Tips for Tackling Third-party Risk Management
FINRA published its Annual Regulatory Oversight Report on January 28, 2025. The report includes critical insights into what financial firms must be aware of to remain compliant. One of several new sections covers the third-party risk landscape.
Over recent years, FINRA has observed increased cyberattacks and outages at third-party vendors (also known as third-party providers).
Adhering to FINRA regulations regarding third-party risk can be particularly challenging for smaller financial firms, which may not have dedicated compliance and/or security resources. We asked Smarsh risk management and compliance experts for advice on how firms can begin their journey toward effective third-party risk management.
Here are their top tips for getting started:
1. Start with a list
One of the first things to do is make a list. Start compiling SaaS solutions that your firm may use or IT vendors that interact with your networks or other information systems. You should also include third parties that provide physical security or support services, such as security guards and janitorial services. Depending on the size of your firm, you may need to enlist help from other departments, such as legal, procurement, and accounting, to ensure that you have a comprehensive list of third parties that interact with your data.
2. Prioritize
After you’ve compiled a comprehensive list, you must understand what type(s) of your organization’s data each third party interacts with. Some may pose more risk than others. For example, a third party with access to your business-critical data via an API may pose more risk than one that has none. In its 2025 report, FINRA also highlights special considerations and questions to ask third-party vendors that use AI/ML. You will want to evaluate each of these vendors — starting with the ones you’ve categorized as posing greater risk — with a questionnaire based on different risk tiers. Check out some of FINRA’s ‘effective practices’ for additional summarized guidance.
3. Remember that it’s a journey — not a destination
It’s best to think of security and compliance initiatives as a journey — not a destination. This means you can never be “done” with assessing third-party risk or other vulnerabilities. It’s an ongoing process, not a box that can be checked. The tips shared in this article are foundational. For more comprehensive guidance, you can check out our guide, 7 Steps to Effective Vendor Risk Management. This resource includes ideas for types of questions to ask, how to develop risk tiers, how to implement controls, and more.
4. Don’t go it alone
It can be time-consuming, frustrating, and, depending on the scope of your third parties, nearly impossible to manage third-party risk effectively with only internal resources. Smarsh offers an automated third-party risk management solution that is cost-effective and efficient. Whether you’re an existing Smarsh customer or new to Smarsh, contact us today to learn more about our cyber and risk management solutions. We can help point you in the right direction based on your organization’s needs and help you easily manage vendors that have access to business-critical data from one centralized database.
Learn from the experts
Financial firms of all sizes are invited to watch a Smarsh-hosted webinar, What You Need to Know About FINRA’s Priorities in 2025. Our compliance experts shared additional insights and guidance pertaining to the latest report, including third-party risk management.
Watch the on-demand webinar or contact Smarsh about enhancing and automating your approach to risk management today.