Our institution works with a third-party that has recently engaged with a company in a foreign country to begin assisting them in taking care of our institution’s IT matters. Do we need to perform a review on this new foreign third-party?
When evaluating this situation, the first step is to understand the parties involved:
- Your Financial Institution
- Your current provider (your institution’s third-party)
- The foreign company your provider outsources to (fourth-party to your institution)
Typically, your institution manages its third-parties through its vendor management program, and each third-party is responsible for managing its own providers. This works well when the third-party has a SOC 2 report issued under the SSAE 18 attestation standard. A SOC 2 report identifies the provider’s subservice organizations and includes a section on Complementary Subservice Organization Controls (CSOCs), which spells out the controls the subservice organization is expected to have in place and how the provider monitors that subservice organization. If your third-party’s SOC 2 covers the foreign provider in this way (either carved out with CSOCs described, or included in the scope of the report), your institution has reasonable assurance that your current provider is effectively managing its fourth-party.
However, without this assurance, your institution is on its own to determine what risks the fourth-party presents and how best to address them. When performing the risk assessment, your institution should ask itself: does the foreign fourth-party have any (even incidental) access to our customer or confidential information? In other words, is any of our customer or confidential information transmitted, stored, or processed outside the U.S.?
If the answer is yes, the foreign provider presents all the same risks as any other outsourced relationship, plus an additional layer of risk specific to foreign-based providers. The FFIEC states:
So in addition to the risks you already consider for your other outsourced relationships, foreign providers introduce choice-of-law and jurisdictional considerations, because these parties may not fall under the jurisdiction of domestic laws and regulations. This can create regulatory problems in complying with consumer protection, privacy (Section 501(b) of GLBA), and information security laws. It can also create contractual problems, such as data-breach notification, if your contract with the third-party stipulates a procedure the fourth-party can’t (or won’t) comply with. Finally, there’s also this.
In short, third-party relationship management is challenging, and managing fourth-parties is even more so. Add a foreign provider (third or fourth) into the mix and the challenge goes up considerably. I would strongly recommend your institution try to obtain assurance (via the CSOC section of your third-party’s SOC 2) that your third-party provider is adequately managing its relationships, but even with that assurance (and certainly without it) you may want to establish increased ongoing monitoring of this relationship.