Hi there,
When it comes to an offshore vendor with NPPI, it is especially important to validate all cybersecurity and information security controls, both internally and of the vendor. This includes the physical security controls of the location where data is being accessed, transmitted, processed, or stored. And while cybersecurity controls may seem obvious, you should also have controls for the following factors:
Country risk: It is absolutely crucial to remember that the economic, social, and political conditions and events in a foreign country can have a significant impact on your organization. These factors have the potential to disrupt the operations of a foreign-based service provider and directly influence your organization's success. Therefore, actively assessing and monitoring these conditions is paramount. Your organization must closely monitor foreign government policies, as well as political, social, economic, and legal conditions in countries where your organization has a contractual relationship with a service provider. This involves not only considering relevant country risk factors in your risk assessment process, but demonstrating how you monitor these factors.
Contingency and Exit Plans: Well-developed contingency and exit strategies are important controls for managing unforeseen circumstances and situations requiring an unplanned exit from the vendor. These should include how data will be destroyed or returned, how you will revoke vendor access, etc.
Compliance: Because laws and regulations vary across jurisdictions, it's important to validate the vendor's understanding and application of compliance risk management practices and controls as they pertain to your data, the regulatory framework governing your organization, and the laws of your country. This means reviewing all compliance policies and procedures and employee compliance training, and researching any compliance violations. Both the vendor and your organization should have controls addressing compliance with all relevant privacy laws, cross-border data movement and storage, as well as human rights protections.
The vendor's third-party risk management practices: The vendor's third-party risk management practices must be reviewed, and evidence of those practices should be made available to you. You need to know that the vendor is identifying, assessing, and mitigating vendor risk, especially if they rely on fourth parties to provide services to you. Your controls should include monitoring the vendor's TPRM practices and requiring them to disclose relevant fourth parties to you.
Contractual: Contracts with foreign entities should include specific language and provisions to reinforce data security, privacy, and compliance controls.
Choice of Law: Prior to entering into an agreement or contract with a foreign-based service provider, your organization should thoughtfully consider which country's law it would like to govern the relationship.
Local laws may differ significantly from U.S. laws when it comes to the application and enforcement of choice of law covenants, data security and privacy requirements, and customer rights and protections. Therefore, as part of the due diligence process, an organization looking to enter into a contract with a service provider based in a foreign country should seek legal review from someone experienced in the laws of that particular country. This review should encompass the enforceability of all aspects of the contract and any other legal implications.
Choice of law and jurisdictional covenants must be included in the contract, outlining that any disputes between the parties will be resolved under the laws of a specific jurisdiction.
Monitoring and Oversight: These are important controls for effectively managing offshore relationships, and for ensuring the provider maintains adequate physical and data security controls, transaction procedures, business resumption and continuity planning and testing, contingency arrangements, insurance coverage, and compliance with applicable laws and regulations.
On a final note, please ensure that you keep copies of your organization's due diligence results, regular risk management oversight, risk management and monitoring reports on the foreign-based third-party service provider, as well as all contracts, policies, procedures, and other important documentation related to the service provider's relationship, in English, at US offices, for review by regulatory examiners.
I hope that helps, but I would love to hear additional thoughts from other members.
Original Message:
Sent: 06-21-2024 02:05 PM
From: Anonymous Member
Subject: Offshore Vendors
This message was posted by a user wishing to remain anonymous
Hi,
This question relates mainly to mortgage lenders.
The Fannie Mae vendor management self-assessment asks if you have "additional controls" in place to manage offshore third parties.
We are investigating using an offshore vendor that would have access to NPPI. Is anyone willing to share what "additional controls" they have added besides what is normal for critical vendors with NPPI access?