The SEC Wants You to Prioritize Vendor Risk Management
U.S. securities regulators started off 2020 by emphasizing the importance of vendor risk management (VRM).
On Jan. 7, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) announced its Examination Priorities for 2020. And on Jan. 27, the OCIE released its Cybersecurity and Resiliency Observations report. Both treat vendor management as a critical exam area.
At the time, regulators planned to take a closer look at how companies are managing vendor compliance risks and enhancing cybersecurity preparedness and operational resiliency. Of course, the SEC’s annual priority list was published before the coronavirus (COVID-19) had reached crisis levels in the U.S. and most of the world.
Regulatory requirements don’t go away during a pandemic. If anything, they’re more important than ever. How can you be in compliance and protect company and customer data in these troubling times?
Following the report guidelines
The Wall Street Journal provided more details on the 2020 Examination Priorities list:
“On the outsourcing front, they plan to keep an eye on risks stemming from giving data-storage, asset-management, and other duties to outside vendors.”
The report also says the SEC will focus on service providers and network solutions that leverage cloud-based storage.
The importance of data protection carries over into the Cybersecurity and Resiliency Observations. That report states that any organization’s VRM program must assess how vendors protect any accessible client information.
What can you do to prepare for SEC examinations?
It helps to understand the guidance on the reports themselves. Here are some recommendations to meet the expectations of both reports:
- Review compliance procedures, especially for the Gramm-Leach-Bliley Act Safeguards Rule (Regulation S-P) and Identity Theft Red Flags Rule (Regulation S-ID).
- Establish procedures for terminating or replacing vendors, including cloud-based service providers, and establish safeguards around the proper disposal of retired hardware containing client and network information.
- Understand contract terms so both you and your vendor agree on how risks and security concerns are addressed.
- Continuously monitor and test the vendor relationship so the vendor continues to follow security requirements and be aware of changes to the vendor’s services or personnel.
- Have controls in place surrounding online access and mobile application access to customer brokerage account information.
The SEC’s guidelines are for the good of you and your customers. The current pandemic crisis adds even more urgency to protecting confidential and client data at a time when working remotely has made many vulnerable to cyberattacks.
A VRM system is the best option to stay ahead of your examinations. You can model your vendor risk management program on a solution that has powerful features and tools to ensure compliance and protect important data.