assessment) instead of using vague terms like “periodically.”
- Explain how document requirements will differ based on the relevant factors, such as the risk classification of each vendor or document availability. For example, you might require negative news searches for all vendors and SOC 2 reports from a subset of vendors.
- Clarify how you record reviews and outcomes, for example, by memo or checklist.
4) Insufficient Vendor Documentation Gathering & Review
Organizations frequently encounter challenges determining which documents to collect from vendors at the outset of the due diligence process. In several cases, vendors offered SOC 2 reports; however, these were not obtained. For companies lacking a SOC 2 report, there was no established procedure to request alternative documentation validating data security controls. Occasionally, firms granted access to sensitive client information based solely on reviewing a privacy policy.
Tips and Best Practices:
- Let the vendor know that you are governed by privacy and information security regulations and ask for a “due diligence package” explaining their data security measures. (Often, this can yield more comprehensive information than simply requesting specific documents.)
- Determine the scope of vendors’ independent testing and request their latest SOC 2 report or similar documentation if available.
- Request copies of all relevant policies and procedures regarding privacy, identity theft prevention, and information security controls.
- Search the internet (AI tools can assist) for negative news related to data loss or breaches involving the vendor.
- Create a checklist to record what was reviewed, who did the review, the completion date, and whether results were favorable or not. If problems arise, add notes explaining how they were investigated.
- If your firm does not have the expertise internally, consider partnering with a firm that can assist with reviewing SOC 2 and other technical documentation.
Conclusion
Due diligence and vendor monitoring programs should encompass a wide range of considerations reflecting the information shared, the various types of vendors, and outsourced services involved. Approaches to due diligence and ongoing monitoring should be tailored to the specific factors and objectives relevant to each organization.
How ITA Compliance and Wolf can Help
Many organizations depend on third-party vendors but aren’t always sure their vendor management program would hold up under scrutiny. Things like inconsistent due diligence, outdated policies, or limited ongoing monitoring can quickly become a problem, especially when regulators start asking questions.
ITA Compliance, LLC
ITA is dedicated to performing independent testing for registered investment advisers and broker-dealers. If your organization has implemented a vendor management program and seeks an impartial assessment of your policies, procedures, and controls concerning this area or other regulatory obligations, please contact Nathan Jodat for further assistance.
Wolf & Company, P.C.
Wolf has the knowledge and experience to help any organization create and implement a vendor management program. Our expertise in the financial services sector and beyond positions us to assist you in every step of the vendor management lifecycle. Whether you are seeking an opportunity to improve your existing program or implement a new one, reach out to Brian Shea today to schedule a consultation call and strengthen your vendor oversight framework.