
PODCAST

Vendor Vigilance: Navigating Third-Party Risk

May 06, 2025

Third-party risk is the most clicked-on topic in FINRA's 2025 Regulatory Oversight Report. But what is third-party risk and why are people so interested in it? What can FINRA member firms do to mitigate that risk? And how can FINRA help?

On this episode of FINRA Unscripted, FINRA’s Executive Vice President of Member Supervision Greg Ruppert shares valuable insights on why firms are facing heightened challenges with third-party vendors, the emerging risks posed by fourth-party relationships, and how FINRA's intelligence sharing is helping member firms protect themselves from vendor-related cybersecurity threats.

Resources mentioned in this episode:

Blog Post: Vendors, Intelligence Sharing and FINRA’s Mission

2025 Annual Regulatory Oversight Report

Cybersecurity Advisory—Increasing Cybersecurity Risks at Third-Party Providers

CEO Blog: New FINRA Initiatives to Support Members, Markets, and the Investors They Serve

FINRA Cybersecurity Guidance

Ep. 170: Using Data to Stay Ahead of Risk: Introducing FINRA’s StratIntel Team

Ep. 169: Unpacking FINRA’s 2025 Regulatory Oversight Report


 

Listen and subscribe to our podcast on Apple Podcasts, Google Podcasts, Spotify, YouTube or wherever you listen to your podcasts. Below is a transcript of the episode. Transcripts are generated using a combination of speech recognition software and human editors and may contain errors. Please check the corresponding audio before quoting in print.

 

FULL TRANSCRIPT

00:01 - 00:29
Ray Pellecchia: Third-party risk is the most clicked-on topic in FINRA's 2025 Regulatory Oversight Report. But what is third-party risk and why are people so interested in it? What can member firms do to mitigate that risk? And what can FINRA do to help? Those questions will be answered on this episode of the FINRA Unscripted Podcast by our returning guest, FINRA's Executive Vice President of Member Supervision, Greg Ruppert.
 

00:39 - 01:32
Ray Pellecchia: Welcome to FINRA Unscripted. I'm your host, Ray Pellecchia, and I'm honored to again be joined by our guest, Greg Ruppert, head of FINRA's Member Supervision department. Greg joined FINRA in 2020 as our head of the National Cause and Financial Crimes Program. Before joining FINRA, Greg was a senior vice president in Charles Schwab's Risk Management department, leading teams responsible for several of the key operational and risk areas across the enterprise. And before that, he spent more than 17 years with the U.S. government, achieving the rank of Senior Executive Service. As a Special Agent in the FBI, he had investigator and leadership roles specializing in complex corporate and securities cases, financial crimes, terrorism and cyber. Thanks for joining us, Greg.
 

01:32 - 01:41
Greg Ruppert: Thanks, Ray. This is a very important topic, so I really appreciate the opportunity to talk about it. And as I've said many times, I'm a huge fan of FINRA Unscripted. 
 

01:41 - 02:00
Ray Pellecchia: Thanks, Greg. We appreciate your sharing your expertise. But before we dive into today's topic, let's back up for a second. Why is FINRA talking with firms about third-party risk and other risks? What is FINRA's role here, and what can FINRA do to help firms attack these risks? 
 

02:01 - 02:31
Greg Ruppert: Sure. Right. So FINRA wants firms to have the flexibility to use third-party vendors for cost efficiency as well as to extend their capabilities. But we've also heard from firms that this is an area that's particularly challenging for them. So we thought it would be very important for us to help identify the risks and challenges that accompany those benefits. And we want to make sure that firms are addressing those risks so that customers and the firms themselves are protected. Our creation as a self-regulatory model is really built on industry expertise.


02:32 - 03:28
Greg Ruppert: Then adding into that, we have our ability to take our examinations, where we develop insights and intelligence about the emerging risks and trends that we're seeing, but we're also able to provide effective practices to combat those risks. So, we really want to be in a position where we start sharing back that intelligence to firms so that they can be able to effectively learn from each other, from others in the industry and really strengthen their own risk and compliance programs. We're also building out our own intelligence capabilities that we've talked about in recent podcasts with you and adding to that as we take in that information, but we also take in information from other governmental agencies as well as other entities that also track these risks. So we're able to share alerts and advisories across the entire landscape from what we're seeing, and then partner with law enforcement and other regulators to host educational events for our firms.
 

