Bad News: Few Vendor Checks
It's common knowledge in the information security community that the 2013 cyber-attack on retailer Target – one of the biggest reported breaches of customer data ever – came about because hackers stole credentials from Target's HVAC vendor.
Still, despite the attention they pay to their own cyber-attack risk and readiness, the companies examined by the OCIE are remiss in vetting their vendors and partners. While 84% of broker-dealers require cyber security risk assessments of vendors that have access to their networks, fewer than a third of investment advisers have any such requirements.
A slim majority of broker-dealers (51%) have cyber security training policies and procedures in place for third parties with network access. Investment advisers again fare worse; only 13% have such policies. Investment advisers are also largely deficient in incorporating cyber security requirements into third-party contracts, with more than three-quarters failing to do so.