Third-Party Vendor Cybersecurity Due Diligence
FINRA expects broker-dealers to perform risk-based cybersecurity due diligence on third-party vendors before granting them access to firm systems or customer data, then enforce those expectations through contracts, ongoing monitoring, and contingency planning. To operationalize this quickly, build an inventory, tier vendors by access/criticality, run a standardized security review, close gaps contractually, and retain audit-ready evidence. (FINRA Rule 3110; FINRA Regulatory Notice 21-29)
Key takeaways:
- Treat third-party vendor cybersecurity due diligence as a supervisory control under your vendor management program. (FINRA Rule 3110)
- Do due diligence before onboarding, then monitor vendors and document outcomes with artifacts an examiner can reperform. (FINRA Regulatory Notice 21-29)
- Put security, recordkeeping, incident notice, and access control requirements into contracts and test your contingency plan for critical providers. (FINRA Regulatory Notice 21-29)
“Third-party vendor cybersecurity due diligence” is a requirement in practice because FINRA ties outsourcing and third-party access to your supervisory obligations and cybersecurity controls. If a vendor can touch firm systems, firm records, or customer information, FINRA expects you to know what you’re delegating, what risks you’re accepting, and what controls and contractual rights you have in place to manage that risk. (FINRA Rule 3110; FINRA Regulatory Notice 21-29)
For a CCO or GRC lead, the fastest path is to translate the requirement into a repeatable workflow: inventory third parties, categorize them by access and criticality, perform a risk-based security review before access is granted, memorialize requirements in the contract, and run ongoing monitoring based on the tier. Your output should be a file that tells a complete story for each in-scope vendor: what data they touch, what you reviewed, what you required, what you approved, and how you will detect and respond if they fail.
This page gives requirement-level implementation guidance designed for quick execution, clean delegation across InfoSec/Procurement/Legal, and exam-ready evidence.
Regulatory text
Excerpt (provided): “Broker-dealers must establish policies and procedures for conducting due diligence on third-party vendors with access to firm systems or customer data, including assessing the vendor's cybersecurity practices and contractual obligations.” (FINRA Rule 3110)
Operator interpretation: You need documented supervisory procedures that require cybersecurity due diligence before a third party gets access, and you must be able to show that the due diligence is risk-based, consistent, and results in enforceable obligations (contract terms) plus ongoing oversight. FINRA frames this as part of your overall supervision program and outsourcing governance. (FINRA Rule 3110; FINRA Regulatory Notice 21-29)
What FINRA is looking for in practice:
- A defined process for approving third parties that connect to systems, process customer data, or host firm records. (FINRA Rule 3110)
- Contract language that sets security expectations and preserves your ability to oversee the provider (for example, audit/assessment rights, incident notifications, and required controls). (FINRA Regulatory Notice 21-29)
- Ongoing monitoring and a contingency plan when a critical provider fails or becomes unavailable. (FINRA Regulatory Notice 21-29)
Plain-English requirement (what it means)
If a vendor can access your network, handle customer information, or host/operate systems that matter to your supervisory and recordkeeping obligations, you must:
- Check their cybersecurity posture before onboarding, at a depth proportional to risk.
- Put the requirements in the contract so you can enforce them and get notified of incidents.
- Monitor performance and security over time, not only at onboarding.
- Plan for failure of critical providers, including how you will continue operations and meet regulatory obligations. (FINRA Regulatory Notice 21-29)
Who it applies to
Covered entities
- Broker-dealers subject to FINRA supervision expectations under FINRA Rule 3110. (FINRA Rule 3110)
In-scope third parties (operational context)
Prioritize due diligence for any third party that:
- Has logical access to firm systems (SSO, VPN, admin consoles, support tools).
- Processes, stores, transmits, or can view customer data or sensitive firm data.
- Hosts core business applications or data (cloud providers, SaaS, managed service providers).
- Supports books-and-records relevant functions or other critical operations tied to your ability to supervise and operate. (FINRA Regulatory Notice 21-29)
What you actually need to do (step-by-step)
Step 1: Build and maintain a third-party inventory (scope control)
Outcome: A list of third parties with enough attributes to tier risk.
- Pull from AP, procurement, contract repository, SSO/app catalogs, and IT spend lists.
- Required attributes per third party:
- Service description and business owner
- Data types handled (customer info, firm confidential, public)
- Access method (API, VPN, SSO, admin access, file transfer)
- Subcontractors/fourth parties (if known)
- Whether the service is “critical” to operations (business continuity impact) (FINRA Regulatory Notice 21-29)
Practical tip: Inventory quality is the gate for everything else. If you cannot name the systems/data each vendor touches, you cannot prove your due diligence is risk-based.
Step 2: Tier vendors by inherent risk (so diligence depth is defensible)
Define a simple tiering model that maps to required diligence actions. Example:
| Tier | Typical criteria | Minimum diligence package |
|---|---|---|
| High | Admin access, customer data, or critical systems | Full security review + contract controls + enhanced monitoring |
| Medium | Limited data, limited integration, non-critical | Standard security review + baseline contract controls |
| Low | No system access, no sensitive data | Basic screening + standard terms |
Document the tier decision for each vendor and who approved it. This supports the “policies and procedures” expectation under supervision. (FINRA Rule 3110)
Step 3: Perform pre-onboarding cybersecurity due diligence (risk-based)
Goal: Determine whether the vendor’s controls are acceptable for the access you plan to grant.
A practical diligence checklist for High/Medium tiers:
- Security governance: security ownership, policies, employee security training program.
- Access controls: MFA, privileged access management approach, account lifecycle controls for vendor staff.
- Data protection: encryption practices, data segregation, secure deletion, DLP approach where applicable.
- Vulnerability management: patching approach, scanning cadence, remediation workflow.
- Incident response: documented IR process, ability to detect/report incidents affecting your data.
- Business resilience: backups, recovery testing, disaster recovery approach for critical services.
- Physical security controls: relevant if they host or handle on-prem assets.
- Independent assurance: request a SOC 2 Type II report (or comparable assurance artifact) if available. Requesting it is a diligence action, not a conclusion: check that the report's scope and period actually cover the service you are buying, read the exceptions, and note the complementary user entity controls the vendor assumes you operate; you still must evaluate fit for your risk.
FINRA’s cybersecurity practices materials and outsourcing guidance support the expectation that you assess controls aligned to the service risk and access. (FINRA Report on Cybersecurity Practices (2015); FINRA Regulatory Notice 21-29)
Decision rule: If you cannot explain why you accepted a control gap, you have not finished due diligence. Record the rationale and compensating controls.
Step 4: Translate diligence results into contractual obligations (make it enforceable)
Your contract should reflect the cybersecurity expectations and oversight rights for the tier. Contract clauses to standardize:
- Security requirements: baseline controls appropriate to the service (for example, MFA for admin access).
- Incident notification: require notification of security incidents affecting your data/systems within a defined number of hours (not "promptly"), with cooperation obligations covering investigation, evidence preservation, and regulatory or customer notice.
- Right to assess/audit: ability to obtain security documentation and perform periodic reviews.
- Subcontractor controls: flow-down requirements to material subcontractors where they can access your data.
- Data handling: permitted use, retention, secure disposal, and return of data at termination.
- Business continuity: commitments for critical services and communication during outages.
- Recordkeeping and access to records: align to your supervisory and record obligations when the vendor holds relevant records. (FINRA Regulatory Notice 21-29; FINRA Rule 3110)
Operational note: Legal language without an owner and a monitoring plan fails in exams. Tie each “must” clause to a control owner and a monitoring activity.
Step 5: Control access during onboarding (make the approval real)
Before granting access:
- Confirm diligence completion and approval.
- Apply least-privilege access: scoped roles, time-bound access with an expiry date where possible, separate admin accounts, no shared credentials, MFA on every vendor account, IP restrictions when appropriate, and session logging for support and admin access.
- Require a named user listing from the vendor (one account per person, no generic "vendor support" logins), make the vendor notify you of leavers, and ensure accounts are tracked in your inventory and reviewed on a schedule.
This closes the common gap where diligence is done “eventually” but access is granted immediately.
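The tiering rubric in Step 2 and the onboarding gate and access review in this step can be turned into a small control that runs against an identity-provider account export. The script below is an added example, not code from the original page or from Daydream; the inventory schema, the CSV export format, the vendor names and the 90-day dormancy threshold are all assumptions chosen for illustration. It assigns a tier from the inventory attributes, refuses access grants that outrun approved diligence, and reconciles live accounts against the approved user listing so the periodic vendor access review (the 90-day plan's last item) produces a finding list rather than an email thread.

```python
"""Vendor access gate and review: tier vendors from inventory attributes,
gate new grants on completed diligence, and reconcile an IdP account export
against the approved user listing.

Added example, not from the original page. The Vendor schema, the CSV
export layout and every vendor/user name below are constructed.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Vendor:
    name: str
    data_types: set          # e.g. {"customer", "firm_confidential", "public"}
    access: set              # e.g. {"sso", "api", "vpn", "admin_console"}
    critical: bool           # business continuity impact if unavailable
    diligence_status: str    # "approved", "pending" or "rejected"
    approved_users: set = field(default_factory=set)
    admin_approved: bool = False


def assign_tier(v: Vendor) -> str:
    """Inherent-risk tier following the page's table: privileged access,
    customer data or a critical service is High whatever else is true."""
    privileged = bool(v.access & {"admin_console", "vpn"})
    if privileged or "customer" in v.data_types or v.critical:
        return "High"
    if v.access or (v.data_types - {"public"}):
        return "Medium"
    return "Low"


def may_grant_access(v: Vendor, role: str):
    """Onboarding gate: no access until diligence is approved, and no admin
    role unless admin access was explicitly approved for this vendor."""
    if v.diligence_status != "approved":
        return False, "diligence not approved"
    if role == "admin" and not v.admin_approved:
        return False, "admin access not approved for this vendor"
    return True, "ok"


def _parse_date(s: str):
    return date.fromisoformat(s) if s else None


def review_vendor_access(inventory, export_csv, today, dormant_days=90):
    """Reconcile an IdP export (constructed CSV format) with the inventory.
    Returns sorted (vendor, username, finding) tuples."""
    by_name = {v.name: v for v in inventory}
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user, vendor_name, role = row["username"], row["vendor"], row["role"]
        v = by_name.get(vendor_name)
        if v is None:                       # account for a vendor nobody inventoried
            findings.append((vendor_name, user, "UNINVENTORIED"))
            continue
        if v.diligence_status != "approved":
            findings.append((vendor_name, user, "ACCESS_BEFORE_APPROVAL"))
        if user not in v.approved_users:
            findings.append((vendor_name, user, "UNAPPROVED_ACCOUNT"))
        if role == "admin" and not v.admin_approved:
            findings.append((vendor_name, user, "UNAPPROVED_ADMIN"))
        expires = _parse_date(row["expires"])
        if expires is None:
            if assign_tier(v) == "High":    # High tier requires time-bound access
                findings.append((vendor_name, user, "NO_EXPIRY_HIGH_TIER"))
        elif expires < today:               # expired but still enabled in the IdP
            findings.append((vendor_name, user, "EXPIRED_NOT_DISABLED"))
        last = _parse_date(row["last_login"])
        if last is None or (today - last).days > dormant_days:
            findings.append((vendor_name, user, "DORMANT"))
    return sorted(findings)


# Constructed inventory and IdP export used to exercise the review.
INVENTORY = [
    Vendor("AcmeCloud", {"customer"}, {"sso", "admin_console"}, True, "approved",
           {"ops1@acmecloud.example", "ops3@acmecloud.example"}, admin_approved=True),
    Vendor("PrintCo", {"firm_confidential"}, {"sso"}, False, "pending"),
    Vendor("Newsletter", {"public"}, set(), False, "approved"),
]
EXPORT_CSV = """username,vendor,role,expires,last_login
ops1@acmecloud.example,AcmeCloud,admin,2025-12-31,2025-06-01
ops2@acmecloud.example,AcmeCloud,user,2025-03-01,2025-02-20
ops3@acmecloud.example,AcmeCloud,user,,2025-06-05
svc@printco.example,PrintCo,user,,2025-05-15
bob@unknownvendor.example,UnknownVendor,admin,,
"""
TODAY = date(2025, 6, 10)


def run_review():
    return review_vendor_access(INVENTORY, EXPORT_CSV, TODAY)


if __name__ == "__main__":
    for vendor, user, finding in run_review():
        print(f"{finding:24} {vendor:14} {user}")
```

Each finding maps to a sentence in the steps above: ACCESS_BEFORE_APPROVAL is the "diligence done eventually, access granted immediately" gap, UNAPPROVED_ACCOUNT and UNAPPROVED_ADMIN are the user-listing and least-privilege requirements, and the expiry and dormancy checks are what a periodic access review should actually produce as evidence.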
Step 6: Ongoing monitoring (prove you supervise after go-live)
Set monitoring by tier:
- High: periodic security reassessment, incident/tabletop coordination, key control attestations, review of major changes (ownership, architecture, material incidents).
- Medium: annual questionnaire refresh or updated assurance artifact request, performance and incident checks.
- Low: track contract renewal and material scope changes.
FINRA’s outsourcing guidance emphasizes oversight and monitoring of vendor performance and planning for provider failure. (FINRA Regulatory Notice 21-29)
Step 7: Contingency planning for critical vendors
For critical providers, document:
- Service dependency map (what breaks if this vendor is down).
- Workarounds, alternate providers, data export/portability plan.
- How you maintain supervision/operations if the vendor fails.
- Escalation and communications plan with the vendor. (FINRA Regulatory Notice 21-29)
Required evidence and artifacts to retain (exam-ready file)
Maintain a retrievable “vendor due diligence packet” per in-scope vendor:
- Vendor inventory entry with tier and business owner
- Completed security questionnaire and vendor responses
- Supporting artifacts (SOC reports if provided, security policy excerpts, incident response summary if shared)
- Internal risk assessment memo: identified gaps, remediation plan, compensating controls, acceptance rationale, approver
- Contract and security addendum with required clauses
- Access approval record (ticket/workflow evidence) and access listing (at onboarding)
- Ongoing monitoring logs (reassessments, reviews, performance notes, incident communications)
- Contingency plan for critical vendors and evidence it is reviewed (FINRA Rule 3110; FINRA Regulatory Notice 21-29)
Daydream fit (earned mention): If your team struggles to keep tiering decisions, questionnaires, approvals, and monitoring evidence in one place, Daydream can act as the system of record for third-party diligence, with standardized workflows and an audit-ready evidence trail mapped to your supervisory procedures. (FINRA Rule 3110)
Common exam/audit questions and hangups
Expect examiners to probe:
- “Show me your policy/procedure for third-party due diligence. Who owns it and how is it enforced?” (FINRA Rule 3110)
- “Which vendors have access to customer data or firm systems? How do you know your list is complete?”
- “Walk me through one high-risk vendor: what did you review, what issues did you find, and who approved acceptance?”
- “Where in the contract do you require incident notification and cooperation?” (FINRA Regulatory Notice 21-29)
- “How do you monitor vendors post-onboarding?”
- “What is your plan if your critical provider goes down or terminates service?” (FINRA Regulatory Notice 21-29)
Hangups that slow teams down:
- No shared definition of “access” (support access, API access, and log access count).
- A questionnaire exists, but there is no documented decision and no tie to contract controls.
- Monitoring is ad hoc and not evidenced.
Frequent implementation mistakes (and how to avoid them)
- Treating due diligence as a one-time questionnaire. Fix: require a decision memo and a monitoring plan per tier. (FINRA Regulatory Notice 21-29)
- Approving vendors without knowing data flows. Fix: force a simple data/access diagram in intake and validate with IT.
- Contracts that don’t match risk. Fix: use tier-based addenda and a clause library reviewed by Legal and InfoSec. (FINRA Regulatory Notice 21-29)
- No contingency plan for critical vendors. Fix: add “exit and continuity” as a required deliverable for high-tier onboarding. (FINRA Regulatory Notice 21-29)
- Evidence scattered across email. Fix: centralize the vendor packet and require upload before approval under your supervisory procedures. (FINRA Rule 3110)
Enforcement context and risk implications
FINRA has made clear through guidance that third-party risk and cybersecurity are examined through the lens of supervision, outsourcing governance, and the firm’s ability to protect customer information and continue operations. Weak diligence shows up as: unauthorized access, delayed incident notification, inability to produce records, and operational outages with no fallback. Your goal is to show a controlled process that identifies and manages these risks, with artifacts that can be re-performed by an examiner. (FINRA Rule 3110; FINRA Regulatory Notice 21-29; FINRA Report on Cybersecurity Practices (2015))
Practical 30/60/90-day execution plan
First 30 days (stabilize scope and stop uncontrolled access)
- Publish/update the written procedure for vendor cybersecurity due diligence, including tiering and approval gates. (FINRA Rule 3110)
- Build the initial vendor inventory and identify in-scope vendors with system/customer-data access.
- Freeze new high-risk onboarding until minimum diligence + contract clauses are in place (define what “minimum” means for your firm).
- Create standard templates: intake form, tiering rubric, security questionnaire, risk acceptance memo, contract clause set.
Next 60 days (make it repeatable and auditable)
- Triage existing vendors: start with the highest-risk and most critical providers. (FINRA Regulatory Notice 21-29)
- Remediate contracts at renewal or via addenda for priority vendors (incident notice, audit rights, data handling, subcontractors).
- Stand up a monitoring calendar by tier, assign owners, and implement a central evidence repository (or Daydream as the workflow and evidence system of record). (FINRA Rule 3110)
Next 90 days (prove ongoing supervision and resilience)
- Complete diligence packets for priority vendors and close or formally accept gaps with documented compensating controls.
- Run a contingency planning exercise for at least one critical provider and document results/actions. (FINRA Regulatory Notice 21-29)
- Implement access reviews for vendor accounts (especially admin/support access) and tie reviews to the vendor inventory.
- Prepare an exam-ready binder: policy/procedures, inventory, sample vendor packets, monitoring logs, contingency plans. (FINRA Rule 3110)
Frequently Asked Questions
Do we have to do the same due diligence for every vendor?
No. FINRA expects risk-based due diligence that scales with access to firm systems, firm records, or customer data. Document your tiering logic and apply it consistently. (FINRA Rule 3110; FINRA Regulatory Notice 21-29)
What counts as “access to firm systems”?
Treat logical access broadly: SSO app access, API integrations, VPN, remote support tools, and admin console access can all create cybersecurity and supervision risk. Your inventory should capture the access path and privilege level. (FINRA Regulatory Notice 21-29)
Can we onboard if the vendor won’t share a SOC report?
You can still perform due diligence using questionnaires, architectural explanations, and contractual commitments, but document what you requested, what you received, and why you accepted any remaining uncertainty. The decision record matters in an exam. (FINRA Rule 3110)
What contract terms do examiners care about most?
Terms tied to oversight and incident handling tend to matter: incident notification/cooperation, audit or assessment rights, data handling and return/deletion, subcontractor controls, and continuity expectations for critical services. (FINRA Regulatory Notice 21-29)
How do we handle cloud/SaaS vendors where we can’t negotiate much?
Treat it as a risk decision. Document the non-negotiable terms, apply compensating controls you control (least privilege, monitoring, data minimization), and get explicit risk acceptance for gaps that matter. (FINRA Regulatory Notice 21-29)
Who should own third-party vendor cybersecurity due diligence?
The CCO/GRC function typically owns the program and evidence under supervisory procedures, while InfoSec owns technical evaluation and Procurement/Legal own contracting workflow. Define RACI so approvals and escalations are clear. (FINRA Rule 3110)