financial industry vendor management

by Michael Werneburg
on 2017.01.11

You are here:
Risk topics
» Risk topics blog
July, 2017
· getting it wrong with R
· de-identifying health information
· that's a lot of tracking!

June, 2017
· gaming Google news
· privacy in this day and age
· another record breach
· writing an industry standard
· ISACA article accepted

May, 2017
· Covey time-management quadrants
· safe harbor de-identification of health data
· an ISACA article

April, 2017
· my guide on managing third party risk
· PMP for five years
· metrics that matter
· 720 reads in 48 hours
· I lost my job

March, 2017
· farewell, SIRA board
· the message and the medium
· an interesting take on consulting

February, 2017
· the ever-expanding sh*tlist
· claiming professional expenses in Canada
· get cyber safe
· the flight of the wealthy

January, 2017
· virtual kidnapping
· financial industry vendor management

November, 2016
· securing your life
· yet another reason to patch

October, 2016
· DNS subdomain discovery
· fintech and information risk

September, 2016
· on failed persons

July, 2016
· how to sabotage innovative projects

June, 2016
· no fix for cyber security in our lifetime


Today I attended an wealth management industry committee meeting in which we're looking at an industry-wide approach to managing third party risk. was asking whether we might as an industry adopt a sprawling set of questionnaires put out by SIFMA in the past year. The purpose being for the industry association to take the lead rather than the regulator, and make this a common business practice rather than a regulatory mandate. Which is what SIFMA’s been doing for some time in the US.

What we’ve decided is to incrementally build a baseline set of cyber security questions that we expect all member dealers, regardless of their size or capability, to ask of vendors when contracting for services that deal with sensitive data. This list of questions will be mapped to the standard controls from sources like NIST.

This will help the wealth management "member dealers" as well as vendors in a few ways: 1. We can prepare answers for the list that convey our competence but also lead the client to things they have to do. 2. By defining a standard for RFI’s, vendors won’t have to respond to random, different RFI formats from scratch as we currently do. 3. Having such guidance means that even the smaller member dealers can learn the ropes. Also, in having guidance on interpreting the answers, smaller clients can deal with a complex response from a vendor. 4. Though it’s intended to start with "cyber", this can be extended to a broader vendor management standard including availability and fundamental vendor assessments (financials, ownership, current legal actions, the usual).

We also discussed the idea that the industry association can use this as a germ of a service of perpetually vetting vendors on behalf of the industry. "Yes, that vendor was a founding vendor and have been in good standing ever since." Between the bank's current undertaking and SIFMA’s initiative, it’s clearly the way that the financial industry will be dealing with third party risk in the future.

big list