Risk Assessments

Hello,

I have a question regarding NPI and NPI access. I work for a community Bank, and many of our vendors have access to NPI.

Should we automatically consider every vendor a high risk, regardless of their level of access or the number of customers or employees NPI?

Right now, we ask the question:

1- Will/does this vendor in any way host or store NPI or PII of customers, clients, or employees? 

Is there a way of distinguishing the level of access, so that not every vendor is high risk? 

As an example, we consider a file sharing vendor a high risk, even though we rarely use them, but since we share client files, we consider this vendor a high risk. 

Any input would be greatly appreciated.

We create a data tier rating for all vendors. If NPI is involved, then that vendor has to meet strongest due diligence (SOC2 Type 2) and clearly demonstrate transparency, ability to protect our NPI, evidence of external audits, cybersecurity and ransomware training, termination handling, etc. -- all the goodness in a cybersecurity program.

Since you mentioned NPI, that seems to have been defined by NY DFS.  A brand new resource from NY Dept of Financial services (May 2024) has helpful sections on Risk Assessment and Third party risk management

• Risk Assessment: see top of page 4, Appendix 1 (Risk Assessment definition) and especially the Appendix 3 (pages 10-11) which provides a great checklist on how you have controls to protect against risks
  • The very first is NPI 
  • I would ensure your third parties can at least answer all the items in the checklist on controls to protect NPI
    
    
• Third Party Service Provider -- skip right to Appendix 4 TPSP (page 13) that states:
  • Confirm TPSP uses multi-factor authentication when accessing my organization's information.
  • Confirm TPSP uses encryption policies and procedures to protect nonpublic information
  • Confirm TPSP contact includes requirement to notify me if there is a cybersecurity incident
  • Overall assessment that the TPSP is appropriate to provide the service, considering the type of service provided and the TPSP's position in the market (such as size, reputation, cybersecurity program [maturity]).
  • Other (describe): [_______________________________]
    
    
• The TPSP has a useful table with columns to track your third party service providers
  • TPSP (Name and Contact)
  • Level of Risk Posed (L, M, H)
  • Due Diligence Performed to evaluate their Cybersecurity practices
  • Frequency of Assessment (based on level of risk posed)
  • Other

See: https://www.dfs.ny.gov/system/files/documents/2024/05/Cybersecurity-Program-Template_05.2024.pdf

We also use an extensive 9 page cyber questionnaire -- that we fill out internally once a year to confirm nothing has changed; after we have vendor complete and sign during onboarding -- which is desired pre-contract so we can easily communicate gaps for SLA and conditions in contract for Legal/Contracts to review before initial engagement and contract signing. 

Best of luck,

Larry

FYI - for on-premises expertise from third parties, it is handled differently since its our infrastructure. Besides required training, MFA, obtaining TPSP's employee training certificates (info sec, phishing, HIPAA) to validate TPSP employee should access our systems, we typically have weekly meeting and review runbooks, etc. frequently.   THIS IS MANDATORY since our policies force all accounts to expire every 90 days (for interactive accounts, or require password changes every 90 days for any on-premise service accounts, etc.). This causes the operations team to assist with verifying same primary personnel (i.e., DBA, secondary DBA) remain current and employed and still assigned full time to our account).  It might be inconvenient, but reduces gaps that a annual termination audit of the TPSP would not cover to protect our NPI.