03:29 - 03:55 
Greg Ruppert: So, we've been seeing member firms find this a very valuable resource, and we'll continue to do this. But it's also important for us because we need to be positioned to understand and address risks. We need to adapt our regulatory standards to the current environments, and then we also need to be able to support innovation by member firms in technology, products and services that will ultimately benefit markets and investors. So we're here and we're focused on being able to do that. 
 

03:55 - 04:03
Ray Pellecchia: Okay. Now on to the type of risk that we're discussing today. What is third-party risk and why is it an area of growing concern?
 

04:04 - 05:16
Greg Ruppert: Yes, it's definitely an area of growing concern, but I'll start out by saying that the practice of contracting with third-party service providers or vendors, if you will, to perform certain activities and functions on a continuing basis, is not new and it's not new to the securities industry. But what we are seeing is that increasingly firms are relying on these vendors to perform key risk management functions and also to assist in supervising sales activity, trading activity, as well as customer communications. But third-party risks can extend beyond just outsourcing and include risks impacting a firm's banking partners, technology, as well as other infrastructure providers. So if we just take a standard definition, NIST defines "third-party providers" as service providers, integrators, vendors, telecommunications and infrastructure support that are external to an organization that operates the manufacturing system. So as we think, in general, of third-party service providers, we're thinking of all the providers a firm might be using to assist with their day-to-day operations. Whenever those critical functions are outsourced, the firm is going to be forced to give up direct control over them.
 

05:16 - 05:49
Greg Ruppert: But we have to understand that they also maintain their responsibility. So, there is risk that something can occur under the third parties' watch, or an incident or issue at the vendor could impact the firm's ability to fulfill its regulatory obligations. We're seeing more cyber and computer-enabled fraud attacks now, specifically targeting those vendors for a variety of those reasons. So we really want to be able to remind firms the importance of conducting due diligence on third-party vendors through the entire lifecycle of the relationship, and prioritizing due diligence on vendors to support key systems. 
 

05:49 - 06:12
Greg Ruppert: Second, maintaining effective third-party vendor risk management programs that include testing and frequent updates to your initial assessments. Like I said, firms are ultimately responsible for the protection of customer data and maintaining business continuity, regardless of reliance on the third parties. And something that might not currently be on your checklist is assessing fourth-party risk during the onboarding process. 
 

06:13 - 06:31
Ray Pellecchia: Fourth parties? OK. We'll come back and talk more about that. In our Regulatory Oversight Report this year, we highlighted third-party outsourcing as a risk. We noted there's been an increase in reliance on vendors. Have we seen any new areas of increased reliance on third-party vendors?
 

06:31 - 07:07
Greg Ruppert: Sure. Through our oversight activity, we've observed that member firms have really ramped up their use of third-party vendors to perform the key risk management, compliance and supervisory functions that I just mentioned. But we're also seeing the use of third-party vendors in key systems such as clearing, carrying and/or settlement functions. Then obviously cybersecurity and technology services are a huge area of expansion. So I'd like to point out, in addition to the report, FINRA also published a Cyber Advisory for third-party vendors that can be found on finra.org that shares more about the risk considerations as firms utilize third-party vendors.
 

07:08 - 08:18
Greg Ruppert: You specifically asked about kind of some of the emerging trends, and I want to address that. One of the emerging trends we've identified as a potential risk is where we have seen vendors introducing generative AI functionality, sometimes without even notifying firms. This is particularly a challenge when the vendor is already onboarded at a firm. So an effective practice we'd like to call out is, in the contracting process, to account for the fact that even if the vendor isn't currently using any generative AI functionality, accounting for the vendor's future adoption with specific notification requirements back to you if they decide to introduce those. This is a challenge for firms to stay on top of, and it can lead to situations where the firm is not aware of data privacy, cyber or other risks that might be introduced, especially where the generative AI tool might rely on an outside model. Then lastly, at FINRA, we have ongoing conversations with our firms around the use of vendors, including through our vendor questionnaires. This really helps us better understand the firms' businesses and allows us to alert them to issues with particular vendors as we identify them. And we then know that it might be likely to impact them.
 

