Vendor Due Diligence: Evaluating the Security of Third-Party Providers By: Fidelity Investments

Before choosing a solution provider, do your homework to ensure your clients and your firm are protected. For many firms, services provided to clients are dependent on third-party solutions. As such, vendor due diligence evaluations are a critical component of your risk management program. 

There are a number of factors to consider when reviewing a third-party provider. Typical due diligence reviews cover a range of topics, including:

  • Basics — the underlying elements of the partnership with the provider (cost, number of users, bandwidth, etc.)
  • Data security — details around the protection of your sensitive information (encryption, availability of backup systems, etc.)
  • System availability and business continuity — contingency plan to support the business in case of systems failure/process breakdown
  • Privacy policies — the protection parameters and legalese around securing sensitive data
  • Overall viability of provider — details around what makes the provider the right partner for you (financial backing, number of employees, etc.)

While these are all meaningful pieces of an effective review, many of our clients are especially concerned about data security in this environment. They understand that, because a security system is only as strong as its weakest point, improving your cybersecurity program requires evaluating, selecting, and monitoring the vendors that have access to your systems and data. With that in mind, consider whether the vendors you rely on have industry-compliant measures in place to ensure the security and confidentiality of your data. There are several industry-recognized standards you can evaluate as you perform due diligence on a provider’s security practices. By working with providers that meet these standards, you may be able to leverage the benefits of streamlined technology while also protecting sensitive information about your clients and your firm. Additionally, as there may be other risks and considerations specific to your firm and practice, consider seeking the input of professional legal and compliance advisors during a vendor evaluation.

Protecting Client Data

The security of providers should be part of a rigorous vendor evaluation process. After all, financial services firms operate in a regulatory environment that requires them to safeguard client information, while many solution providers may not share those same industry-specific concerns or the internal standards articulated by a firm’s compliance policies. 

As part of a due diligence review, Fidelity suggests that firms ask providers if they are familiar with regulatory requirements specific to the financial services industry, including policies on data retention and encryption, and how their solution satisfies those requirements. 

Relevant regulations may include, but are not limited to, Privacy of Consumer Financial Information from the Securities and Exchange Commission (Regulation S-P), which requires registered advisors to establish appropriate standards to protect customer information.

Rule 204-2 of the Investment Advisers Act of 1940 requires the retention of all books and records relating to an advisor’s written communications. There may be state and international regulations to adhere to as well. For example, the California Consumer Privacy Act (CCPA) enhances the privacy rights for residents of California and is being looked at as a model by other states. And, for anyone doing business, or with clients based, in the European Union, the General Data Protection Regulation (GDPR) would apply. 

FINRA also issued a Notice to Members 05-48, which outlines responsibilities when outsourcing activities to third-party service providers.

Evaluating Security

In addition to considering the relevant industry regulations, firms should understand how a provider can show evidence of successful security audits. When conducting due diligence, firms should ask for the provider’s audit reports, such as an SOC 2 report, and review the document for discussions of compliance and security.

The System and Organization Controls 2: SOC for Service Organizations: Trust Services Criteria or, simply, “SOC 2,” is an audit report issued in accordance with standards set by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). The SOC 2 replaced the Statements on Standards for Attestation Engagements No. 16 (SSAE 16) standard and reports on the effectiveness of an organization’s controls around security, availability, processing integrity, confidentiality, or privacy. The report has two types, with Type I addressing how accurately and thoroughly the provider describes internal controls. Type II contains the Type I report plus an auditor’s determination of operational effectiveness during the review period, typically six months to one year. The AICPA also recently released an “SOC for Cybersecurity” report that would be relevant, but is not yet widely in use.

It’s also important to research whether the provider has an ISO/IEC 27001 certification, which certifies compliance with information security controls published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). 

Other certifications, such as PCI DSS, HIPAA, and FIPS 140-2, while not as broad as SOC 2 and ISO 27001, nevertheless demonstrate a provider’s high level of commitment to security.

Firms may want to determine what type of data encryption is applied by a solutions provider with a hosted model. Encryption means that the contents of files and documents are scrambled and encoded using a computer algorithm. Users who have permission to view the files can decode them, but anyone else who attempts to view the files would see only incomprehensible information. 

The U.S. government evaluates and approves these encryption algorithms, and the Advanced Encryption Standard with a level of 256 bits (AES-256) is an example of one widely used to protect sensitive information. AES-256 is relevant to data, both in transit and at rest, and is used by financial institutions, banks, and e-commerce websites. 
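As an added illustration, not part of the original article and not any provider's code, the following Go program shows what AES-256 protection of a stored client record looks like in practice, using the authenticated AES-GCM mode from Go's standard library: the sealed bytes are unreadable without the key, and a wrong key or any alteration of the stored bytes is rejected outright rather than producing garbage. The key, the record, and the record identifier are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// AES-256 uses a 32-byte key. In a hosted model the key, not the algorithm,
// is what due diligence should ask about: who generates it, where it is
// stored, and whether the provider can read client data with it.
const keyLen = 32

// encryptRecord seals one client record with AES-256-GCM, an authenticated
// mode: the output carries a tag that lets the reader detect any alteration.
// The random nonce is prepended, so the result is nonce || ciphertext || tag.
// aad (additional authenticated data) is not encrypted but is bound to the
// ciphertext, e.g. a record identifier, so one record cannot be swapped for another.
func encryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptRecord reverses encryptRecord. It returns an error, and no
// plaintext at all, if the key is wrong or the sealed bytes were tampered with.
func decryptRecord(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// newGCM builds the AEAD and rejects anything that is not a 256-bit key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record; not real client data.
	record := []byte("client=A. Example;account=****1234;balance=42000.00")
	aad := []byte("record-id:7")
	sealed, err := encryptRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("at rest: %x\n", sealed) // incomprehensible without the key

	plain, err := decryptRecord(key, sealed, aad)
	fmt.Printf("authorized reader: %q err=%v\n", plain, err)

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the stored copy
	_, err = decryptRecord(key, sealed, aad)
	fmt.Println("tampered copy:", err)
}
```

The algorithm is public and identical from one provider to the next, so the questions that separate providers are where the key lives, who can use it, and how that use is logged: a provider that holds both the data and the key can read the data, and an evaluation should ask how access to the key is controlled.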

When Rahul Shah, principal and co-founder of Peninsula Wealth, LLC in San Francisco, moved much of his firm’s technology infrastructure to the cloud, he had concerns about the providers’ ability to protect his data. 

But after investigating their security practices, he concluded that it would actually be easier for someone to break into his offices and steal a server than attempt to break into the security systems employed by the cloud providers he was evaluating. “These providers have reputations to uphold, so if users hear news that their systems aren’t secure, they would quickly lose customers,” says Shah.

User Access Management

While a provider may employ security controls and high-grade encryption, intruders often attempt to exploit weaknesses in user accounts and passwords rather than attack the provider directly. Therefore, another area you may want to inquire about is a provider’s policies regarding user passwords, such as requiring eight or more characters in length or the use of non-alphanumeric characters. Some additional areas to consider evaluating include how inactive user accounts are handled and how much time is allowed to pass before the account is automatically logged out.

Advanced user account access management includes the use of multifactor authentication, where an additional code is required in addition to a username and password when logging in. These codes are typically generated by a physical token device. Sometimes, a random code is sent to a mobile phone via text message. Without this second code, intruders will have less chance of cracking a user account and gaining access. 
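As an added example, not from the article, the Go code below implements the time-based one-time password scheme (TOTP, RFC 6238) that hardware tokens and authenticator apps use, so the “additional code” is shown concretely: the device and the server share only a secret, each derives the current six-digit code from that secret and the clock, and the server accepts a submitted code only within a narrow time window. The secret used is the RFC 6238 test-vector secret, chosen so the output can be checked against the standard.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// RFC 6238 defaults: a new code every 30 seconds, six digits, HMAC-SHA1.
const (
	totpStep   = 30
	totpDigits = 6
)

// totpAt derives the code for a shared secret at a given Unix time. The token
// device (or phone app) and the provider's server both run this; only the
// secret is ever shared between them, never the codes themselves.
func totpAt(secret []byte, unix int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unix/totpStep))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte picks a 4-byte window; clear the top bit; keep the last N digits.
	off := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, bin%mod)
}

// verifyTOTP accepts a submitted code if it matches the current 30-second step
// or one step either side, tolerating small clock skew between device and
// server. A code older than that is rejected even though it was once valid,
// which is what limits the value of a code that was observed in transit.
func verifyTOTP(secret []byte, code string, unix int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		want := totpAt(secret, unix+skew*totpStep)
		if hmac.Equal([]byte(want), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real
	// enrollment uses a random secret delivered once, by QR code or token.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totpAt(secret, now)
	fmt.Println("code shown on device:   ", code)
	fmt.Println("server accepts now:     ", verifyTOTP(secret, code, now))
	fmt.Println("server accepts in 2 min:", verifyTOTP(secret, code, now+120))
}
```

Codes sent by text message are verified the same way on the server side; the difference is that the code leaves the provider’s control on its way to the phone. When a provider describes its multifactor option, it is worth asking which of the two it offers, how wide the acceptance window is, and whether failed attempts are rate-limited.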

Identifying a provider’s policies for handling terminated user accounts is also something you may want to review. One process is to revoke access for the accounts in question immediately and to notify the advisor immediately of any attempt to use a terminated account. It’s up to you to determine what that vendor’s process is in the course of your evaluation.
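The following Go code is an added example, not the article’s or any vendor’s, of the account-lifecycle controls the two preceding paragraphs ask about: a sweep that disables accounts with no recent login, an idle timeout that ends a logged-in session automatically, and immediate revocation at termination with an alert recorded on any later attempt to use the account. The 90-day and 15-minute limits, the user names, and the timestamps are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Illustrative policy values; the inactivity and idle limits are assumed,
// not taken from the article.
const (
	inactivityMax = 90 * 24 * time.Hour
	idleTimeout   = 15 * time.Minute
)

type status int

const (
	active     status = iota // zero value: a normal account
	disabled                 // set automatically after inactivityMax without a login
	terminated               // set by an administrator at offboarding
)

type account struct {
	status    status
	lastLogin time.Time
}

// directory is the provider's user store; Alerts collects the notifications
// the page says should reach the advisor when a terminated account is used.
type directory struct {
	accounts map[string]*account
	Alerts   []string
}

func newDirectory() *directory { return &directory{accounts: map[string]*account{}} }

func (d *directory) add(user string, last time.Time) { d.accounts[user] = &account{lastLogin: last} }

// terminate revokes access immediately but keeps the record, so that later
// attempts to use the account are recognized and reported rather than ignored.
func (d *directory) terminate(user string) {
	if a, ok := d.accounts[user]; ok {
		a.status = terminated
	}
}

// sweepInactive disables active accounts with no login within inactivityMax.
func (d *directory) sweepInactive(now time.Time) []string {
	var hit []string
	for user, a := range d.accounts {
		if a.status == active && now.Sub(a.lastLogin) > inactivityMax {
			a.status = disabled
			hit = append(hit, user)
		}
	}
	return hit
}

type session struct{ lastSeen time.Time }

// login assumes password and second factor were already verified; it decides
// on account status alone and records any use of a terminated account.
func (d *directory) login(user string, now time.Time) (*session, error) {
	a, ok := d.accounts[user]
	if !ok {
		return nil, errors.New("unknown user")
	}
	switch a.status {
	case terminated:
		d.Alerts = append(d.Alerts, fmt.Sprintf("%s login attempt on terminated account %q", now.Format(time.RFC3339), user))
		return nil, errors.New("account terminated")
	case disabled:
		return nil, errors.New("account disabled for inactivity")
	}
	a.lastLogin = now
	return &session{lastSeen: now}, nil
}

// touch records a request and returns false, ending the session, once more than
// idleTimeout has passed since the previous request.
func (s *session) touch(now time.Time) bool {
	if now.Sub(s.lastSeen) > idleTimeout {
		return false
	}
	s.lastSeen = now
	return true
}

func main() {
	now := time.Date(2024, 6, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	d := newDirectory()
	d.add("bob", now.Add(-120*24*time.Hour))
	d.add("carol", now)
	d.terminate("carol")
	_, err := d.login("carol", now)
	fmt.Println("disabled:", d.sweepInactive(now), "| carol:", err, "| alerts:", d.Alerts)
}
```

When asking a vendor about its process, the three details this code makes explicit are the ones to look for in their answer: what the inactivity threshold is, what the idle timeout is, and whether an attempted use of a revoked account is merely refused or also reported.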

Data Backup and Disaster Recovery

Many service providers may rely on outside servers and network infrastructure, opting to outsource those functions to a professional data center provider.

It’s important to understand what other vendors a provider might be using and to get audit reports from those key providers as part of your due diligence. 

Large data centers often maximize hardware efficiency by using virtualization technology. This means that one powerful, high-capacity server can perform the work of multiple, smaller servers. Virtualization technology makes it appear that each small server runs independently, when in reality, it is combined with other small servers that all use the same powerful server. 

In a virtualized environment, each client’s content should be isolated from all other content on the servers to enhance security. Advisors who are not experienced in virtualization technology should consider having the provider’s description appraised and identifying how their content is kept separate from that of other data center clients.

Another advantage these large data centers offer is that service can quickly be switched to a backup if the primary data center experiences a failure. It is important to understand how frequently data is synchronized to the backup system, since data can be lost in the time between the backup system update and the primary data center failure. 

Regardless of the provider, advisors also should consider understanding how their data is protected in the event of an interruption or failure of the provider’s service. Not all providers use multiple data centers in different locations, so learning about a vendor’s disaster recovery and business continuity plans is one part of the evaluation. 

The fact that providers offer backup and business continuity services doesn’t necessarily mean advisors should abandon their own data backup procedures. “We still keep a backup drive in a secure, off-site location that we update once a month, just in case we need it,” says Shah. 

Due diligence in selecting a third-party provider is key to ensuring the safety of your business and the sensitive information you manage on behalf of your clients. In the appendix, you can find a list of proposed questions to guide the conversation with third-party providers during the evaluation process.

Appendix: Sample Questions To Consider Asking Your Providers*

Basics

  • What drives the cost of the solution? Users? Transactions? Bandwidth or storage consumed? 
  • How often can the pricing change and by how much?
  • What is the length of the standard contract? What terms exist around cancelation? Are there severance charges or any long-term costs?
  • Can your provider supply a total cost of ownership model?

Data Security 

  • How do you protect your data? Is encryption used? Is industry standard encryption used (AES 128 or AES 256)? Is it proprietary encryption?
  • How and where is your data stored? What is the data backup and off-site storage schedule?
  • Do you operate your own data center? What level is the center? How secure is the facility?
  • How do you ensure that only authorized personnel have access to your data?
  • Do you have any data security qualifications or certifications? Who is responsible for data security?
  • Who else shares the same cloud environment? Other financial providers? Consumers?

System Availability and Business Continuity

  • Do you have a business continuity plan? How are you supported in case of an outage?
  • What are your support hours? How quickly will problems and issues be resolved?
  • When and how often is routine maintenance scheduled?
  • If I cancel my subscription, what happens to my data?
  • Is there a Service Level Agreement (SLA)? Do you guarantee 99.9% uptime and spell out financial penalties should the promised level of service not be delivered?

Privacy Policies 

  • What are the privacy policies in place? How are customers notified if policies change?
  • What law governs your service provider? Is that law as stringent as the rules that govern your organization?
  • Can you use, disclose, or make public your individual firm’s information?
  • Who is liable in a breach? How will you respond? Are you obligated to notify me? If so, in what time frame?
  • Does the system meet my compliance and regulatory requirements? How will disposal of sensitive data be handled?

Overall Viability of Provider

  • Do you have strong financial backing?
  • How many employees do you have overall? How many provide support?
  • Do you have adequate employee screening and background check procedures?
  • Do you use sub-vendors? If so, what is the full chain of activities and responsibilities in the event of an issue with a sub-vendor?
  • What happens if you go out of business or are acquired?

Information provided in this document is for informational and educational purposes only. To the extent any investment information in this material is deemed to be a recommendation, it is not meant to be impartial investment advice or advice in a fiduciary capacity and is not intended to be used as a primary basis for you or your client’s investment decisions. Fidelity and its representatives may have a conflict of interest in the products or services mentioned in this material because they have a financial interest in them, and receive compensation, directly or indirectly, in connection with the management, distribution, and/or servicing of these products or services, including Fidelity funds, certain third-party funds and products, and certain investment services. The third-party providers listed herein are neither affiliated with nor an agent of Fidelity, and are not authorized to make representations on behalf of Fidelity. Their input herein does not suggest a recommendation or endorsement by Fidelity. This information was provided by the third-party providers and is subject to change. The content provided and maintained by any third-party Web site is not owned or controlled by Fidelity. Fidelity takes no responsibility whatsoever nor in any way endorses any such content. There is no form of legal partnership, agency, affiliation, or similar relationship among an investment professional, the third-party service providers, and Fidelity Investments, nor is such a relationship created or implied by the information herein. Third-party trademarks and service marks are the property of their respective owners. All other trademarks and service marks are the property of FMR LLC or its affiliated companies. 
Fidelity InstitutionalSM provides investment products through Fidelity Distributors Company LLC; clearing, custody, or other brokerage services through National Financial Services LLC or Fidelity Brokerage Services LLC (Members NYSE, SIPC); and institutional advisory services through Fidelity Institutional Wealth Adviser LLC. © 2021 FMR LLC. All rights reserved.
