Great question!
Implementing Executive Order 14117 in Third-Party Risk Management Programs
Executive Order 14117 introduces specific national security risks related to data-sharing with foreign adversaries that extend beyond the basic sensitive data risk management covered in FFIEC Interagency Guidance. Here's a comprehensive framework for incorporating these requirements into existing TPRM programs:
Policy and Program Updates
- Update the Third Party Risk Policy to explicitly include compliance with Executive Order 14117
- Ensure consistent focus on identifying and mitigating risks related to data-sharing with foreign adversaries
- Review and enhance data use policies to prevent sensitive data access by prohibited entities
Initial Due Diligence
- Add specific questions to identify vendors and subcontractors operating in countries of concern
- Require comprehensive disclosure of:
  - Complete third- and fourth-party lists with address information
  - Detailed data-sharing practices
  - Subcontractor access to sensitive data
  - Data handling procedures and locations
Contract Management
- Include specific provisions prohibiting data sharing with unvetted fourth or Nth parties
- Require prior approval for new data-sharing arrangements, especially in jurisdictions of concern
- Ensure contracts address compliance with applicable laws and regulations
Ongoing Monitoring and Compliance
- Establish robust monitoring mechanisms for continuous compliance
- Implement regular vendor performance reviews
- Exercise audit rights to verify compliance
- Cross-reference data-sharing disclosures with OFAC lists and other high-risk jurisdiction resources
- Conduct regular audits of third-party due diligence and monitoring materials
Industry-Specific Considerations
While traditional financial institutions may not commonly sell data directly, certain sectors require additional scrutiny:
- Mortgage companies
- Registered Investment Advisors (RIAs)
- FinTech companies
- Organizations sharing client data with:
  - Data brokers
  - Marketing firms
  - Analytics companies
These arrangements must align with:
- Financial institution data-use policies
- Regulatory expectations for customer privacy
- Executive Order 14117 requirements
- Existing OFAC restrictions
The implementation of Executive Order 14117 emphasizes the need for more granular data risk management, particularly regarding data access and location. Success requires a comprehensive approach that integrates these requirements into existing due diligence, contractual arrangements, and monitoring processes while maintaining special vigilance over Nth party relationships.
I welcome other thoughts and suggestions.
Original Message:
Sent: 01-07-2025 04:03 PM
From: Natalia Weems
Subject: The rule to block sale of Americans' bulk data to adversaries
Hello! There is a new rule finalized earlier this month, attaching the link below. Do you see this rule impacting your TPRM program? If so, how do you plan to address it in the risk review process?
Biden administration finalizes rule to block sale of Americans' bulk data to adversaries
Therecord: The rule, proposed under an executive order in late February and finalized Friday, is intended to address the "urgent and extraordinary national security threat" created by U.S. adversaries acquiring personal data that can be used for espionage, blackmail, influence campaigns and other malicious activities.