By Andrew M. Baer, Esq., Contributor
Financial institutions are required by their regulators to evaluate and manage the risk associated with sharing non-public customer and consumer information with third-party vendors. Generally speaking, as a critical component of their overall information security program, they must implement and maintain vendor management policies and procedures that include: pre-contract due diligence to verify each vendor maintains reasonable and appropriate security protections; a written contract with the vendor that mandates use of such protections and optimally reserves certain other rights for the financial institution; and periodic monitoring of the vendor after the contract is signed to verify its security.
This learning guide from SearchFinancialSecurity.com focuses on the second element of vendor risk management: What needs to be in vendor contracts? Or, more precisely, what information security-related clauses should a financial institution include in its contracts with high-risk vendors (i.e., those who will have access to a significant amount of sensitive non-public personal information, such as names combined with account or Social Security numbers) to conform to regulatory guidance and industry best practices for managing vendor risk?
HOW TO MANAGE SECURITY RISKS IN VENDOR CONTRACTS
Vendor contract management: Regulatory guidance is risk-based
Vendor audit and monitoring contractual rights
Data breach protection: Implementing vendor breach safeguards
Vendor risk management: process and documentation