Hi,
If your vendors are using BOX, they should have a contractual relationship with BOX. Therefore, BOX would be a 3rd party from your vendors' perspectives, and they are responsible for ensuring that BOX has the requisite security and privacy controls. If your vendors are obligated to provide you their SOC 2 reports, these reports should include narratives as to their vendor oversight programs; if the SOC 2 reports do not identify BOX as their 3rd party vendor, I suggest that a follow-up is necessary to ensure that BOX is included.
The BOX web site includes a "Trust Center" that has information on how BOX achieves compliance and security. This section of the site also has BOX's SOC 3 report, which is public.
Original Message:
Sent: 9/30/2024 3:03:00 PM
From: Karmin Thompson
Subject: 4th party or Nth party?
I am not sure where to post this question so appreciate additional guidance and/or redirection if needed.
I work within a financial institution, and we have come across instances where external entities (a mortgage investor and the SBA, respectively) have sent us box.com links to upload files that contain NPI. The SBA or mortgage investor in turn gets the files from there. In our program, mortgage investors and the SBA are not traditional vendors and are carved out from most vendor oversight/monitoring functions. Box.com is not our vendor, and we do not have an agreement with them, so we have no information on them or their security measures, and yet we are uploading NPI to them at the direction of these external parties. Would this be an Nth party, a 4th party, or something else to us? Is there some level of inquiry with the SBA or the mortgage investor regarding their vendor monitoring expected in this scenario? Curious if anyone else has encountered this and how you handle it within your program.
Thank you in advance for your time and insight on this line of inquiry.
Kind regards, Karmin Thompson