Risk Assessments

  • 1.  NPI - inherent risk

    This message was posted by a user wishing to remain anonymous
    Posted 02-14-2020 08:18 AM

    We are in the process of revamping our VM program, defining critical and high risk vendors and oversight requirements.  In the past, a vendor who stores or has access to any level of customer NPI would automatically trigger as high risk either as information security or GLBA and thus be subject to critical vendor/high risk annual oversight requirements.

    I recognize that the regulatory definitions of NPI are very broad, but I am wondering if other banks have created tiers of NPI vendors within their VM program based on the amount of information they receive and types of NPI.

    I tend to want to view NPI from the data breach rule perspective and the standpoint of asking, if there were a data breach, is it reasonably likely to cause substantial harm to the individuals. For example - a compliance data and analytics vendor that aggregates CRA/fair lending information. They have access to a wide swath of information (loan number, address, etc.) that is technically NPI; however, this information does not include the customer's name/SSN. If a breach occurred I would think the likelihood of substantial harm to the individual is minimal. I view this vendor much differently than a core vendor, CRM vendor or loan processing software vendor who might store all of the same info plus name, SSN, credit information etc. I had a similar thought recently w/regard to an insurance company that provides BOLI policies w/regard to only a very small number of employees/directors.

    Are all NPI vendors created equal in terms of oversight/due diligence?


  • 2.  RE: NPI - inherent risk

    Posted 02-14-2020 08:58 AM

    Just because a vendor has NPI access does not rate them as high risk for us. We primarily consider how they are getting that information and how secure the method is. We have vendors that get some level of NPI (loan number/address like you mentioned) that are still low risk for us based on a collaborative review with our information security dept. 

    I modified a Venminder risk assessment to suit our needs and use that to rate all vendors on risk - so there are more factors than just NPI that determine how we rate them and what due diligence we require. 

    We have a list of documents we request based on how we risk rate a vendor. Hope that helps!

  • 3.  RE: NPI - inherent risk

    Posted 02-14-2020 09:07 AM
    Comment re Denise's response:
    While the residual risk may be mitigated by controls you review (i.e., method for sharing information, other controls your InfoSec dept may review), does that change the inherent risk represented by the type of information (in this case, NPI) that may be shared with the vendor?  Is the list of documents you request from the vendor based on the inherent risk rating for that vendor (ex:  would you ask for a SOC report from the vendor engaged to repave your parking lot?)  Just wondering.

    Rosalie Stremple, MS-MIS, CTPRP, CBCP
    Westfield Bank (Ohio)


  • 4.  RE: NPI - inherent risk

    Posted 02-14-2020 09:14 AM
    We don't look at residual risk when giving a vendor an inherent risk rating. But when InfoSec reviews a vendor's SOC report, the findings are going to impact the vendor's inherent risk rating. We generally don't get to choose how a vendor is going to obtain NPI (for example, is this via a login to the vendor's website? InfoSec reviews the website's security). 
    Our document destruction vendor is considered low risk based on how they destroy our shred documents. However, we had a previous vendor for this same service who was not considered low risk. Both vendors access the same information, but they handle it in different ways.


  • 5.  RE: NPI - inherent risk

    Posted 02-14-2020 12:27 PM
    Access to NPI is only one of 6 risk factors we consider when classifying a vendor, so it does not automatically bump them up to our critical/high risk classification.  That said, if they have access to NPI, we do review their controls through a SOC 2 or something similar... annually for vendors with NPI for high volume NPI or high risk, and biennially for vendors with NPI for a smaller number of members or lower risk factors.  For example, the investment banker who handles employee 401ks has employee (member) NPI, but there is heavy regulatory oversight for the industry and they have NPI for less than 600 people, so we only review their controls every 2 years.


  • 6.  RE: NPI - inherent risk

    Posted 02-20-2020 04:04 PM
    For me, the difference in NPI inherent risk is whether the data will be accessed by or stored on a vendor's network. If yes, then the security of our data is a function of the security of the network, which is tough to accurately assess even with a SOC. AWS for instance can be secure (clean SOC), but nothing stops a customer from disabling the security settings made available by AWS, and a SOC report will never see that. So high inherent risk because of the inherent uncertainty. If the network isn't involved, for me = not high.


  • 7.  RE: NPI - inherent risk

    This message was posted by a user wishing to remain anonymous
    Posted 02-14-2020 03:03 PM

    I recommend a tiering table wherein Critical vendors are defined by access to (Category 1) System and SSN or DOB or Financial Information and one or more of (Category 2) name, address, phone, biometric, PHI, and/or direct interaction with consumer or (Category 3) a risk exposure greater than 1 million. For High risk I recommend reducing to system and/or name and 2 pieces of info from Category 2, reducing the risk exposure to 500k-1m, but exclude vendors that are not critical to operations and those vendors that do not touch upon NPI (they can be placed into a Moderate or Low risk tier). Throw in a Moderate category where Category 1 would include vendors with no NPI but that have data share points, such as some tech vendors or consultants. Then have a Low tier for your subscription vendors, etc. Change up your criteria within your tiers to meet the risk appetite of YOUR company. Then align and build out the boarding requirements and questionnaire for each tier by consulting with your IT and Security teams.

    The methodology is that even if a person doesn't have an exact piece of identification of an individual (e.g. SSN, Driver's License, etc.), can a person determine the identity of an individual if they have access to 2 or 3 pieces of additional information? If so, then combined, those pieces of information become NPI.

    Be sure to account for GDPR, if applicable, as well as CCPA when determining your risk rating tiers. Certain corporations/financial institutions that are global will automatically place any vendor who has access to consumer NPI into a critical or high risk category. Remember that your initial tiering is based upon information provided to you and may change as you start your research and review of a vendor.