SEC and FINRA CCOs: How to conduct vendor cybersecurity due-diligence reviews.
It is a chore. I get it. But, as CCO, you are required to perform cybersecurity due-diligence audits on all third-party vendors that "touch" your clients' personally identifiable information (PII).
Here is a quick guide to help you streamline this process.
Understand what data you will be providing to the vendor.
Not all vendors have the same access. Determine the sensitive nature of the data, the source of the data, and which internal systems the vendor will have access to.
Understand which products and services you are interested in (or using).
A vendor may offer both hosted services and on-premise software. Each service provider and service offering will have a different set of questions that need to be asked. If you let the vendor know which services you are using or interested in, the vendor can provide the most relevant information. If you ask for an assessment applicable to all their products and services, you are much less likely to get a usable response.
Craft the questions to the specific risks associated with that particular vendor:
The vendor may already have documentation readily available that covers your concerns (and many more), so be sure to ask for that. If they have been through a third-party cybersecurity audit, you can ask for those results. (Heads up: the vendor will usually require an NDA before providing you with the reports.)
If adequate documentation is not available, here are some customizable vendor security questionnaires you can start with to craft your own:
I suggest that you repeat your vendor due-diligence assessment annually as part of your annual compliance review.
And, of course, if you don't document this process, it didn't happen.