Compliance in Focus is a content series, produced in collaboration with Eventus, about regulatory topics for financial markets and the challenges compliance officers face.
Cybersecurity is mission-critical for institutional trading and investing firms. Not only does the data within the firm’s four walls need to be secure, but any technology vendor who works with the firm also needs to be vetted and monitored to ensure they’re not bringing any risk in with them.
In this article, Markets Media spoke with Brad Nassau, Founder, of Global Compliance Group, about the evolving landscape in vendor due diligence and cybersecurity.
Briefly discuss your professional background and current role / responsibilities?
I bring 20 years’ experience, having started my career at institutional firms including Goldman Sachs and KKR in the areas of risk management and compliance. About ten years ago I founded Global Compliance Group (GCG) with the goal of helping multiple clients across multiple platforms. Early on our team was asked to support a large project focused on compliance with cybersecurity controls, and our focus on the intersection of compliance and cybersecurity continued from there.
We provide regulatory compliance and cybersecurity consulting services for clients ranging from large multinational companies across the financial services spectrum: broker-dealers, hedge funds, trading platforms and financial technology and regulatory technology startups.
One of our focus areas is compliance for ATS platforms, where the SEC has initiated or enhanced rules around cybersecurity. There is a big overlap between compliance and cybersecurity and we understand that nexus very well.
One of our first cybersecurity engagements was for a large financial institution, who wanted help building out their cybersecurity audit plan globally, enterprise-wide. We did the initial assessment, wrote the plan, and helped them implement it. More recently, we’re helping startup FinTech and RegTech vendors get onboarded with the big banking institutions, in both compliance and cybersecurity. For smaller firms, this process can be overwhelming, and we help them navigate the regulatory landscape.
What’s most important in the area of vendor due diligence and cybersecurity?
There are regulatory requirements across the board, both for large institutions and the startups that want to work with those firms. For example, dark pool platforms and ATSs have certain regulatory obligations as it relates to cybersecurity and vendors.
To help startups and vendors get onboarded at big institutions, we can develop, test, and document their compliance and cybersecurity controls. Many startups don’t even know what they need to have, so we provide the roadmap to be approved as vendors. We understand exactly what their clients, those large institutions, need because we’ve worked with them for years. We’re providing our intellectual capital as an economy of scale, which helps us more easily get the next client onboarded…and the one after that.
Helping clients seize the opportunity to get it right upfront is critical. Having to backpedal and backfill your controls suggests you’re not able to look after these institutions’ front-page risk of managing personal identifiable information (PII), client accounts, or the movement of assets.
What are some of the main concerns that large banking institutions have with vendors, and how are the concerns addressed?
The largest institutions have dozens or even hundreds of workstreams they evaluate when assessing a vendor – antivirus software, password security, mobile device management, software development processes, asset transfer or informational chain of custody – any number of things. The compliance questionnaires from big institutions are hundreds if not thousands of line items, which are very daunting for vendors.
Big banking institutions want to know how you control for every single aspect – how you store data, how you track changes to your IT systems, what technology is used for encryption, how you ensure technology providers have the necessary controls in place and are operating effectively, how your backups are stored, how you prevent ransomware, etc. Each of those must be disclosed, and we help vendors answer these questions because that is our primary business – to analyze and understand and advise on cybersecurity and regulatory compliance. In theory, a big banking firm’s concerns can span the entirety of cybersecurity – and for a vendor, trying to solve that on their own can be a non-starter.
Is the bar that big banks have for vendors in cybersecurity higher than it was five or 10 years ago? How has this evolved?
The bar is much higher today and there are more players in the compliance and cybersecurity space. But they don’t all have the same level of expertise. Our knowledge has been iterative, and we’ve evolved as we’ve gained more experience and worked with more clients.
Today, some of the questions banks ask are: “What are the documented controls? What does testing around it look like?” In addition, there are external tests like SOC 2 from an auditor, or a bank might follow up with an existing technology vendor to audit those controls.
We see how banks are looking at new areas and want additional assurances and as we learn more from them, we share that information with clients.
How do you see vendor due diligence in cybersecurity evolving in the future?
To say it will be interesting is an understatement. It will depend on the needs of customers using the banks and financial services firms. It might be that all vendors will be subject to SOC 2 before opening day at these big banks. Today you can use a vendor with the right controls in place who hasn’t been subject to an external audit, and they may be onboarded. But we expect that may change over time. Which is why we recommend, based on our risk analysis, that all vendors understand what it is to be SOC 2 compliant and have everything locked down, controlled, tested, and validated – and to come out with the right mark in order to be onboarded.
If there isn’t a pool of SOC 2-compliant vendors to choose from, then a vendor solution to plug in may not be an option. So, the more vendors that are SOC-2 compliant, the better off the whole financial services industry will be.
What would be your “elevator pitch” in terms of the main things people should be thinking about?
Your firm only gets one chance to provide its credentials to be a preferred vendor. Do it once, and do it right.