Due Diligence and Ongoing Monitoring

  1. NPI - inherent risk

    This message was posted by a user wishing to remain anonymous
    Posted 02-14-2020 08:18 AM

    We are in the process of revamping our VM program, defining critical and high-risk vendors and oversight requirements. In the past, a vendor who stores or has access to any level of customer NPI would automatically trigger as high risk, either as information security or GLBA, and thus be subject to critical vendor/high-risk annual oversight requirements.

    I recognize that the regulatory definitions of NPI are very broad, but I am wondering if other banks have created tiers of NPI vendors within their VM program based on the amount of information they receive and the types of NPI.

    I tend to want to view NPI from the data breach rule perspective and from the standpoint of asking, if there were a data breach, is it reasonably likely to cause substantial harm to the individuals. For example, a compliance data and analytics vendor that aggregates CRA/fair lending information. They have access to a wide swath of information (loan number, address, etc.) that is technically NPI; however, this information does not include the customer's name/SSN. If a breach occurred, I would think the likelihood of substantial harm to the individual is minimal. I view this vendor much differently than a core vendor, CRM vendor, or loan processing software vendor who might store all of the same info plus name, SSN, credit information, etc. I had a similar thought recently with regard to an insurance company that provides BOLI policies with regard to only a very small number of employees/directors.

    Are all NPI vendors created equal in terms of oversight/due diligence?