Investment Advisers Should Review Cybersecurity Incident Response Plans of Vendors

March 21, 2020

In this new environment of working from home during the COVID-19 pandemic, it’s important for investment adviser firms to remember to conduct initial and ongoing due diligence of the cybersecurity policies and practices (including incident response plans) of third-party vendors that maintain confidential information of your investment advisory clients and provide services through the cloud over the Internet.

In an interview last week, the chief executive officer of a company that provides client relationship management (CRM) software to many investment adviser firms discussed the lessons he learned from a cybersecurity incident last year in which confidential information (e.g., names and social security numbers) of investment advisory clients was exposed and available on the Internet. The CEO noted that he wished his CRM software company could have notified affected individuals more quickly.

Unfortunately, RIA Compliance Consultants has noticed that failure to promptly notify and regularly update the affected investment adviser firms and clients is not uncommon in cybersecurity incidents involving vendors. As a result, to the extent a vendor has access to or maintains confidential client information, a best practice is for an investment adviser firm to review (if possible) the vendor’s cybersecurity incident response plan and practices as part of its due diligence process. The firm should also require the vendor to promptly notify the investment adviser firm of each cybersecurity incident related to the firm’s clients and to provide regular and detailed updates regarding the vendor’s investigation, notifications, and mitigation/resolution of the incident. For additional cybersecurity best practices related to your investment adviser’s due diligence of third-party vendors, please check out Cybersecurity – Conducting Due Diligence of Cloud Computing Service Providers and Cybersecurity – Best Practices Checklist.

Although RIA Compliance Consultants is not a cybersecurity expert, we are available to assist your investment adviser firm (in conjunction with your information technology staff or consultant) with developing and maintaining policies and procedures to address cybersecurity issues as they relate to your investment adviser firm. To learn more about our services, please call us at 877-345-4034.

Posted by Bryan Hill
Labels: Cybersecurity, Due Diligence, Incident Response Plan