New SEC Exams Emphasize Vendor Risk Management

Jake Olcott | September 24, 2015 | tag: Vendor Risk Management

Last week, the SEC issued a Risk Alert announcing that it will continue to assess cybersecurity risk and preparedness among broker-dealers, investment advisers, and other financial institutions. The release details several focus areas for these exams. Here are a few highlights:

  • Governance and Risk Assessment: Examinations will assess whether businesses are evaluating cybersecurity risks, and whether appropriate controls are in place.

  • Access Rights and Controls: The SEC will look at how businesses manage access to systems and data through user credentials, authentication, and authorization.

  • Data Loss Prevention: Examiners will assess how businesses monitor the volume of data transferred outside of their networks by employees and third parties.

  • Vendor Management: Recognizing that some of the largest data breaches of the last few years have originated from the hacking of third parties, SEC examiners will also assess businesses’ practices and controls for vendor management. Specifically, examiners will look at vendor selection, contract terms, monitoring, and oversight of vendors.

Like many financial regulators, the SEC is focusing on vendor risk management. Last month, US law enforcement officials, along with the Securities and Exchange Commission, announced the indictment of 35 individuals who hacked into earnings press statements prior to their release. Armed with this insider information, the traders made more than $100 million in profitable trades before the earnings became public.

The case is a perfect illustration of how complex third-party security has become: data breaches affecting critical vendors, contractors, and other business associates can have a material impact on your business. These newswires were not likely critical vendors for the businesses affected by the insider trading, yet they held highly sensitive data.

Third-party data breaches have affected multiple industries this year. The compromise of two background check providers for the government was integral to July’s breach of the Office of Personnel Management (OPM).

Commercial enterprises continue to struggle with vendor risk management. Recently, CVS confirmed a data breach of their photo service, which remains offline after hackers allegedly breached PNI Digital -- a third-party vendor that manages the photo website.

More recently, Cal State University was breached through an outsourced firm that provided online courses for violence prevention. Hackers gained access to Cal State’s system through underlying vulnerabilities in the code of the third party. Personal information on 80,000 students was exposed.

In its Risk Alert, the SEC suggests that “monitoring and oversight” of vendors is a crucial step to developing a vendor risk management program.

BitSight has a wealth of resources on this topic to help with vendor risk management -- whether you’re just getting started or your organization already has a program in place.
