Cyber compliance through Vendor Risk Management

Mitigating cyber risks at third-party vendors is a prerequisite for meeting cyber-related compliance regulations. 

Dozens of regulations set their own specific standards. For this blog, we cover the key regulatory requirements from the SEC pertaining to third-party risk. 

2024 SEC Exam Priorities and Proposed New Rules 

The SEC’s Division of Examinations has made it clear that oversight of third-party vendors is a key focus for 2024. The SEC expects Managers to: 

  • Address cybersecurity risks associated with technology solutions, whether on-prem or cloud-based. 
  • Take appropriate steps to identify and mitigate risks if a third-party vendor is breached.  
  • Conduct robust oversight and monitoring of vendors to protect sensitive data. 

The enhanced SEC cyber rules currently proposed (but not enacted) will further reinforce two points: 

  • Implement robust cybersecurity policies and procedures, including the assessment and management of third-party risks. Expect related artifacts (policies, vendor assessments, monitoring records) to be requested and reviewed in an exam. 
  • Ensure that vendors adhere to high cybersecurity standards to safeguard against potential breaches that could compromise a Manager’s sensitive client data.  

The recent amendment to the SEC’s Regulation S-P emphasizes the importance of third-party vendor risk management. Under this regulation, firms must: 

  • Conduct thorough due diligence and continuous monitoring of their service providers. 
  • Maintain comprehensive Incident Response Plans, incorporating procedures for addressing potential third-party data breaches. 

The bigger picture – Despite the varying specifics of these regulations, common themes emerge that highlight the broader importance of robust vendor risk management. 

Monitor third-party vendors: These regulatory requirements all emphasize the need for thorough due diligence before onboarding a third-party vendor and continuous monitoring once the vendor is in service. 

Develop incident response plans: Effective incident response plans that address third-party data breaches are crucial, underscoring the importance of taking swift action to mitigate damage. Note that damage is not limited to data. Operational resilience must also be considered, so that the business can continue to function when a Vendor becomes unavailable. 

Actively apply your cybersecurity policy standards to your Vendors: Implementing and maintaining robust cybersecurity policies and procedures is a common mandate, as is the need for Alternative Investment Managers to take an active role in assessing and managing vendor risks rather than relying on vendor attestations alone. 

Next steps – For practical recommendations on how to optimize your cyber program to meet current and upcoming cyber-related compliance requirements, watch our interactive session on June 27 entitled, “Cyber compliance and cyber resilience: Mitigate vendor third-party cyber risks in alternative investments.” 

If you’re interested in talking to a Drawbridge representative now to get your firm ready for the next compliance exam, reach out to one of our representatives at info@drawbridgeco.com