FINRA, like other regulators globally, has recognized the “increasingly important role” that third-party vendors play in the financial industry, according to a blog post by Greg Ruppert, Executive Vice President, Member Supervision at the self-regulatory organization.
According to Ruppert, member firms are “gradually expanding their use of third-party vendors to perform a wide range of critical activities and functions.” In response, FINRA is continuing its efforts to obtain as much information as possible on these relationships and to map out the interdependencies between third parties and member firms.
The 2025 Third-Party Vendor Request questionnaire was published in January. Firms were asked to provide up-to-date information on critical third-party vendors and banks, in particular those providers essential to their operations, processes or functions. Insight from this information-gathering effort will be published by FINRA “at a later date.”
The blog post, however, also draws attention to the new third-party risk landscape section in the 2025 Regulatory Oversight report, which was also published in January. The new section includes examples of effective practice in the management of third-party vendors as observed by FINRA and represents important guidance for firms managing vendor relationships within an increasingly complex and interconnected ecosystem.
FINRA has “leveraged” the information that it has obtained from member firms in order to “proactively conduct targeted member firm outreach” in relation to events that have affected third-party vendors, including:

| Event | Date | Details |
| --- | --- | --- |
| MOVEit | June 2024 | Vulnerability permitting unauthorized access |
| CrowdStrike | July 2024 | Major outage as a result of code change |
| Ivanti | February 2025 | Vulnerabilities in gateways permitting unauthorized access |
| Oracle | March 2024 | Alleged large-scale data breach |

In addition to notifying member firms of critical issues affecting vendors, FINRA also uses the information to assess potential concentration risk in the industry and to “provide mitigation tactics, guidance or next steps” to help member firms affected by vendor issues.
In concluding the blog, Ruppert issues a call to action, pointing out that FINRA advocates for members to report, on an ongoing basis, not only cybersecurity events, but also any changes to third-party vendors supporting critical activities.