Key takeaways
- FINRA continues to warn that cyberattacks and outages at third-party providers can affect many financial firms at once.
- Vendor risk management should include provider inventories, data access mapping, fourth-party awareness, and business continuity triggers.
- Financial IT leaders need operating evidence that vendor oversight is active after onboarding.
Original source: FINRA
FINRA’s third-party provider cybersecurity advisory is one of the clearest signals financial firms can use to pressure-test vendor oversight. FINRA has observed an increase in cyberattacks and outages at third-party providers used by member firms since 2023 and warns that a provider incident can potentially affect many firms.[1]
The 2026 FINRA report keeps third-party risk in the regulatory conversation and identifies effective practices such as ongoing due diligence, inventories of firm data types accessed or stored by vendors, and monitoring provider services for vulnerabilities or breaches.[2]
Why this is an IT control, not just procurement
Vendor risk management often starts as a contract review. But the operational risk sits inside IT: remote access, API connections, hosted platforms, backup dependencies, data exports, identity federation, support portals, and managed services.
If a critical provider is offline or compromised, the firm needs to know:
- which business functions are affected
- what customer or firm data is involved
- which systems depend on the provider
- who can contact the provider outside normal channels
- what alternate workflow exists
- whether customers, regulators, or counterparties may need communication
The fourth-party problem
Many financial firms understand their direct vendors but have weaker visibility into subcontractors and infrastructure dependencies. A SaaS provider may rely on cloud hosting, email delivery, analytics, outsourced support, or offshore development. Those fourth parties can affect data security and availability even if the firm never signed a contract with them.
FINRA’s guidance encourages firms to think beyond initial vendor selection and consider how vendor incidents affect continuity and supervisory obligations.[1]
Datapath perspective
The most useful third-party risk programs connect vendor files to live operations. A spreadsheet of vendors is not enough if no one knows which providers support trading, client communication, billing, identity, backup, or compliance archiving.
Financial IT leaders should build a tiered provider map. Tier 1 vendors get deeper review, tested outage plans, named owners, incident notification validation, and access reviews. Lower-tier vendors still need data classification and contract ownership.
What to do next
Pick the 10 vendors most likely to disrupt operations or expose customer information. For each one, document access, data types, business function, fourth-party dependencies where known, incident notification terms, recovery expectations, and a backup communication path.
Then test one provider outage as a tabletop. The exercise will show whether third-party risk is a living control or only a procurement record.
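As an added illustration, not code from Datapath or FINRA, the following Python check turns the tiered provider map into operating evidence: it flags Tier 1 providers that lack a named owner, tested outage plan, validated incident notification, backup contact, recent access review or known fourth parties, and flags any provider missing data classification or a contract owner. The field names, the review-age threshold and the sample providers are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Evidence every provider needs regardless of tier (data classification, contract ownership).
ALL_TIERS_REQUIRED = ("data_types", "contract_owner")
# Extra evidence a Tier 1 provider must have on file; names are assumptions for this example.
TIER1_CONTACTS = ("named_owner", "backup_contact")
TIER1_CONTROLS = ("access_documented", "outage_plan_tested", "notification_validated")

@dataclass
class Provider:
    name: str
    tier: int
    business_functions: List[str]      # e.g. trading, billing, identity, archiving
    data_types: List[str]              # classification of firm/customer data the vendor touches
    contract_owner: str = ""
    named_owner: str = ""              # IT owner accountable after onboarding
    access_documented: bool = False    # remote access / API / federation paths recorded
    outage_plan_tested: bool = False   # alternate workflow exercised (e.g. tabletop)
    notification_validated: bool = False  # incident notification terms confirmed with vendor
    access_review_date: Optional[date] = None
    fourth_parties: List[str] = field(default_factory=list)
    backup_contact: str = ""           # contact path outside normal support channels

def find_gaps(p: Provider, today: date, review_max_age=timedelta(days=365)) -> List[str]:
    """Return the evidence gaps for one provider; an empty list means oversight is live."""
    gaps = [f"missing {f}" for f in ALL_TIERS_REQUIRED if not getattr(p, f)]
    if p.tier != 1:
        return gaps
    gaps += [f"missing {f}" for f in TIER1_CONTACTS if not getattr(p, f)]
    gaps += [f"{f} is False" for f in TIER1_CONTROLS if not getattr(p, f)]
    if p.access_review_date is None:
        gaps.append("no access review on record")
    elif today - p.access_review_date > review_max_age:
        gaps.append("access review stale")
    if not p.fourth_parties:
        gaps.append("fourth-party dependencies unknown")
    return gaps

def inventory_report(providers: List[Provider], today: date) -> dict:
    """Map each provider name to its gap list, the artefact a reviewer would ask for."""
    return {p.name: find_gaps(p, today) for p in providers}

# Constructed sample inventory: one complete Tier 1 record, one Tier 1 with gaps, one low-tier vendor.
SAMPLE_PROVIDERS = [
    Provider("HostedOMS", 1, ["trading"], ["client positions", "PII"], contract_owner="procurement",
             named_owner="head of trading tech", access_documented=True, outage_plan_tested=True,
             notification_validated=True, access_review_date=date(2025, 9, 1),
             fourth_parties=["cloud host"], backup_contact="vendor on-call phone"),
    Provider("ArchiveSaaS", 1, ["compliance archiving"], ["email"], contract_owner="compliance",
             access_documented=True, access_review_date=date(2024, 1, 15)),
    Provider("NewsletterTool", 3, ["client communication"], [], contract_owner="marketing"),
]
```

Running `inventory_report(SAMPLE_PROVIDERS, date.today())` yields a per-vendor gap list that can be attached to the tabletop exercise as evidence of what was, and was not, in place.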
Disclaimer: This industry news analysis is intended for informational and marketing purposes only, and nothing presented here is contractually binding or necessarily the final opinion of the authors.