
Third-Party Technology Risk: The Governance Gap Most Funds Are Missing

  • May 18
  • 5 min read

Third-party technology is now deeply embedded in how funds operate — but so is the risk that comes with it. Funds, like any other financial firm, rely on several technology solutions in their everyday operations. 


Whether it's cloud providers, CRMs, or AI platforms, these providers are an essential part of the way funds operate. 


But despite the many benefits that come with relying on third-party tools, there are risks that funds need to be aware of when depending on external technology solutions. A 2025 Verizon DBIR study found that over 30% of breaches involved third parties.


Such numbers make it clear that integrating third-party tools into operations comes with a significant level of risk that needs to be understood and managed — and in this article, we explore these risks and how exactly funds can deal with them. 


Cybersecurity Risk

When a fund uses a third-party tool or platform, it indirectly inherits all the security vulnerabilities that platform carries. Supply chain attacks are now the preferred method used by threat actors, with 62% of network intrusions originating with a third party — often someone in the software supply chain.


When a vendor you rely on is breached, your fund's data, investor information, and operational systems can all be compromised — even if your own infrastructure was never touched. In some industries, third-party breaches account for more than 50% of all incidents. 


It is therefore crucial to conduct thorough due diligence on any vendor you intend to partner with — paying particular attention to their security reputation and track record — before making any commitments.


Operational Risk

Technology tools and platforms are prone to failure, and when that happens, the operations of every fund that relies on them are significantly affected. Such failures may include a vendor outage, a cyberattack that brings down a critical system, or a vendor's failure to deliver contracted services.


This is why most platforms offer service level agreements (SLAs), which state the level of uptime the vendor commits to, typically measured over a year. When choosing a vendor, take time to review their SLA for each service offered.


The goal should always be to seek the highest available uptime guarantees, but also to carefully examine the terms of the SLA — particularly what remedies are available if the vendor fails to meet their commitments.


Vendors, especially those offering cloud infrastructure services, typically have different SLAs depending on the services selected and how those services are combined. Make sure you understand all of these and make a choice based on the level of operational resilience your fund requires, while keeping your budget in mind.
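As an added example that is not part of the article, the following Python models how the SLAs of individual services combine when a fund's workflow needs all of them at once, and how redundant alternatives combine instead. It assumes outages of the different services are independent; the service names and percentages are constructed.

```python
# Added example: composite SLA arithmetic for a stack of interdependent services.
# Assumes outages of the individual services are independent (a simplification).
MINUTES_PER_YEAR = 365 * 24 * 60

def serial_availability(slas):
    """Availability when the workflow needs every service up at once (a chain)."""
    total = 1.0
    for sla in slas:
        total *= sla
    return total

def redundant_availability(slas):
    """Availability when any one of several alternatives keeps the workflow running."""
    all_down = 1.0
    for sla in slas:
        all_down *= 1.0 - sla
    return 1.0 - all_down

def annual_downtime_minutes(availability):
    """Convert an availability fraction into expected minutes of downtime per year."""
    return MINUTES_PER_YEAR * (1.0 - availability)

def assess_stack(stack, required_availability):
    """Check whether a chained stack of services meets the fund's resilience target.

    stack: mapping of service name -> SLA availability fraction (e.g. 0.9995).
    """
    composite = serial_availability(stack.values())
    return {
        "composite_availability": composite,
        "downtime_minutes_per_year": annual_downtime_minutes(composite),
        "weakest_service": min(stack, key=stack.get),
        "meets_target": composite >= required_availability,
    }

# Constructed sample: each service individually meets a 99.9% target ...
SAMPLE_STACK = {"compute": 0.9995, "managed_database": 0.9999, "identity_provider": 0.999}

if __name__ == "__main__":
    # ... but the chain as a whole does not: about 0.9984, roughly 840 minutes a year.
    print(assess_stack(SAMPLE_STACK, required_availability=0.999))
    # Two independent alternatives at 99.9% each, usable as fallbacks for one another.
    print(redundant_availability([0.999, 0.999]))
```

The point to take from the sample is that a target met by every service on its own can still be missed by the combination, which is why the SLA of each service in the chain, and the remedies attached to it, need to be read together.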


Compliance Risk

Regardless of the region you operate in, your fund will be subject to several regulations, and non-compliance will always result in penalties. Beyond the financial penalties, non-compliance can also cause reputational damage that is sometimes more impactful than the fines themselves.


It is important to remember that regulators do not accept vendor failure as an excuse. If a third party working on your behalf experiences a breach, violates a law, or harms investors, regulators will hold the fund accountable for poor oversight — not the vendor. 


Your responsibility is to partner with vendors that have a strong compliance track record, particularly with regard to the regulations that apply to your jurisdiction.


Reputational Risk

Reputational risk is the risk that a relationship with a third party leads to controversy, a security breach, or a legal entanglement that damages public opinion of the fund. If a partner engages in unethical activity, your fund may be affected — particularly if the association is publicly known.


The 2022 collapse of FTX illustrates this well. Several major institutional investors, including Sequoia Capital, SoftBank, and the Ontario Teachers' Pension Plan, faced not only direct financial losses but significant reputational damage simply by virtue of their association with a platform later found to have been systematically misappropriating customer funds.


For investment funds, where investor confidence is foundational, this risk is particularly acute. A vendor that mishandles investor data, suffers a public breach, or becomes embroiled in regulatory action can reflect directly on the fund that engaged them. 


Some of these events are difficult to foresee, but taking time to do your homework can surface cultural red flags that help distinguish a reliable vendor from one that may act unethically when put under pressure.


Strategic Risk

When a fund relies on a given vendor — particularly for core operations — there is a risk that any disruption to that vendor could affect the fund's short- and long-term strategy. 


Over-reliance on a single vendor for critical functions such as fund administration, data management, or compliance reporting can create lock-in that limits flexibility and exposes the fund to significant disruption if that relationship ends.


It is therefore important for funds to always have alternatives ready. If your fund relies on Microsoft Azure for its infrastructure, for example, ensure that AWS or Google Cloud Platform are viable alternatives, and that your technical teams have a clear documented plan for executing a migration if one becomes necessary. 


This makes your operations more self-reliant and reduces the risk of being entirely dependent on any single vendor.


Concentration Risk

Concentration risk is one of the least-discussed but most systemic risks in third-party management. Many organisations discover that several of their third-party vendors depend on the same underlying provider — often a major cloud platform or payment processor.


If that shared provider fails, the impact multiplies because multiple vendors go down simultaneously. We are already seeing this dynamic play out with AI.


Many platforms rely on a small number of foundational model providers, meaning that if any one of those providers is affected, the operations of thousands of platforms built on top of them could be disrupted at the same time. 


To avoid being vulnerable to this risk, take time to understand the dependencies of your vendors and explore the option of maintaining alternative providers that do not share the same underlying infrastructure.
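The shared-dependency mapping described above, as an added example that is not part of the article: a small Python inventory of hypothetical vendors, the fund functions they support, and the underlying (fourth-party) providers they are known to depend on, used to find providers whose failure would take down several vendors at once and the functions that would be left without any unaffected supplier. All vendor and provider names are constructed.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names, not from the article).
# tier 1 = critical; depends_on lists the underlying providers each vendor relies on.
VENDORS = {
    "AdminCo":     {"tier": 1, "functions": {"fund administration"},  "depends_on": {"CloudA", "PaymentsHub"}},
    "ReportBot":   {"tier": 1, "functions": {"compliance reporting"}, "depends_on": {"CloudA", "ModelProviderA"}},
    "CRMPlus":     {"tier": 2, "functions": {"investor relations"},   "depends_on": {"CloudB"}},
    "DocAI":       {"tier": 2, "functions": {"document review"},      "depends_on": {"ModelProviderA"}},
    "BackupVault": {"tier": 3, "functions": {"backups"},              "depends_on": {"CloudC"}},
}

def shared_provider_exposure(vendors):
    """Map each underlying provider to the set of vendors that would fail with it."""
    exposure = defaultdict(set)
    for name, vendor in vendors.items():
        for provider in vendor["depends_on"]:
            exposure[provider].add(name)
    return dict(exposure)

def concentration_findings(vendors, critical_tier=1):
    """Report providers shared by two or more vendors, the critical vendors in each
    provider's blast radius, and the functions that would have no unaffected vendor."""
    exposure = shared_provider_exposure(vendors)
    findings = []
    for provider, names in sorted(exposure.items()):
        if len(names) < 2:
            continue  # a single dependent vendor is strategic risk, not concentration
        critical = sorted(n for n in names if vendors[n]["tier"] <= critical_tier)
        lost = set()
        for n in names:
            for fn in vendors[n]["functions"]:
                # does any vendor outside this provider's blast radius cover the function?
                fallback = [m for m, v in vendors.items() if fn in v["functions"] and m not in names]
                if not fallback:
                    lost.add(fn)
        findings.append({"provider": provider, "vendors": sorted(names),
                         "critical_vendors": critical, "functions_lost": sorted(lost)})
    return findings

if __name__ == "__main__":
    for finding in concentration_findings(VENDORS):
        print(finding)
```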


What Boards Should Do

Effective oversight of third- and fourth-party vendors is essential to managing your fund's overall risk profile. This risk cannot be reduced to zero — that would only be achievable by relying on no vendors at all, which is not practical. 


However, with thorough risk assessments and sound strategic planning, it can be meaningfully minimised. Funds should treat vendor risk as a standing governance matter, not an IT issue. 


This means maintaining tiered vendor classification, ensuring contractual protections extend to subcontractors, running regular reassessment cycles, and having a clear incident response plan in place before something goes wrong. 


Regular reporting on vendor risk should also be a fixture at board level, allowing the fund to track progress and demonstrate continuous improvement in how it identifies and manages third-party exposure.


At Daymer, we work with fund boards and independent directors to strengthen governance frameworks and ensure operational risks are identified and properly managed. Get in touch to find out how we can support your board.

