Sample Vendor Management Policy for [RIA Firm Name]

Purpose

This Vendor Management Policy establishes the framework for [RIA Firm Name], a Registered Investment Advisor, to oversee third-party service providers handling nonpublic personal information (NPI), ensuring compliance with SEC Regulation S-P (17 CFR Part 248.30), the Gramm-Leach-Bliley Act (GLBA), and applicable state data protection laws, while mitigating cybersecurity and operational risks.

Scope

This policy applies to all third-party service providers (e.g., cloud providers, custodians, IT vendors) who access, process, or store NPI on behalf of [RIA Firm Name]. NPI includes client names, Social Security numbers, account numbers, financial details, or any information that could identify a client or access their accounts.

Definitions

Nonpublic Personal Information (NPI): Information about clients, including names, Social Security numbers, account numbers, or financial data, as defined by Regulation S-P.
Third-Party Service Provider: Any external entity contracted to perform services that involve handling NPI.
Covered Institution: [RIA Firm Name], as a registered investment adviser under the Investment Advisers Act of 1940.

Policy

1. Due Diligence

Pre-Engagement Assessment: Before engaging a third-party service provider, [RIA Firm Name] will evaluate their cybersecurity practices, including:
    Security policies and procedures (e.g., encryption standards, access controls).
    Compliance with Regulation S-P and GLBA.
    History of data breaches or security incidents.
    Financial stability and reputation.
Documentation: Due diligence findings are documented and reviewed by the Chief Compliance Officer (CCO).

2. Contract Requirements

Contracts with third-party providers must include:
    Data Protection: Requirements for AES-256 encryption at rest and TLS 1.3 in transit for NPI.
    Breach Notification: Obligation to notify [RIA Firm Name] within 72 hours of a suspected or confirmed breach involving NPI.
    Compliance: Agreement to adhere to Regulation S-P, GLBA, and applicable state laws.
    Access Controls: Use of unique user IDs, strong passwords, and multi-factor authentication (MFA).
    Termination: Provisions for secure data return or destruction upon contract termination.
Contracts are reviewed by legal counsel and approved by the CCO.

3. Ongoing Monitoring

Annual Reviews: Vendors are assessed annually for compliance with this policy and regulatory requirements, including audits of cybersecurity practices.
Performance Metrics: Vendors must provide regular reports on security incidents, system uptime, and compliance status.
Risk Assessments: Conduct risk assessments for vendors handling sensitive NPI, focusing on alignment with business risks.

4. Incident Response Coordination

Breach Response: In the event of a vendor-related breach, [RIA Firm Name] will:
    Coordinate with the vendor to assess the breach within 24 hours.
    Ensure client notifications are issued within 30 days if sensitive NPI is accessed, per Regulation S-P.
    Document the incident and response per Rule 204-2.
Vendor Cooperation: Vendors must provide full cooperation, including access to logs and forensic data.

5. Recordkeeping

All vendor-related documentation (due diligence, contracts, reviews, incident reports) is retained for at least 5 years, per Rule 204-2. Records are maintained in a secure, encrypted system and available for SEC inspections.

6. Training and Oversight

The CCO oversees vendor management and ensures staff are trained on this policy annually. Training includes procedures for reporting vendor non-compliance to the CCO.

7. Compliance and Enforcement

The CCO is responsible for administering this policy. Violations by vendors (e.g., failure to notify of a breach) may result in contract termination. Internal violations (e.g., failure to follow due diligence) may result in disciplinary action, up to termination.

Approval

This policy is approved by [CCO Name], Chief Compliance Officer, and effective as of [Date]. Annual reviews are documented and maintained for regulatory inspections.