
Vendor Risk Management for Financial Services: Custodians, Data Providers and Software Vendors

A wealth manager's technology and service supply chain is deeper than most realise: a custodian holding assets, a portfolio management platform processing trades, a market data provider feeding valuations, a financial planning tool storing client goals, a compliance platform monitoring suitability, and a dozen SaaS applications in between. Each of these vendors has its own security posture, and that posture directly affects the firm's risk exposure. The Ion Group attack demonstrated what happens when that chain breaks: 40 financial institutions disrupted simultaneously by an attack on a single shared supplier.

Ion Group (Jan 2023): a single ransomware attack on one supplier disrupted 40+ financial institutions globally — the supply chain attack model at scale.

The Financial Services Vendor Ecosystem: What You Are Exposed To

Financial firms typically have three tiers of vendor exposure:

  • Critical infrastructure vendors: Custodians, clearing firms, payment processors, core banking/portfolio platforms — disruption stops the business immediately
  • Operational vendors: CRM, financial planning tools, compliance platforms, regulatory reporting systems — disruption causes significant operational friction within hours
  • Supporting vendors: HR systems, document management, communication platforms, marketing tools — disruption is manageable but still creates data risk

What FCA SS2/21 and DORA Require from Your Vendor Programme

Both FCA SS2/21 and DORA require firms to maintain a structured vendor risk programme that goes beyond annual questionnaires:

  • Outsourcing register: A maintained register of all material outsourced arrangements, updated when new vendors are onboarded or existing arrangements change
  • Due diligence before engagement: Security assessment, financial stability review, regulatory compliance confirmation
  • Contractual provisions: Audit rights, SLA definitions, data return and deletion rights, business continuity obligations, exit provisions
  • Ongoing monitoring: Regular review of vendor security posture — not just annual questionnaire review
  • Concentration risk: Assessment of where multiple critical functions depend on the same vendor or vendor group
  • Exit planning: Documented and tested plan for each material vendor relationship

Why Questionnaire-Based Vendor Risk Fails in Financial Services

The Ion Group and Finastra incidents share a common feature: both companies had vendor risk management programmes at the financial institutions they served. Annual questionnaires were completed, security policies reviewed, assessments filed. None of this detected the vulnerabilities that attackers exploited. Annual questionnaires assess a vendor's security posture at one moment in time, rely entirely on self-reporting, and provide no visibility into the changes that create vulnerability — a new subcontractor, an unpatched server, a misconfigured cloud storage bucket. Panorays provides what questionnaires cannot: continuous, independent, external monitoring of your vendors' actual security posture.

Panorays in Practice: Building a Compliant Vendor Risk Programme

Panorays builds your vendor risk programme in three layers: first, it discovers and inventories your supply chain — including vendors you may not have formally registered; second, it provides a continuous external security score for each vendor, updated daily as their posture changes; third, it generates the structured assessment documentation — risk scores, evidence of monitoring, change history — that FCA SS2/21 and DORA require. For the Kyanite Blue clients who implement Panorays, the outcome is a vendor risk programme that satisfies regulators, generates real-time alerts when vendor risk increases, and replaces a manual, annual process with a continuous, automated one.

Frequently Asked Questions

How many vendors should we be managing through a formal programme?

FCA SS2/21 requires enhanced management for material outsourced arrangements. Materiality is assessed by the impact of disruption: if a vendor's failure would prevent you from delivering an important business service, that vendor is material. Most wealth managers and IFAs have 10–30 material vendors. Panorays scales from this baseline upward and can monitor your entire supply chain, prioritising material vendors for enhanced scrutiny.

We do not have a procurement team. How do we build a vendor risk programme?

Kyanite Blue provides the programme framework as part of the Panorays implementation: a vendor register template, a risk assessment methodology, model contractual provisions, and an ongoing monitoring cadence. The technical monitoring is automated by Panorays; the governance framework is established in the implementation phase. Smaller firms typically have a functional vendor risk programme within 6–8 weeks of starting the implementation.
