Software vendor selection: what to ask and why it matters
When partnering with an outside vendor, especially in financial technology, the stakes are high. Investment advisors need secure, reliable solutions for their IT infrastructure, making the selection process a critical component of maintaining client trust and driving operational efficiency. This is challenging enough, but the rate at which software tools change and cybersecurity risks grow greatly exacerbates the situation. We find that family offices and small advisors feel the pressure particularly acutely as they tend to have less IT resourcing to call on.
Here are key questions that we recommend asking during software vendor due diligence and a breakdown of certifications that matter.
Questions to Ask
1. What problem does this vendor solve for us?
This seems basic, but clarity on your specific needs ensures you’re evaluating vendors against the right criteria, rather than getting swayed by flashy features that don’t align with your goals.
A related question: Do we really need another vendor to accomplish this? We find that fewer moving pieces to track (and less surface area to defend) are worth optimizing for; every vendor you add is another set of credentials, integrations and data flows that has to be secured and monitored.
2. What’s their security posture?
Cybersecurity isn’t optional in financial technology. To get a sense of a company’s security practices, you can ask:
- Where are you storing my data?
- How do you make sure my data is being transferred securely?
- Who will have access to my data and under what circumstances?
- Who is responsible for your security and IT, and what are their qualifications?
- What encryption do you use, at rest and in transit, and who controls the keys?
- How do you keep your software and its third-party dependencies patched, and how quickly?
- What’s your approach to incident response?
- What are your support levels? Do you have service level agreements (SLAs) that outline expected response times and resolution commitments?
- What happens if there is a disaster? How quickly will you notify me if there has been a breach or an outage affecting my data?
While you may not be able to thoroughly assess this yourself, even a non-expert can get a very good sense of whether the vendor takes security seriously. For example, if their Chief Information Security Officer is also the office administrative assistant, that is a big red flag.
If you want to streamline vendor selection, create a standard questionnaire tailored to your organization. Consider including sections on security practices, certifications, technical integrations, and support policies.
3. What certifications do they hold?
A “cheat code” to answering many of the questions above, and more, is to ask which security standards and audit certifications the vendor holds. Even if you’re not an expert, asking about these certifications and confirming they are current helps gauge the vendor’s reliability. Many organizations also publish standard due diligence questionnaires that can guide these conversations.
There are a number of certifications and audit reports that provide valuable signals about a vendor’s commitment to strong security and operational standards. A SOC 2 report is often the baseline for vendors handling sensitive financial data. Strictly speaking it is an auditor’s attestation rather than a certification: the auditor examines the vendor’s controls against the Trust Services Criteria, of which security is mandatory and availability, confidentiality, processing integrity and privacy are optional, so check which criteria the vendor actually had in scope. It’s not the only thing to look for. ISO 27001 certification shows they run an information security management system audited against an internationally recognized framework. If they handle card payments, you want to see PCI DSS compliance.
With SOC 2 reports, be mindful of whether they have a Type 1 and/or Type 2 report. Type 1 only confirms that the controls were designed and in place on a particular date; Type 2 tests whether they operated effectively over a period, typically six to twelve months, so Type 2 is the one that speaks to ongoing practice. Also check the report’s date and period (a report that ended a year ago says little about today), confirm that the system described in it covers the product you are actually buying, and read the “exceptions” the auditor noted: these are the control failures you want to review, along with management’s response to each. As my boss likes to say: just because they have a report doesn’t mean they pass!
Finally, inquire whether they undergo regular penetration tests and vulnerability scans, and ask to see a copy of the most recent report (many vendors will share an executive summary or an attestation letter rather than the full findings, which is reasonable as long as it shows the scope, the date and the severity of what was found). These tests simulate what an attacker would do to break into their software and can reveal holes that need to be patched. Remember that the raw number of findings matters less than whether the tests happen regularly, whether high-severity findings were remediated and retested, and whether the vendor learns from them.
Conclusion
Vendor selection is about more than finding the right features. It’s about trust, security, and long-term partnership. By asking the right questions and prioritizing certified vendors, you’re setting your organization up for success.
Opto takes vendor evaluation extremely seriously, and information security is existentially important to us. For more insights into how Opto supports its clients with cutting-edge tech, visit our website.
For disclaimers, please visit our disclaimers page.