There is no question that technology is crucial to a firm’s success; financial firms across the globe are adding more and more to their tech stacks, but with this technology comes more significant risks and opportunities for cyberattacks.
With recent events like the huge Equifax and Home Depot cyberattacks, cybersecurity has moved to the top of everyone’s priority list, including regulatory firms like FINRA and the OCIE. Here are four questions you should be asking your software vendors when deciding to use their service.
Do you have a service-level agreement (SLA) in place with customers?
SLAs are great to have, although one can argue that it is not the most important when it comes to cybersecurity and risk management. It is important to understand what your vendor’s service commitment is to you, as some companies will even offer 99 percent uptime in a SLA over a month-long period. It may also benefit you to ask what would happen if your service provider misses their SLA.
Do you make audit reports like SSAE 16 available to customers?
This is an area that many people outside of the IT world do not know much about, so I will go in to detail what this jargon means. There are three standard formats of SSAE 16 reports: SOC1, SOC 2, and SOC 3. Within each standard report, there is type I and type II.
Here is a breakdown of the three reports:
- SOC 1 report is restricted to controls relevant to an audit of a user entity’s financial statements
- SOC 2 report is performed in accordance with AT 101 and covers what is known as Trust Services Principles, which are based on four broad tools: policies, communications, procedures, and monitoring.
- SOC 3 report is also performed in accordance with AT 101 and covers what is known as Trust Services Principles, primarily focusing on topics known as WebTrust and SysTrust. This report only states if the criteria are met (with no description of tests and results or opinion on description of the system) and can be freely distributed.
A Type I report will only give the auditor’s opinion on the fairness of the management’s presentation of the description of the system(s) being audited, and on the suitability of the design of the controls to achieve the control objectives in the description.
A Type II SSAE 16 report covers everything in a Type I report, and also includes the auditor’s opinion on the operating effectiveness of the controls. Obviously, for an auditor to give this opinion, they need to take a deep look into the operations and records of the organization. As a practical matter, the only reports that are relevant and usually done are SOC 1 Type II.
Are they insured for data breaches?
Data breaches cannot be taken lightly, and if a vendor you are using does become breached, you need to ask if they have enough insurance to cover your losses. Can they be sued for this? If so, how much can they be sued for? It is also wise to ask the things for which they are liable. If they use third party vendors in their systems or if they use third parties in the software, they might not take ownership if one of the third parties is hacked.
What certifications or accreditations do they have specific to cybersecurity?
You should inquire about two areas: where the data is stored and how the data is transferred. The storage, or “data centers,” is where personal and confidential data can be stored, and is a likely target for attacks.
One of the most popular certifications is the ISO 27001, which is the highest certification for data center security. The other point of vulnerability is during the data transfer process, which includes items like sign on, passwords, and data encryption. When it comes to the data encryption, you are looking for vendors to carry a 256-bit encryption or higher.
I am sure there are many more questions that can be asked but this is a good starting point. These are some of the most popular questions I have gathered when getting vendor due diligence questionnaires.
To learn more about Advicent technology can help you remain relevant to your clients, click here.