More Tips on Third-Party Risk
FINRA, the regulator for broker-dealer firms, published its annual report on regulatory oversight issues this week — and to little surprise, the report included a section on third-party risk and the internal controls that your firm should consider to keep those risks in check. The advice is useful to anyone in any business sector, so let’s take a look.
For starters, the report viewed third-party risk entirely through the lens of cybersecurity and business continuity. That’s to be expected; FINRA has little need to worry about other, more “traditional” third-party risks such as overseas bribery and corruption, since most broker-dealers don’t have business arrangements that would breed FCPA risk.
Still, there’s a point here worth teasing out: that the very phrase “third-party risk” means different things to different people within the same enterprise. At the rate we’re going, ethics and compliance officers who view third-party risk as a function of anti-corruption will soon be (or even already are) a distinct minority.
Instead, everyone else in your enterprise — internal auditors, CISOs, procurement officers, and above all, senior management — will hear “third-party risk” and immediately associate the phrase with privacy, cybersecurity, and operational threats that arise upstream from your own business, somewhere in the supply chain. That’s quite different from ethics and compliance officers worried about third-party anti-corruption risk happening downstream among the sketchy resellers, distributors, and agents who drive you crazy.
Why dwell on this distinction? Because what boards and senior managers don’t want to hear is different groups arguing the need for multiple tools and investments to handle multiple types of third-party risk. They’re looking for efficiency and simplicity. They want one comprehensive, universal approach to managing third-party risk, ideally with a single tool or process that monitors all the risks that all your third parties might pose.
Or, if you can’t find that single solution for all third-party risk, when push comes to shove, management will care more about those privacy, security, and operational risks. After all, an FCPA risk gone wrong brings regulatory scrutiny and the cost of a settlement, but it doesn’t derail the business. A ransomware attack coming up through your supply chain, however, very well could derail the business and leave operations paralyzed for weeks or more. Wouldn’t you make that your priority too?
Anyway, enough theory. Let’s get on with the nitty-gritty of what FINRA recommended for good third-party risk practices.
What Third-Party Risk Programs Should Do
The FINRA report’s discussion of third-party risk began with a list of objectives that your third-party risk management program should be able to do:
- Establish adequate third-party vendor risk management policies;
- Conduct initial and ongoing due diligence on third-party vendors that play a role in your own important processes, such as cybersecurity or transaction monitoring;
- Validate data protection controls in third-party vendor contracts;
- Include third-party vendors that support key systems in the testing of your Incident Response Plan;
- Maintain a list of all third-party services, or third-party provided hardware and software components, that your firm’s IT function uses;
- Have procedures to govern the return or destruction of your data at the end of a vendor contract; and
- Address your third-party vendors’ use of other vendors (that is, fourth-party vendors to you) that may handle your data.
As far as I’m concerned, that’s a list you should print out and carry around in your wallet. It’s a concise summary of goals for your third-party risk management program, and it lets you move onto the next step — thinking about the capabilities your program will need to have to achieve all of the above goals.
That’s the framing mechanism compliance officers and CISOs should always use when thinking about how to improve a program: think about the capabilities the program will need to have, rather than the specific adjustments you’ll need to make in the short term.
Or, to describe the challenge another way: decide that fixed point on the horizon you want your program to achieve by, say, 2027. Then reverse-engineer the steps you’ll need to take — investments in new tools, changes to policy, new roles or responsibilities — to get to that point on the horizon. That’s far better than plunging forward one step at a time, only to discover in 2026 that you overlooked a much wiser path forward and need to adjust course. CFOs reviewing budget requests never like to hear about adjusting course.
Practices to Adopt
So given those objectives listed above, what practices should you implement? The FINRA report offered advice on that question, too:
- Maintain a list of all third-party vendor-provided services, systems, and software components, so that you can better assess the potential damage from a cybersecurity incident or tech outage at a vendor;
- Evaluate the effect on your ability to meet regulatory obligations if a third-party vendor fails to perform the outsourced activity or function;
- Ask potential third-party vendors whether they incorporate generative AI into their products or services, and if so, consider whether you need to amend your contracts with that vendor to comply with your own regulatory obligations (like, “no consuming our data without permission”);
- Review your vendors’ default settings for technology or services they provide, and adjust those settings as necessary (such as disabling a chat feature or capturing communications for supervisory reviews);
- Ensure that a vendor’s access to systems, data and corporate infrastructure is revoked when the relationship ends.
All good advice; all steps that every organization in every industry should take. Now tie it back to the question we asked previously: What capabilities would you need to have, to be able to do these things?
For example, if you want to maintain a list of all services, systems, and software provided by third parties, you’ll need strong oversight of your procurement processes. Maybe that comes from an actual, dedicated procurement team that classifies and tracks all that information. Maybe it comes from a new process where the IT team periodically turns off one of those services to see who picks up the phone and starts screaming, and then you tell them they’re responsible for maintaining risk controls on that software.
Or, to assure that you can cut off a vendor’s access to data when a contract ends, maybe you automate your de-provisioning processes and follow up with scans to see which outsiders still access the corporate data repository. And so on and so forth.
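Here is what that follow-up scan can look like in practice. This is an added example, not code from the article or from FINRA: a small reconciliation script that joins a procurement vendor register (the inventory from the previous paragraph) against an export of external accounts from your identity provider or data-repository ACLs, and flags accounts that belong to ended contracts but still hold access, accounts with no vendor record at all (an inventory gap), and enabled accounts nobody has used in a while. The vendor names, account names, dates and field layout are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed vendor/contract register, as a procurement team might keep it.
# "status" is what a human recorded; "contract_end" is the date in the contract.
VENDOR_REGISTER = [
    {"vendor": "acme-monitoring",   "service": "transaction surveillance",
     "contract_end": date(2024, 6, 30),  "status": "ended"},
    {"vendor": "cloudbackup-co",    "service": "offsite backup",
     "contract_end": date(2026, 12, 31), "status": "active"},
    {"vendor": "helpdesk-ltd",      "service": "IT helpdesk",
     "contract_end": date(2025, 1, 15),  "status": "ended"},
    # Register never updated: status still says active but the contract has lapsed.
    {"vendor": "datawarehouse-inc", "service": "ETL pipeline",
     "contract_end": date(2025, 2, 28),  "status": "active"},
]

# Constructed export of non-employee accounts from the identity provider / repository ACLs.
EXTERNAL_ACCOUNTS = [
    {"account": "svc-acme-ingest",       "vendor": "acme-monitoring",
     "enabled": True,  "last_login": date(2025, 3, 2),  "grants": ["trade-data-ro"]},
    {"account": "jdoe@cloudbackup-co",   "vendor": "cloudbackup-co",
     "enabled": True,  "last_login": date(2025, 3, 9),  "grants": ["backup-writer"]},
    # Properly de-provisioned: disabled and stripped of grants when the contract ended.
    {"account": "svc-helpdesk",          "vendor": "helpdesk-ltd",
     "enabled": False, "last_login": date(2025, 1, 10), "grants": []},
    {"account": "svc-dw-etl",            "vendor": "datawarehouse-inc",
     "enabled": True,  "last_login": date(2025, 3, 8),  "grants": ["warehouse-admin"]},
    # Nobody in procurement knows who this is: no vendor recorded.
    {"account": "contractor-x",          "vendor": None,
     "enabled": True,  "last_login": date(2024, 11, 1), "grants": ["shared-drive-rw"]},
    {"account": "auditor@cloudbackup-co", "vendor": "cloudbackup-co",
     "enabled": True,  "last_login": date(2024, 10, 1), "grants": ["backup-reader"]},
]


def ended_vendors(register, today):
    """Vendors whose relationship is over: marked ended, OR whose contract end date
    has passed even if nobody updated the status column."""
    return {
        row["vendor"]
        for row in register
        if row["status"] == "ended" or row["contract_end"] < today
    }


def review_external_access(register, accounts, today, stale_days=90):
    """Return a list of (severity, account, reason) findings.

    high:   account still live after the vendor contract ended, or account has no
            vendor in the register at all (inventory gap).
    medium: enabled account with no login in more than stale_days.
    """
    known = {row["vendor"] for row in register}
    ended = ended_vendors(register, today)
    findings = []
    for acct in accounts:
        name, vendor = acct["account"], acct["vendor"]
        # "Live" means it can still reach data: enabled, or holding any grant.
        live = acct["enabled"] or bool(acct["grants"])
        if vendor is None or vendor not in known:
            findings.append(("high", name, "no matching vendor in register"))
            continue
        if vendor in ended and live:
            findings.append(("high", name, f"contract with {vendor} ended but access remains"))
            continue
        if acct["enabled"] and today - acct["last_login"] > timedelta(days=stale_days):
            findings.append(("medium", name, f"no login in {stale_days}+ days"))
    return findings


if __name__ == "__main__":
    for severity, account, reason in review_external_access(
        VENDOR_REGISTER, EXTERNAL_ACCOUNTS, today=date(2025, 3, 10)
    ):
        print(f"[{severity}] {account}: {reason}")
```

Two design points worth noting. The "ended" test uses the contract end date as well as the status field, because the common failure is not a missing de-provisioning step but a register nobody updated; the `svc-dw-etl` case above is caught only by the date. And an account with no vendor record is treated as a high finding rather than skipped, because it is exactly the inventory gap the previous paragraph is about: if procurement cannot say who owns the access, nobody is maintaining risk controls on it.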
Those specific controls will vary from one company to the next, depending on the IT and human resources you have. My point is simply that you start by thinking through the capabilities you need, and work your way back to specific remediation steps from there.
As to that fixed point on the horizon that you’re trying to reach with your third-party risk management program — well, FINRA’s list of objectives is a good place to start.
