Beyond Service Levels: Why Vendor Due Diligence Is Your First Line of Cyber Defense

On 12 November 2025, SitusAMC, a real estate technology vendor serving hundreds of banks and lenders across the United States, became aware of a cyber incident. The breach potentially exposed client data belonging to some of the world’s largest financial institutions, including JP Morgan, Citigroup, and Morgan Stanley. The incident is a stark reminder of the interconnected risks within financial services and of how far your organization’s security perimeter extends beyond your own walls: your vendors are extensions of your firm, and their vulnerabilities become yours.

According to the Cowbell report cited below, supply chain cyberattacks surged by 431% between 2021 and 2023, with projections of continued dramatic increases through 2025. Sonatype’s 2024 State of the Software Supply Chain report found that software supply chain attacks in 2024 roughly doubled compared to previous years, as attackers recognized that compromising a single vendor can provide access to thousands of organizations simultaneously.

The Illusion of Arms-Length Relationships

Many fund managers treat vendor relationships as transactional: negotiate service levels, sign contracts, monitor deliverables. This approach is dangerously outdated. When your administrator, cloud provider, or IT service partner has access to your systems, data, or networks, they’re not just a vendor – they are a critical component of your operational infrastructure.

Regulators and industry bodies in APAC already recognize this. The Alternative Investment Management Association (AIMA), an industry body, together with Hong Kong’s Securities and Futures Commission (SFC) and the Monetary Authority of Singapore (MAS), have all developed comprehensive frameworks that treat vendor management as a core, ongoing risk management function, not an administrative checkbox.

Existing Frameworks as a Baseline

AIMA’s vendor due diligence questionnaires, particularly the AITEC-AIMA DDQ for cybersecurity, represent the industry’s collective wisdom distilled into actionable frameworks. Created in 2014 and continuously updated by senior technologists from alternative investment firms, these questionnaires have been adopted by over 250 alternative asset management firms and 200 global vendors.

The MAS Technology Risk Management Guidelines impose stringent requirements on financial institutions, mandating comprehensive vendor categorization, risk-based due diligence, and continuous monitoring. The guidelines explicitly address outsourcing arrangements and third-party services, requiring financial institutions to maintain inventories of information assets, conduct ongoing third-party risk assessments, and ensure vendors meet acceptable security standards.

The SFC’s 2023/24 Thematic Cybersecurity Review identified persistent vulnerabilities in vendor risk management and cloud security governance. The findings revealed inadequate third-party provider management, weak due diligence processes, and insufficient service level agreements around cybersecurity – gaps that directly contributed to the eight major cybersecurity incidents documented between 2021 and 2024. The regulators aren’t just looking for documentation – they are expecting evidence of genuine oversight and control.

The Due Diligence Questions You’re Not Asking

Standard vendor assessments focus on uptime guarantees, error rates, and response times. These metrics matter, but they are insufficient. The next generation of due diligence must examine the vendor as if they were part of your firm, because functionally, they are.

Ownership Structure and Financial Health

Who owns your vendor? If they’re backed by private equity, what’s the investment horizon and exit strategy? Ownership structure is only the starting point: you also need to understand the vendor’s complete financial health, not just headline metrics.

This is where alignment of interests becomes critical. Your service provider should be incentivized to deliver secure, reliable service at scale over the long term.

When their incentives are misaligned – focused on short-term profitability, aggressive growth metrics, or preparing for a liquidity event – your security can become collateral damage. Request audited financials and understand their capital structure and financial health.

Sometimes there’s no alternative vendor available – the market has concentration risk, or switching costs are prohibitive. In these cases, you must formally accept the risk while implementing compensating controls.

The Vendor’s Vendors as a Fourth-Party Risk

Your IT service provider likely relies on dozens of their own vendors – cloud infrastructure providers, monitoring tools, communication platforms and backup services. Each represents a potential attack vector. The compromise of SolarWinds in 2020 demonstrated how attackers can weaponize trusted software supply chains to reach thousands of organizations simultaneously.

Demand visibility into critical fourth-party relationships. Which subcontractors have access to your data? What third/fourth party solutions are integrated into the offering? How are they vetted? What access do they have? How are those solutions deployed? What contractual obligations exist regarding data handling and security? If they are deployed and managed by your IT provider, do they have the expertise and training to configure and secure those solutions adequately?

If your vendor can’t answer these questions comprehensively, they don’t understand their own attack surface—and neither do you.

Beyond Certifications and Accreditations

SOC 2 reports and ISO 27001 certificates are table stakes, not proof of security. Dig deeper into the operational reality behind these frameworks.


Request evidence of penetration testing – not just that it happens, but the findings and remediation timelines. Are their penetration testers CREST accredited? How do they handle vulnerability disclosure? What’s their patch management cadence? Can they provide metrics on mean time to detect and mean time to respond to security incidents? Most importantly, can they provide that information to you in an easy to understand, accurate format rather than a meaningless, unactionable data dump?

Enquire about their security operations centre capabilities. Do they have 24/7 monitoring? What threat intelligence feeds do they use? How do they correlate security events across their infrastructure? The sophistication of these answers will reveal whether security is genuinely embedded in their operations or merely an annual compliance exercise.

Incident Response: The Test of Preparedness

When – not if – a security incident occurs, the quality of the response determines whether it becomes a manageable disruption or an existential crisis. Evaluate your vendor’s incident response plan with the same rigor you would your own.

Request their incident response runbooks. How quickly will they notify you of a breach? What information will they provide, and in what timeframe? Do they conduct regular tabletop exercises? Most critically, have they actually executed their plan during real incidents, and what were the outcomes?

The SitusAMC incident revealed that even major financial services vendors can be compromised, and the investigation process can take weeks to understand the full extent of exposure. During that time, your clients, regulators, and stakeholders will be asking you questions. Your vendor’s communication protocols during an incident become your communication protocols.

Business Continuity: Their Problem Becomes Your Problem

What happens if your vendor’s operations are disrupted by ransomware, natural disaster, or business failure? Their business continuity plan directly impacts your ability to serve clients and meet regulatory obligations.

Review their backup and recovery capabilities. Where are backups stored? How frequently are they tested? What’s the recovery time objective and recovery point objective? A vendor who can’t restore operations within your risk tolerance timeframe leaves you exposed.

Consider concentration risk. If your administrator, custodian, and reporting provider all use the same cloud platform or data centre, a single point of failure could disable multiple critical functions simultaneously.

Making This Actionable: A Practical Approach

The comprehensive nature of proper vendor due diligence can seem overwhelming, particularly for smaller funds with limited resources. Prioritization is essential.

Tier your vendors based on data access, operational criticality, and regulatory sensitivity. Your prime broker, administrator, and core IT infrastructure providers warrant the deepest scrutiny. Secondary vendors with limited data access or lower criticality can be assessed with lighter-touch processes.
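The tiering rule above and the fourth-party and concentration questions raised earlier can be put into a small, repeatable check rather than a spreadsheet exercise. The following is an added example, not code from the original article or from any of the bodies it cites. It scores each vendor on the three dimensions the article names (data access, operational criticality, regulatory sensitivity), forces any vendor with full data access or high criticality into Tier 1 regardless of score, maps each fourth party back to the critical vendors that depend on it so shared single points of failure surface, and flags critical vendors that could not enumerate their own subcontractors. The vendor names, fourth-party names, and the inventory itself are constructed for illustration.

```python
"""Vendor tiering and fourth-party concentration check (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordinal scores for the three due-diligence dimensions the article names.
SCORE = {"none": 0, "limited": 1, "full": 2, "low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_access: str             # "none" | "limited" | "full" (access to client/position data)
    criticality: str             # "low" | "medium" | "high" (operational criticality)
    regulatory_sensitivity: str  # "low" | "medium" | "high"
    # Fourth parties the vendor disclosed. None means the vendor could not
    # (or would not) enumerate them, which is itself a finding.
    fourth_parties: Optional[Tuple[str, ...]]


def tier(v: Vendor) -> int:
    """Tier 1 = deepest scrutiny, Tier 3 = lighter-touch review.

    Any vendor holding full client data or running a critical function is Tier 1
    outright; a cheap, low-profile provider with all your client PII is still Tier 1.
    Otherwise the summed score decides between Tier 2 and Tier 3.
    """
    if v.data_access == "full" or v.criticality == "high":
        return 1
    total = SCORE[v.data_access] + SCORE[v.criticality] + SCORE[v.regulatory_sensitivity]
    return 2 if total >= 3 else 3


def concentration(vendors: List[Vendor], max_tier: int = 2) -> Dict[str, List[str]]:
    """Fourth parties shared by two or more vendors of tier <= max_tier.

    Each returned key is a provider whose outage or compromise would take down
    several critical functions at once (the concentration risk the article warns about).
    """
    dependents = defaultdict(set)
    for v in vendors:
        if tier(v) <= max_tier and v.fourth_parties:
            for provider in v.fourth_parties:
                dependents[provider].add(v.name)
    return {p: sorted(names) for p, names in dependents.items() if len(names) >= 2}


def undisclosed(vendors: List[Vendor], max_tier: int = 2) -> List[str]:
    """Critical vendors that could not enumerate their own fourth parties."""
    return sorted(v.name for v in vendors if tier(v) <= max_tier and v.fourth_parties is None)


# Constructed sample inventory; names are hypothetical.
SAMPLE_VENDORS = [
    Vendor("FundAdmin Co", "full", "high", "high", ("cloud-provider-A", "idp-B")),
    Vendor("CustodyBank", "full", "high", "high", ("cloud-provider-A",)),
    Vendor("ReportingSaaS", "limited", "medium", "medium", ("cloud-provider-A", "email-relay-C")),
    Vendor("MSP-IT", "limited", "high", "medium", None),   # failed to disclose subcontractors
    Vendor("OfficeSnacks", "none", "low", "low", ()),
]


def assess(vendors: List[Vendor]) -> Dict[str, object]:
    """One-shot assessment: tier per vendor plus the two findings lists."""
    return {
        "tiers": {v.name: tier(v) for v in vendors},
        "concentration": concentration(vendors),
        "undisclosed": undisclosed(vendors),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_VENDORS)
    for name, t in result["tiers"].items():
        print(f"Tier {t}: {name}")
    for provider, names in result["concentration"].items():
        print(f"Concentration: {provider} is shared by {', '.join(names)}")
    for name in result["undisclosed"]:
        print(f"Finding: {name} could not enumerate its fourth parties")
```

In this constructed inventory the check reports that cloud-provider-A sits under the administrator, the custodian and the reporting provider at once, and that the managed IT provider is Tier 1 yet cannot list its own subcontractors. Both outputs map directly to questions the article says you should be asking; the thresholds and scoring weights are assumptions to be tuned to your own risk appetite.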

Establish a regular review cadence – not just at contract renewal, but throughout the relationship. Quarterly security updates from critical vendors should be standard practice, with annual deep-dive reviews that reassess their risk profile.

Leverage industry resources. The AIMA DDQs, MAS guidelines, and SFC circulars provide ready-made frameworks. Rather than starting from scratch, adapt these proven approaches to your specific context and don’t just rely on complying with your local regulator – utilize the tools from other jurisdictions to your advantage.

Consider engaging third-party specialists for the most critical vendor relationships. The cost of expert assessment is trivial compared to the potential consequences of a significant breach.

Due Diligence as Business Continuity

The traditional view treats due diligence as a one-time hurdle before vendor onboarding. The modern reality demands treating it as ongoing risk management integral to business continuity.

For APAC hedge funds and family offices, the stakes are particularly high. Regional regulators are increasingly aggressive about vendor risk management, with substantial penalties for failures. More fundamentally, your reputation – built over years with high-net-worth clients and institutional allocators – can be irreparably damaged by a single vendor-related breach.

The SitusAMC incident affecting some of the world’s largest financial institutions proves that no organization is immune. Scale and resources don’t guarantee security. What matters is whether you’ve asked the hard questions, demanded substantive answers, and built relationships with vendors who treat your security as indistinguishable from their own.

If your vendor cannot provide transparent, substantive answers to your due diligence questions—about their financial health, ownership structure, security practices or incident response capabilities—that’s not just a concern. It’s a signal that they either don’t know or don’t want you to know. Both scenarios are unacceptable for a critical service provider.

Your vendor due diligence process should answer one fundamental question: if this provider were actually part of our firm, would we accept their security posture, governance standards, and risk management practices? If the answer is no, you shouldn’t accept them as a vendor either.

The attack vectors are multiplying, the threat actors are professionalizing, and the regulators are watching. Comprehensive vendor due diligence isn’t just good practice – it’s the difference between resilience and crisis when the next breach inevitably occurs.


Sources:

Business Standard (November 23, 2025). “JPMorgan, Citi, Morgan Stanley client data may be exposed by hack: Report.” https://www.business-standard.com/amp/world-news/jpmorgan-citi-morgan-stanley-client-data-may-be-exposed-by-hack-report-125112300147_1.html

TipRanks (November 23, 2025). “SitusAMC Cyber Hit Puts JPMorgan (JPM), Citi (C), and Morgan Stanley (MS) Data Under Review.” https://www.tipranks.com/news/situsamc-cyber-hit-puts-jpmorgan-jpm-citi-c-and-morgan-stanley-ms-data-under-review

Insurance Business America (February 19, 2025). “Supply chain cyber attacks surge over 400%, expected to continue rising.” https://www.insurancebusinessmag.com/us/news/cyber/supply-chain-cyber-attacks-surge-over-400-expected-to-continue-rising–cowbell-report-525369.aspx

Sonatype (2024). “State of the Software Supply Chain Report: 10 Year Look.” https://www.sonatype.com/state-of-the-software-supply-chain/2024/10-year-look

AITEC. “The AITEC-AIMA Due Diligence Questionnaire (DDQ).” https://www.aitec.org/ddq

The Hedge Fund Journal. “AITEC and AIMA launch cybersecurity DDQ.” https://thehedgefundjournal.com/news/aitec-and-aima-launch-cybersecurity-ddq/

Monetary Authority of Singapore (January 18, 2021). “Technology Risk Management Guidelines.” https://www.mas.gov.sg/regulation/guidelines/technology-risk-management-guidelines

Monetary Authority of Singapore (January 2021). “Guidelines on Risk Management Practices – Technology Risk” (PDF). https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf

Deacons Law Firm (January 30, 2024). “Hong Kong SFC licensing and compliance hints – January 2024.” https://www.deacons.com.cn/2024/01/30/hong-kong-sfc-licensing-and-compliance-hints-january-2024/

Waystone Compliance (July 18, 2025). “SFC’s Cyber Security Review of Licensed Corporations.” https://compliance.waystone.com/sfcs-cyber-security-review-of-licensed-corporations/