GLBA and Third-Party Risk Management
The Standards for Safeguarding Customer Information, also known as 16 CFR Part 314, is a regulation issued by the U.S. Federal Trade Commission (FTC) that implements key provisions introduced in the Gramm-Leach-Bliley Act (GLBA). The regulation outlines the standards for financial institutions to follow in order to protect the security, confidentiality, and integrity of customer nonpublic personal information (NPI).
Because the law requires service providers or affiliates (such as third parties) to maintain an information security program that protects customer data, third-party risk management teams should be aware of the provisions in the Safeguards Rule and be prepared to report on its controls.
- Identify and assess risks to customer information in each operational area.
- Ensure that service providers (e.g., third parties) maintain appropriate safeguards for customer information; require service providers by contract to implement and maintain safeguards.
- Design and implement safeguards to control identified risks; regularly test and monitor safeguards.
- Adjust the program based on results of ongoing risk assessments, monitoring, and changes to operations or structure.
Meeting GLBA TPRM Requirements
The table below examines key third-party service provider-related provisions in the Safeguards Rule and maps capabilities in the Prevalent Third-Party Risk Management Platform to address the requirements.
NOTE: This table includes select provisions from section 314.4 of the Safeguards Rule. For a complete examination of requirements, please review the full Safeguards Rule with your internal audit team or external auditor.
16 CFR Part 314 Standards for Safeguarding Customer Information

| Safeguards Rule | Prevalent Capabilities |
|---|---|
| (f) Oversee service providers, by: | |
| (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; | Prevalent centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs). With this capability, you can examine a potential third-party service provider’s risks – including business, operational, reputational, financial, and prior data breaches – to inform and add context to third-party selection decisions and ensure that the selected service provider meets not only technical requirements but also acceptable risk thresholds. Prevalent then automatically moves selected third parties into the contracting phase to kick off further due diligence. |
| (2) Requiring your service providers by contract to implement and maintain such safeguards; | Prevalent centralizes the distribution, discussion, retention, and review of third-party service provider contracts to ensure key contractual provisions are included and enforced throughout the third-party lifecycle. Key capabilities include: As with (1) above, Prevalent includes automated workflows that move contracted vendors into further due diligence steps as appropriate. |
| (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards. | The Prevalent TPRM Platform features a large library of pre-built templates for third-party risk assessments. Assessments can be conducted at the time of onboarding, at contract renewal, or at any required frequency (e.g., quarterly or annually), depending on material changes in the relationship. Assessments are managed centrally and backed by workflow, task management, and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle. Importantly, Prevalent includes built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors. As part of this process, Prevalent continuously tracks and analyzes external threats to third parties. Prevalent monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions, and financial information. All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, and response initiatives. |
Consider these best practices to ensure third-party service providers adequately protect your customer NPI data.