08:19 - 08:23
Ray Pellecchia: Can you give us an example of that happening? An alert like that?
 

08:23 - 08:59
Greg Ruppert: While we have a number of these issues that do come up, one that hit a lot of firms and gained nationwide if not global attention was from the cybersecurity vendor CrowdStrike. CrowdStrike had an outage that impacted multiple industries but also included the securities industry. We were able to take the intelligence that we had—we had a number of firms that were using CrowdStrike as a critical vendor. So within minutes of the situation unfolding, we knew which firms were impacted, and we were able to appropriately reach out to them and ask them what impacts they were seeing.
 

08:59 - 10:07
Greg Ruppert: But then what we were also able to do is communicate with the myriad of governmental agencies that are focused on the securities industry and our trading and market areas, and they called us and asked us to kind of give an assessment of the situation, which we knew immediately how impacted we saw the industry. But more importantly, throughout the day, we were advised by the FBI of specific intelligence related to a criminal threat actor that was looking to target a phishing attack against firms that were using CrowdStrike, and by us having a relationship with them and them sharing that intelligence with us, we were able to specifically deliver that threat intelligence that was actionable to the firms before they were actually attacked by this threat adversary. So with that, we have the ability to use the entire intelligence cycle throughout an incident to be able to protect member firms, to be able to support member firms, but also to be able to serve as that centralized point of assessing what the impact to the entire securities industry would be related to a particular vendor issue.
 

10:08 - 10:15
Ray Pellecchia: Greg, where can firms find guidance on considerations for due diligence for third-party vendors?
 

10:16 - 10:53
Greg Ruppert: Yeah. So as the self-regulatory organization model, or the SRO model, that we are, we're really prioritizing our ability to empower member firm compliance. And we have a number of initiatives, including this one where we're looking at, our priority is to share actionable information with our member firms so they can protect themselves and their customers in advance of our shared goal of investor protection and market integrity. So guidance for firms is included in our Annual Regulatory Oversight Report that can be found on finra.org. But additionally, we've issued Cybersecurity Advisories on this specific topic. So that's all available on our website. 
 

10:53 - 10:58
Ray Pellecchia: Cybersecurity risk in connection with third-party vendors: Is that a thing? 
 

10:59 - 11:39
Greg Ruppert: Yes. We've observed a troubling rise in cyberattacks and operational outages impacting the third-party vendors that are being used by our financial firms. With many firms relying on the same third party for critical services, there actually can be a concentration of risk that magnifies the impact across our industry. Importantly, the interconnectedness of the financial system means that firms face risks from both third-party vendors and the fourth-party vendors they might use. So we've noted that these cyber attacks largely stemmed from threat actors targeting vulnerabilities in the vendors' system management tools. So data breaches, zero-day vulnerabilities, as well as social engineering campaigns.
 

11:40 - 12:08
Greg Ruppert: At least one light of hope here is that our risk monitoring teams have the ability to conduct focused outreach to our firms, alerting them of potential issues or an event, and then sharing any mitigation tactics or providing information on how to protect against this event. So we encourage firms to engage with their risk monitoring analysts and focus on these issues. These cyber event impact assessments are one way that we're tailoring our activity toward specific firms to help them enhance their resilience against threats.
 

12:08 - 12:53
Greg Ruppert: As our CEO Robert Cook just touched upon in a recent blog post announcing the FINRA Forward Initiative, this is one of our priorities. But this only works if firms keep us updated on the third-party vendors they're using. So it's important that the firms report to their risk monitoring analysts any changes to their third-party providers that support key systems or cybersecurity events at third-party providers, because even that advance notice of what they're experiencing can also help the rest of the industry. For more information, our 2025 Regulatory Oversight Report and the Cyber Advisory for third-party vendors include specific examples of successful actions our firms have taken to respond to vendor-related cyber incidents, and that really enhances their ability to limit or prevent future damage.
 

12:54 - 13:18
Ray Pellecchia: Greg, you mentioned FINRA Forward, and that's a series of initiatives to modernize FINRA's rules, to help firms strengthen their compliance programs and to protect investors and member firms from fraud, bad actors and cyber threats. Can you give us a sense of the work being done in these areas, particularly as it relates to third-party risk?
 

