New SEC Exams Emphasize Vendor Risk Management

Last week, the SEC issued a Risk Alert announcing that it will continue to assess cybersecurity risk and preparedness among broker-dealers, investment advisers, and other regulated financial institutions. The alert details several focus areas for these examinations. Here are a few highlights:

  • Governance and Risk Assessment: Examiners will assess whether firms are evaluating their cybersecurity risks and whether appropriate controls are in place to address them.
  • Access Rights and Controls: The SEC will look at how firms manage access to systems and data through user credentials, authentication, and authorization, including how access is provisioned and revoked.
  • Data Loss Prevention: Examiners will assess how firms monitor the volume and type of data transferred outside of their networks by employees and third parties.
  • Vendor Management: Recognizing that some of the largest data breaches of the last few years originated with the compromise of third parties, examiners will also assess firms' practices and controls for vendor management. Specifically, they will look at vendor selection, contract terms, and the ongoing monitoring and oversight of vendors.

Like many financial regulators, the SEC is focusing on vendor risk management, and a recent case shows why. Last month, US law enforcement officials, together with the Securities and Exchange Commission, announced charges against 35 individuals in a scheme that hacked into newswire services to steal corporate earnings releases before they were published. Armed with this non-public information, the traders made more than $100 million in profit before the earnings became public.


The case is a perfect illustration of how complex third party security has become: data breaches affecting vendors, contractors, and other business associates can have a material impact on your business. The newswires were probably not classified as critical vendors by the companies whose releases were stolen, yet they held highly sensitive, market-moving data. Tiering vendors by operational criticality alone misses this; the sensitivity of the data a vendor holds matters as much as the service it provides.

Third party data breaches have affected multiple industries this year. The compromise of two background check providers for the government was integral to the breach of the Office of Personnel Management (OPM) disclosed this summer.

Commercial enterprises continue to struggle with vendor risk management. Recently, CVS confirmed a data breach of its photo service, which remains offline after hackers allegedly breached PNI Digital, the third-party vendor that manages the photo website.

More recently, California State University was breached through an outsourced firm that provided online violence prevention courses. Hackers exploited vulnerabilities in the third party's code to gain access, and personal information on roughly 80,000 students was exposed.

In its Risk Alert, the SEC suggests that “monitoring and oversight” of vendors is a crucial step to developing a vendor risk management program.

BitSight has a wealth of resources on this topic to help with vendor risk management -- whether you’re just getting started or your organization already has a program in place.