The Federal Financial Institutions Examination Council (FFIEC) requires financial institutions to have third-party management programs that effectively protect customer and financial institution information in accordance with section 501(b) of the Gramm-Leach-Bliley Act of 1999. The FFIEC Cybersecurity Assessment Tool and Examination Handbook set specific expectations for how a good information security risk management program should function, and closely define third-party risk management at the board and senior management levels.

Hiperos 3PM Information Security helps financial institutions simplify and streamline third-party information security (InfoSec) risk management by automating the:

  • identification of third parties with InfoSec risk
  • scoping of appropriate controls for each relationship
  • mapping of questions and artifacts to controls
  • creation of audit work papers
  • tracking of agreed-upon remediations
  • maintenance of a risk register on every in-scope relationship
  • monitoring of a third party’s security posture over time
  • reporting of risk rating and control effectiveness


As a result, third parties are managed in accordance with FFIEC cybersecurity audit guidelines.