13:18 - 14:25
Greg Ruppert: Sure. So third-party risk really crosses over the last two of those items of how do we help boost industry compliance, as well as how do we protect investors and member firms from the bad actors and cyber threats specifically. So we really start out with an initiative we started about two years ago where we were collecting from member firms information about the vendors they were relying upon, and then throughout the process of us assessing where those vendors were and what was happening with those vendors, we really started to build our capabilities to proactively alert firms when there's an issue with a particular vendor. Collecting the information allows us to be more specific and narrowly tailored so that we're not contacting firms about a vendor they don't even have. And we can also speed up our ability to move throughout the industry once we've identified a particular vendor, because we know the other firms that are impacted almost immediately. We're continually monitoring for information related to vendors and sharing that intelligence from different sources. We get it from the government, the FBI, DHS, CISA, and other organizations that put out alerts.
 

14:25 - 15:12
Greg Ruppert: We look at these alerts and then assess whether it's relevant for our membership. So either if it's a particular vendor we know our member is using or it's something we could particularly see that might be coming as a risk to our membership, we can proactively reach out. But what we're trying to do is provide our level of intelligence and expertise internally to more specifically provide our membership with stuff that is specifically relevant for them. In some cases, we also receive reporting from member firms that are experiencing an event, and that is just a great way for us to take that information in and pay it forward to the other member firms that haven't been attacked yet or may not be experiencing the same issue yet, but we can anticipate that it's coming because it's already happening to existing members.
 

15:12 - 15:49
Greg Ruppert: We have a team, as I talked about earlier, that looks at this intelligence. We have cybersecurity specialists as well. And as we review this information and look at what's appropriate to share with the members, we do that. And for the past few months, we've shared several vendor-related alerts. And just to give you a few examples, one was a phishing attack related to a customer support vendor. There have been some high-risk vulnerabilities in a network vendor that have been identified. And then we've also been able to remind firms of the expected activity of bad actors, specifically around the holidays, as an opportunity to compromise systems.
 

15:49 - 16:31
Greg Ruppert: So, a myriad of examples. And if you didn't receive these, it's also because you did not have a vendor that was particularly impacted. So we're really trying to keep down any type of false positive alerts or alerts that wouldn't be directly relevant to you. That's why it's so important to keep up with your list of which vendors you have, third-party and fourth-party, and then being able to advise us of what you're using, because we're really looking at how do we support our membership and support their compliance functions by leveraging the intelligence cycle and getting that information back. So, if you're interested in learning any more about this around vendor information for firms, I'm going to be publishing a blog soon on the topic at FINRA.org. 
 

16:32 - 16:41
Ray Pellecchia: We look forward to seeing that and we'll make sure it gets out to the firms. You mentioned fourth parties and I should have followed up earlier. So those are the vendors to the vendors, am I right? 
 

16:41 - 17:12
Greg Ruppert: That's correct. An effective practice there, Ray, is when you look at the onboarding process, you look at your contractual lists that you set out as you onboard these vendors, is asking them that next step of who do they rely on, if anyone and if they begin relying on somebody during the course of your contractual relationship with them. And we know some of these contractual relationships last for years, making sure that they have the requirement to positively notify you that they've onboarded new vendors that they rely on, that'll become part of your ecosphere. 
 

17:13 - 17:40
Ray Pellecchia: Well, thank you, Greg, so much for joining us to talk about third-party risk. That's it for today's episode of FINRA Unscripted. Listeners, if you don't already, please be sure to subscribe to FINRA Unscripted wherever you listen to podcasts, and all of the resources mentioned in today's podcast will be included on the home page for the podcast episode. Today's episode was produced by me, Ray Pellecchia, and engineered by John Williams. Until next time.
 

17:40 - 17:46
Outro Music
 

17:46 - 18:14
Disclosure
Please note FINRA podcasts are the sole property of FINRA, and the information provided is for informational and educational purposes only. The content of the podcast does not constitute any FINRA Rule or amendment or interpretation to such rules. Compliance with any recommended conduct presented does not mean that a firm or person has complied with the full extent of their obligations under FINRA Rules, the rules of any other SRO or securities laws. This podcast is provided as is. FINRA and its affiliates are not responsible for any human or mechanical errors or omissions. Parties may not reproduce these podcasts in any form without the express written consent of FINRA.
 

