THIRD-PARTY COMPLIANCE
WHAT IS THE THIRD-PARTY ASSESSMENT?
The Third-Party Assessment collects essential data from all of your third parties regarding their access to, handling of, and use of your sensitive information. This data gives you what you need to identify and mitigate risks, demonstrate compliance with key regulations, and prepare for litigation or an audit.
WHY DO I NEED IT?
Cybersecurity and privacy regulations such as the GDPR, 23 NYCRR 500 and the Federal Acquisition Regulation (FAR) require companies to conduct periodic, regularly scheduled due diligence on any third party with access to sensitive information. Companies must now routinely and systematically assess all vendors, including presumed low-risk vendors, to demonstrate effective diligence and to document evidence of controls.
23 NYCRR 500.11(a) requires covered entities to evaluate the adequacy of their third parties' cybersecurity practices through periodic assessments, in order to protect their information systems and Non-Public Information (NPI).
Companies operating in the Dubai International Financial Centre (DIFC) may only use data processors that provide sufficient data security guarantees. The Dubai Financial Services Authority expects companies to assess the cybersecurity posture of their key third-party providers.
Article 28 of the GDPR requires controllers to only engage third-party processors who provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
Companies cannot claim ignorance of a vendor's inappropriate practices as a defense. Contracts must stipulate privacy and security requirements, but companies must also take sufficient action to confirm that those contractual requirements are actually being met. Make sure service providers implement reasonable security measures. Put it in writing. Verify compliance.
The SEC has made it clear that material cybersecurity risks and incidents, including those caused by third parties, should be disclosed to investors. Vendor risk therefore has to be addressed and continuously vetted and assessed, not reviewed once at onboarding.
Companies that handle Controlled Unclassified Information (CUI) for the U.S. federal government must comply with the NIST SP 800-171 framework. Federal contract clauses include flow-down provisions for subcontractors whose information systems hold CUI or Federal Contract Information (FCI).
HOW DOES IT WORK?
We offer the only solution that quickly identifies which third parties require comprehensive assessment under key regulations such as the GDPR, 23 NYCRR 500, the FAR and others.
The Third-Party Assessment is built on globally recognized frameworks and regulatory guidelines and delivered through our unique service delivery model. It replaces manual, resource-intensive processes, enabling you to broaden the scope of your third-party risk management program while documenting and automating the entire workflow.
We provide the best practice standards and streamlined processes necessary to assess all vendors and surface hidden risks.
This service enables legal and compliance officers to comply with regulatory guidelines, while supporting IT efforts. The Third-Party Assessment is the most essential due diligence solution available.