Third-Party and Vendor Risk for Canadian Wealth-Management Firms
Last updated: May 2026 · Reviewed by Mike Pearlstein, CISSP
Wealth-management firms run on vendors: custodians, portfolio platforms, and outsourced IT. CIRO expects firms to understand and manage the risk those vendors introduce. This is what a practical vendor-risk posture looks like for a small or mid-size Canadian firm.
- CIRO expects firms to manage the risk introduced by the vendors that touch their systems and client data.
- The core artifacts are vendor due diligence, clear data-residency answers, and access records.
- You can meet the expectation without a large compliance team by keeping the evidence current.
When a wealth firm hands us its vendor list during onboarding, the surprise is almost always how many third parties can reach client data that no one had inventoried.
Why vendor risk is a regulator question
A wealth firm’s data and operations depend on third parties. CIRO expects registered firms to understand and oversee that dependency, because a vendor incident can become the firm’s incident. OSFI Guideline B-13 sets parallel third-party risk expectations for federally regulated entities.
The point is not to eliminate vendors. It is to know what each one does, what data it holds, and what the firm would do if that vendor failed or was breached.
The artifacts to keep
A practical posture rests on three documents kept current: vendor due diligence that records who the vendor is and what security it attests to, a clear answer to where client data lives and whether it stays in Canada, and access records showing who can reach what. The Canadian Centre for Cyber Security guidance maps well to a small firm’s reality.
These are the artifacts a firm produces during a CIRO examination or an institutional partner’s vendor review. Keeping them current turns a stressful scramble into a short retrieval.
Making it manageable for a small firm
A small firm does not need an enterprise vendor-management platform. A maintained list of vendors, their data access, and their attestations, reviewed once or twice a year, covers most of the expectation.
A security-led managed IT provider can own much of this, producing the control summaries and access reviews so the firm has evidence ready when it is asked for.
Frequently asked questions
What does CIRO expect on third-party risk?
What vendor-risk documents should a wealth firm keep?
Can a small firm meet this without a compliance team?
Is Fusion Computing the same as Fusion Cyber Group?
Talk to Fusion about your firm’s security
If your firm wants a security-first managed IT partner that understands CIRO expectations and protects client data, talk to us. We can review your current posture and show where the evidence gaps are.
Book a consultation or call (416) 566-2845
Written by Mike Pearlstein, CISSP, founder of Fusion Computing, a Canadian managed IT and cybersecurity provider serving regulated SMBs since 2012.