At one time or another, member firms will likely need the services of an outside vendor. This may be particularly true for smaller member firms. Outside vendors have their place, but FINRA's Report on Cybersecurity Practices details that level of vigilance needed when it comes contracting with vendors who have access to your IT systems.
The first thing that firms must do to protect themselves is to perform due diligence on the prospective vendor. When it comes to cybersecurity in particular, FINRA has noted that vendors should have a number of controls in place when it comes to, among other things, limits on data access by vendor employees, virus protection, and encryption of data while at rest and in transit to name a few. The key for firms is to make sure that these controls are covered in your vendor contract.
FINRA noted that a number of firms that were reviewed had language in their contracts that included provisions on the following subject areas:
- Non-disclosure agreements/confidentiality agreements.
- Data storage, retention and delivery.
- Breach notification policies.
- Right to audit clauses.
- Vendor employee access limitations.
- Use of subcontractors.
- Vendor obligations upon contract interpretation.
Best practices would certainly dictate including these areas in any contract with a vendor, especially those who have access to your IT systems. If your contracts do not cover these areas, it is time to revisit your vendor contracts and bring them up to date to account for cybersecurity.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
