by Michael Werneburg
Today I attended a wealth management industry committee meeting in which we're looking at an industry-wide approach to managing third party risk. The question raised was whether we might, as an industry, adopt a sprawling set of questionnaires put out by SIFMA in the past year. The purpose would be for the industry association to take the lead rather than the regulator, and to make this a common business practice rather than a regulatory mandate. This is what SIFMA has been doing in the US for some time.
What we’ve decided is to incrementally build a baseline set of cyber security questions that we expect all member dealers, regardless of their size or capability, to ask of vendors when contracting for services that deal with sensitive data. This list of questions will be mapped to the standard controls from sources like NIST.
This will help the wealth management "member dealers" as well as vendors in a few ways:

1. We can prepare answers for the list that convey our competence but also lead the client to things they have to do.

2. By defining a standard for RFIs, vendors won't have to respond to random, different RFI formats from scratch, as we currently do.

3. Having such guidance means that even the smaller member dealers can learn the ropes. Also, with guidance on interpreting the answers, smaller clients can deal with a complex response from a vendor.

4. Though it's intended to start with "cyber", this can be extended to a broader vendor management standard including availability and fundamental vendor assessments (financials, ownership, current legal actions, the usual).
We also discussed the idea that the industry association could use this as the germ of a service that perpetually vets vendors on behalf of the industry: "Yes, that vendor was a founding vendor and has been in good standing ever since." Between the bank's current undertaking and SIFMA's initiative, it's clearly the way that the financial industry will be dealing with third party risk in the future.