Great question!
Implementing Executive Order 14117 in Third-Party Risk Management Programs
Executive Order 14117 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) introduces national security risks related to data-sharing with countries of concern and the persons they own, control or direct that extend beyond the basic sensitive data risk management covered in FFIEC Interagency Guidance. Here's a framework for incorporating these requirements into an existing TPRM program:
Policy and Program Updates
- Update the Third Party Risk Policy to explicitly require compliance with Executive Order 14117 and its implementing regulations
- Make identifying and mitigating risks from data-sharing with countries of concern and covered persons a standing element of vendor risk assessment rather than a one-time exercise
- Review and enhance data use policies so that sensitive data cannot be accessed by countries of concern or covered persons, whether directly or through a vendor's subcontractors
Initial Due Diligence
- Add specific questions to identify vendors and subcontractors that are located in, owned or controlled by, or employ staff resident in countries of concern
- Require comprehensive disclosure of:
  - Complete third- and fourth-party lists with address information
  - Detailed data-sharing practices
  - Subcontractor access to sensitive data
  - Data handling procedures and the locations where data is stored, processed and accessed
Contract Management
- Include specific provisions prohibiting data sharing with unvetted fourth or Nth parties
- Require prior written approval for new data-sharing arrangements, and for any change in the location from which data is stored or accessed, especially in jurisdictions of concern
- Ensure contracts require compliance with applicable laws and regulations, including Executive Order 14117, and flow those obligations down to subcontractors
Ongoing Monitoring and Compliance
- Establish robust monitoring mechanisms for continuous compliance
- Implement regular vendor performance reviews
- Exercise audit rights to verify compliance
- Cross-reference data-sharing disclosures with OFAC sanctions lists and other high-risk jurisdiction resources; note that OFAC screening is necessary but not sufficient here, since the countries-of-concern and covered-persons designations under Executive Order 14117 are maintained by the Department of Justice and are distinct from OFAC's lists
- Conduct regular audits of third-party due diligence and monitoring materials
Industry-Specific Considerations
While traditional financial institutions may not commonly sell data directly, certain sectors require additional scrutiny:
- Mortgage companies
- Registered Investment Advisers (RIAs)
- FinTech companies
- Organizations sharing client data with:
  - Data brokers
  - Marketing firms
  - Analytics companies
These arrangements must align with:
- Financial institution data-use policies
- Regulatory expectations for customer privacy
- Executive Order 14117 requirements
- Existing OFAC restrictions
Implementing Executive Order 14117 requires more granular data risk management, particularly regarding who can access data and where it is located. Success requires integrating these requirements into existing due diligence, contractual arrangements, and monitoring processes while maintaining special vigilance over Nth party relationships, where most of the exposure tends to hide.
I welcome other thoughts and suggestions.