Beware Outsourcing’s Security Risks, Finra Says

Financial services firms must establish procedures to ensure that their day-to-day operations and regulatory compliance are not interrupted in the event of a cybersecurity issue involving a third-party vendor, Finra says.

Third-party vendors are key sources of support in many areas for financial services firms, but a growing frequency of cyberattacks and outages affecting such vendors has led the Financial Industry Regulatory Authority to issue guidance for firms relying on those providers.

The third-party risk landscape is among the new areas of focus in the 2025 Finra Annual Regulatory Oversight Report, released Tuesday. Finra in the report said it has observed an increase in cybersecurity issues among third-party vendors in recent years, and the frequency of these issues increased in the first half of 2024, according to recent Finra advisory guidance.

Finra requires its member firms to establish and maintain supervisory systems — including written supervisory procedures — for any activities or functions performed by third-party vendors. Commonly outsourced functions include legal and compliance services, information technology, administrative tasks, and accounting and finance services, such as payroll and expense-account reporting, according to Finra.

Finra in the annual report recommends several practices that firms should have in place throughout the life cycle of any relationship with a third-party vendor. Among other recommendations, the agency said firms should maintain a list of all services, systems and software components provided by third-party vendors; evaluate how their ability to meet regulatory obligations would be affected if a vendor failed to provide an outsourced service; and adjust default features in technology provided by their vendors, such as by enabling the capture of communications that must be preserved for supervisory review.

Finra further suggests asking potential third-party vendors if they incorporate generative artificial intelligence in their products and, if so, ensuring that the service contract complies with regulatory obligations. For example, contracts should include language that prohibits sensitive firm and customer information from being ingested in a third-party vendor's open-source generative AI tool.

Finra also delved more deeply into the topic of the security risks potentially arising from the use of artificial intelligence.

According to Finra, firms contemplating the use of generative AI tools and technologies should consider how to supervise and use generative AI on enterprise and individual levels; how to identify and mitigate associated risks, such as bias or inaccuracy; whether the firm's cybersecurity program considers generative AI's associated risks, such as leakage of sensitive data; and whether the firm's cybersecurity program considers the use of technology tools, data provenance and processes to identify the use of AI or generative AI by threat actors.

Firms contemplating the use of a third-party-driven generative AI tool may want to consider how to ensure compliance with applicable regulatory requirements and undertakings, Finra added.

"Third-party vendors can pose significant cyber threats to firms by introducing vulnerabilities that can lead to loss of customer information, firm information and other sensitive data," according to Carlo di Florio, president of ACA Group, a New York–based compliance advisory firm. "Firms have an obligation to establish and maintain a supervisory system that is reasonably designed to achieve compliance and protect against these cyber risks, including safeguards for the protection of customer records and information, incident response plans and business continuity plans," di Florio told FA-IQ.