by Adam Hill
Privacy regulators are increasingly prescribing rules for managing third-party vendors and data processors.[1] As of March 1, 2019, for instance, New York’s Department of Financial Services (NYDFS) requires that Covered Entities establish policies and procedures for assessing the risks posed by vendors, setting minimum cybersecurity and privacy practices, conducting due diligence, and following up with periodic assessments.[2] However, the NYDFS does not go so far as to prescribe a “one-size-fits-all” approach to these third-party management requirements.[3] Nor do other financial regulators, such as the Financial Industry Regulatory Authority, leaving the decision about the appropriate form of third-party management largely to the entities themselves.[4]
How, then, should companies implement NYDFS-style third-party risk management rules? The leading approach taken by compliance functions is to invest heavily in upfront due diligence of third-party vendors and data processors. This “point-in-time” approach is premised on the idea that third-party risks are best identified by asking an exhaustive list of questions before a third party is onboarded and then recertifying those answers at a later date. A Gartner survey of 195 chief privacy and compliance officers shows that 72% of the effort allocated to identifying and monitoring third-party privacy risks is spent on upfront due diligence and recertification.