SEC Due Diligence Demands - Documenting Your Results & Regulatory Guidance

The results of the initial and annual reviews should be documented and shared with senior management. This can be in the form of a memo or PowerPoint presentation. You should also save all the questionnaires and supporting documentation through future reference and as evidence of review. Next, slide.

The SEC has repeatedly brought up the importance of vendor management in it's cybersecurity and business continuity plan guidance letters. The SEC indicates that examiners may assess how vendor relationships are considered as part of the firms ongoing risk assessment process, as well as how the firm determines the appropriate level of due diligence to conduct on a vendor. Furthermore, the SEC believes that firm's should have a written contingency plan for managing the response to potential disruptions under various scenarios, such as conflicts of interest, systems failures, or bankruptcy or business failure of the service provider. The review process we discussed to day of identifying your firm's critical service providers, and conducting due diligence will help you prevent business disruptions, and be prepared when they do happen, as well as be ready to demonstrate this to regulators. Next, slide.

In creating their guidance, the SEC has noted that some of the largest data breaches over the last two years have resulted form the hacking of third-party vendor platforms. In addition, in August 2015, hundreds of mutual funds and exchange traded funds, or ETF's, were affected by a systems malfunction at a financial institution that prevented it from calculating accurate NAV's for thee funds. As a result, the critical service provider was unable to deliver timely system generated NAV's or to publish current ETF baskets for certain clients for several days. The SEC's guidance and potential business continuity plan rule, requiring vendor due diligence is designed to help prevent disasters like this.