Make sure the terms and conditions in your service provider agreements align with the requirements of the Safeguards Rule.
5/9/2023 12:00 P.M.
Because many vendors connect to internal organizational systems, and therefore to sensitive employee and customer information, third parties can pose a serious data breach risk. The Ponemon Institute found that nearly two-thirds of the data breaches companies experienced occurred via lax third-party security systems.
The Federal Trade Commission issued the “Final Rule” to amend the Standards for Safeguarding Customer Information (Safeguards Rule), with the requirements coming into effect on June 9, 2023.
The FTC’s Safeguards Rule requires financial institutions, including banks and other organizations that handle sensitive customer information, to have a comprehensive information security program in place.
This includes managing and overseeing third-party vendors that have access to customer information. The rule requires that financial institutions take reasonable steps to ensure third-party vendors protect customer information in their custody or control.
It states specifically: “When a vendor accesses the financial institution’s data or information systems, the financial institution must ensure appropriate access controls are in place. Separately, under paragraph (f), the financial institution must reasonably oversee the vendor’s safeguards, which would necessarily include access controls for the vendor’s system.”
Specifically, you should:
- Evaluate the safeguards used by third-party vendors to protect customer information.
- Require third-party vendors to implement appropriate safeguards to protect customer information.
- Monitor and regularly review the safeguards used by third-party vendors.
- Take appropriate action if a third-party vendor does not comply with the requirements for safeguarding customer information.
If this seems overwhelming, TPx can help. We can review the terms and conditions of your third-party service providers to make sure they align with the requirements of the rule. Go to tpx.com/aca to get started.