Third-Party Risk Management and the Gramm-Leach-Bliley Act Safeguards Rule

Consider these best practices to ensure third-party service providers adequately protect your customer NPI data.
By: Scott Lang, VP, Product Marketing
September 04, 2024

The Standards for Safeguarding Customer Information, also known as 16 CFR Part 314, is a regulation issued by the U.S. Federal Trade Commission (FTC) that implements key provisions introduced in the Gramm-Leach-Bliley Act (GLBA). The regulation outlines the standards for financial institutions to follow in order to protect the security, confidentiality, and integrity of customer nonpublic personal information (NPI).

Because the law requires service providers or affiliates (such as third parties) to maintain an information security program that protects your customer data, third-party risk management teams should be aware of the provisions in the Safeguards Rule and be prepared to report on its controls.

This post examines the key provisions in the GLBA Safeguards Rule and recommends best practices for ensuring that third-party service providers maintain the security, confidentiality, and integrity of your organization’s customer data.

The GLBA Safeguards Rule and Third-Party Risk Management

The GLBA Safeguards Rule applies to all financial institutions under the jurisdiction of the FTC. It aims to ensure these institutions have robust systems to safeguard customer information. As part of the Rule, financial institutions are required to develop, implement, and maintain a comprehensive written information security program. The program must be appropriate to the institution's size, complexity, and the level of sensitive customer information it handles. Additionally, financial institutions must designate one or more employees to coordinate their information security program, including with third-party service providers. Non-compliance with the standards can lead to penalties and corrective actions.

In general, the Safeguards Rule requires information security programs to include the following elements:

Risk Assessment

Financial institutions must identify and assess risks to customer information in each relevant area of their operations. They must evaluate the effectiveness of current safeguards in place to control these risks.

Design and Implementation of Safeguards

Based on the risk assessment, financial institutions must design and implement safeguards to control the identified risks. These safeguards should be regularly tested and monitored to ensure their effectiveness.

Overseeing Service Providers

Financial institutions must take reasonable steps to ensure that their service providers (e.g., third parties) maintain appropriate safeguards for customer information. This includes requiring service providers by contract to implement and maintain such safeguards.

Adjusting the Program

The information security program should be adjusted based on the results of ongoing risk assessments, monitoring, and changes in the institution's business operations or structure.

Key Third-Party Risk Management Provisions in the Safeguards Rule

According to section 314.3, financial institutions are required to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”

The objectives of the program are to:

  • “Insure the security and confidentiality of customer information;”
  • “Protect against any anticipated threats or hazards to the security or integrity of such information; and”
  • “Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.”

The table below examines key third-party service provider-related provisions in the Safeguards Rule and suggests best practices to address the requirements.

NOTE: This table includes select provisions in section 314.4. For a complete examination of requirements, please review the full Safeguards Rule with your internal audit team or external auditor.

16 CFR Part 314 Standards for Safeguarding Customer Information (Safeguards Rule provision) | Best Practices

(f) Oversee service providers, by:

(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;

Centralize and automate the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs).

Examine a potential third-party service provider’s risks – including business, operational, reputational, financial, and prior data breaches – to inform and add context to third-party selection decisions and ensure that the selected service provider meets not only technical requirements but also acceptable risk thresholds.

A comprehensive third-party risk management (TPRM) platform will then automatically move a selected third party into the contracting phase and kick off further due diligence.

(2) Requiring your service providers by contract to implement and maintain such safeguards;

Centralize the distribution, discussion, retention, and review of third-party service provider contracts to ensure key contractual provisions are included and enforced throughout the third-party lifecycle.

Key capabilities in a contract lifecycle management solution should include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views.
  • AI-based document profiling that enables the extraction of key provisions for automated tracking.
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle.
  • Automated reminders and overdue notices to streamline contract reviews.
  • Centralized contract discussion and comment tracking.
  • Contract and document storage with role-based permissions and audit trails of all access.
  • Version control tracking that supports offline contract and document edits.
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access.

As with (1) above, Prevalent includes automated workflows that move contracted vendors into further due diligence steps as appropriate.

(3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

Look for a solution that features a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of supplier onboarding, at contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes in the relationship.

Key data security and privacy assessment capabilities should include:

  • Scheduled assessments and relationship mapping to reveal where personal data exists, where it is shared, and who has access – all summarized in a risk register that highlights critical exposures.
  • Privacy Impact Assessments to uncover at-risk business data and personally identifiable information (PII).
  • Risk and response mapping to controls, including percent-compliance ratings and stakeholder-specific reports.

Assessments should be managed centrally and backed by workflow, task management, and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data should be correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

How Prevalent Can Help Address GLBA Safeguards Rule Requirements

The Prevalent Third-Party Risk Management (TPRM) Platform automates the critical tasks required to assess, monitor, and manage third-party service providers against security, privacy, and other critical risks. The Prevalent Platform enables third-party risk teams to centrally:

  • Automate third-party service provider sourcing, selection, and onboarding with built-in risk insights and scoring.
  • Profile, tier, and score inherent and residual risks to accurately categorize third-party service providers based on criticality and prescribe additional due diligence.
  • Assess third-party service providers using more than 750 risk assessment templates across multiple risk domains with built-in AI-driven auto questionnaire completion, workflow, task and evidence management, and remediation recommendations.
  • Continuously monitor third-party service provider cyber, business, reputational, and financial risks to validate controls against assessment results and fill gaps between regular assessments.
  • Address complex regulatory reporting requirements with AI and machine learning analytics that normalize and correlate findings from multiple sources.

This regulation is essential for maintaining trust between financial institutions and their customers by ensuring that personal and financial information is adequately protected from unauthorized access and breaches. With 61% of companies reporting a third-party data breach or security incident in the last year, financial institutions must take adequate precautions to ensure third-party service providers are protecting their customer data.

For more on how Prevalent can help you understand your GLBA Safeguards Rule third-party service provider requirements, request a demonstration today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
