You are currently viewing NFA Member Responsibilities for Third Party (Vendor) Risk Management

NFA Member Responsibilities for Third Party (Vendor) Risk Management

One of the top priorities for any business is to protect its systems and data from cyber security threats. Many security attacks come through vendors which have access to critical systems and confidential data, and NFA Interpretive Notice 9070 (‘Information Systems Security Programs’) and NFA 9079 (‘Use of Third-Party Service Providers’) establish member responsibilities and guidelines for third party (vendor) risk management to help protect against these threats

To mitigate key risks associated with outsourcing, companies must have a written security policy tailored to their needs, and should implement a vendor risk management process which covers the lifecycle of their vendor relationship including the following stages:

  • Initial Vendor Risk Assessment: all risks associated with a particular function should be identified and evaluated to determine whether outsourcing is appropriate and beneficial to the business. The following aspects should be considered:
    • Data Protection: What critical systems and confidential data might the Third Party Service Provider have access to, and how will that be protected?
    • Information Security Program: What level of maturity is the Third Party Service Provider’s Information Security Program and is it appropriate for the type of services they provide and the data they will process?
    • Regulatory: What is the potential impact to the business and its customers if the Third Party Service Provider has a security breach or can no longer provide the services you intend to use?
    • Logistics: Does the vendor demonstrate that it has the resources and capabilities to perform its functions, including its security responsibilities?
  • Onboarding Due Diligence: When reviewing vendor capabilities, it is important to know if a Third Party Service Provider subcontracts any of the regulatory or regulated functions that are being outsourced to them, e.g., if they store data with another vendor. If so, take additional steps to make sure that they know the identity of the vendor’s subcontractor(s) so they can also be assessed for any potential risks as well. In addition to making sure that all contractors and subcontractors have the experience and capabilities to fulfill their outsourced functions, it is also important that they collectively conform with relevant NFA and CFTC rules and regulations such as data protection and retention.
  • Ongoing Monitoring: The frequency and extent of ongoing monitoring should be scaled to the risk associated with the protection of information involved in the outsourced function(s). Risk-based reviews are required and should include reviewing the accuracy of any reports generated by the Third Party Service Provider, their overall performance, compliance with regulations and if applicable, the stability and functionality of their business.
  • Vendor Termination: Written agreements with Third Party Service Providers should require that the vendor give proper notice of termination and outline the handling of all confidential information upon termination. Measures need to be outlined for removal of access to critical information (including system access) with reasonable timelines set for the preservation, return and / or destruction of any confidential data that was handled within the outsourced functions.
  • Record Keeping: Per NFA and CFTC regulations, records must be kept to demonstrate compliance with all regulations, even after termination, as applicable.

The key to effective and regulatory compliant third party risk management is to implement and follow a documented process throughout the vendor relationship. This includes considering which functions to outsource, and paying particular attention to vendors supporting business critical functions, with access to company system and confidential data, and which involve NFA and CFTC regulatory functions. Members who do not have the resources to monitor their vendors’ security controls should consider outsourcing that function to a security consulting firm or a specialized vendor management company. These protections are directly tied to the safety of your business, and will help ensure that you and your clients are appropriately protected.

For NFA members, vSEC offers a 9070 self-assessment through or directly at NFA 9070 Self-Assessment by vSEC. See how you are doing!

Contact us at [email protected] if you have questions about how we can help with your cyber security needs, including establishing or reviewing your third party risk management program.