This message was posted by a user wishing to remain anonymous
I recommend a tiering table wherein Critical vendors are defined by access to (Category 1) a system and SSN, DOB or financial information, plus one or more of (Category 2) name, address, phone, biometric, PHI and/or direct interaction with consumers, or (Category 3) a risk exposure greater than 1 million. For High risk I recommend reducing this to a system and/or name and 2 pieces of information from Category 2, with the risk exposure reduced to 500K to 1M, but exclude vendors that are not critical to operations and vendors that do not touch NPI (they can be placed into a Moderate or Low risk tier). Throw in a Moderate tier where Category 1 would include vendors with no NPI but with data share points, such as some tech vendors or consultants. Then have a Low tier for your subscription vendors, etc. Change the criteria within your tiers to meet the risk appetite of YOUR company. Then align and build out the onboarding requirements and questionnaire for each tier by consulting with your IT and Security teams.
The methodology asks: even if a person doesn't have an exact piece of identification for an individual (e.g. SSN, driver's license, etc.), can that person determine the identity of the individual if they have access to 2 or 3 additional pieces of information? If so, then combined, those pieces of information become NPI.
Be sure to account for GDPR, if applicable, as well as CCPA when determining your risk rating tiers. Certain corporations/financial institutions that are global will automatically place any vendor who has access to consumer NPI into a Critical or High risk category. Remember that your initial tiering is based upon the information provided to you and may change as you start your research and review of a vendor.
Original Message:
Sent: 02-14-2020 08:58 AM
From: Denise Dalrymple
Subject: NPI - inherent risk
Just because a vendor has NPI access does not rate them as high risk for us. We primarily consider how they are getting that information and how secure the method is. We have vendors that get some level of NPI (loan number/address like you mentioned) that are still low risk for us based on a collaborative review with our information security dept.
I modified a Venminder risk assessment to suit our needs and use that to rate all vendors on risk - so there are more factors than just NPI that determine how we rate them and what due diligence we require.
We have a list of documents we request based on how we risk rate a vendor. Hope that helps!
Original Message:
Sent: 02-13-2020 06:07 PM
From: Anonymous Member
Subject: NPI - inherent risk
This message was posted by a user wishing to remain anonymous
We are in the process of revamping our VM program, defining critical and high risk vendors and oversight requirements. In the past, a vendor who stores or has access to any level of customer NPI would automatically trigger as high risk, either under information security or GLBA, and thus be subject to critical vendor/high risk annual oversight requirements.
I recognize that the regulatory definitions of NPI are very broad but I am wondering if other banks have created tiers of NPI vendors within their VM program based on the amount of information they receive and types of NPI.
I tend to want to view NPI from the data breach rule perspective and the standpoint of asking, if there were a data breach, is it reasonably likely to cause substantial harm to the individuals. For example, a compliance data and analytics vendor that aggregates CRA/fair lending information. They have access to a wide swath of information (loan number, address, etc.) that is technically NPI; however, this information does not include the customer's name/SSN. If a breach occurred I would think the likelihood of substantial harm to the individual is minimal. I view this vendor much differently than a core vendor, CRM vendor or loan processing software vendor who might store all of the same info plus name, SSN, credit information, etc. I had a similar thought recently with regard to an insurance company that provides BOLI policies covering only a very small number of employees/directors.
Are all NPI vendors created equal in terms of oversight/due diligence?