Navigating Regulatory Changes in 2024: What TPRM Professionals Need To Know

Regulations change rapidly, particularly in the arena of third-party risk management (TPRM). Staying in the know is the best way to manage these risks, protect your organization, and confirm your suppliers’ compliance.

New regulations and updates to existing laws cover data protection, cybersecurity, operational resilience, and more. As we speed through 2024, TPRM professionals should be aware of these key regulation changes and how they impact an organization and its industry.

1. General Data Protection Regulation (GDPR)

Since its implementation, the General Data Protection Regulation (GDPR) has been the European Union’s foundational data protection governance. If a company operates within the EU or handles data from EU citizens, it must comply with the GDPR. Recent updates introduce new guidelines impacting how organizations manage third-party data processors.

Data Protection Impact Assessments (DPIAs)

The GDPR already requires these assessments when a company plans to process data in a way that could pose a high risk to people’s privacy. However, the 2024 updates address important issues, such as:

  • Clearer and stricter guidelines regarding when and how to conduct DPIAs
  • More specific criteria for identifying a “high-risk” processing activity
  • Increased scrutiny on DPIA thoroughness
  • Mandatory consultation with data protection authorities (DPAs) when a DPIA indicates a high risk the company cannot mitigate
  • Increased focus on managing risks surrounding new technologies, such as artificial intelligence (AI)

Data Subject Rights

The European Data Protection Board (EDPB) prioritizes data subject access rights. Organizations must comply with GDPR requirements, allowing consumers to access and understand how companies use their data. National data protection authorities will collaborate on this effort, using questionnaires and investigations to assess compliance. Organizations should review existing procedures to align with the new standards.

Cross-Border Data Transfers

Transferring personal data outside the EU/UK now requires the destination country to provide adequate data protection. If that country has no adequacy decision, use approved mechanisms like standard contractual clauses (SCCs) or binding corporate rules (BCRs). 

Conduct risk assessments, such as transfer risk assessments (TRA) or transfer impact assessments (TIA), to confirm adequate protection. In the U.S., recent adequacy decisions have allowed data transfers under the EU-U.S. Data Privacy Framework.

2. California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

The CPRA is a wide-ranging amendment to the existing CCPA. The CCPA gave California consumers increased control over the personal information (PI) companies collect, and the newly implemented CPRA expands the CCPA’s protections. 

Consumer Opt-Out Rights/Third-Party Sharing Regulations

Under CPRA, consumers can control whether companies and their third-party suppliers sell and share their personal information. CCPA only regulated selling, not sharing, data.

Data Minimization

Companies may only collect, use, retain, and share PI that is adequate, relevant, and limited to what is necessary for the stated purpose.

3. SEC Cybersecurity Disclosure Rules

The U.S. Securities and Exchange Commission (SEC) has adopted new cybersecurity rules for 2024. These changes cover procedures American companies must implement regarding cybersecurity.

Disclosure Requirements for Material Cybersecurity Incidents

The new rules impose mandatory cyber-incident reporting obligations on U.S.-listed companies. They must disclose each material cybersecurity incident, assess the incident, and declare its impact on the company’s operations and finances.

Incident Response Strategies

Companies must establish protocols to quickly identify a cybersecurity incident and assess whether it is material.

Third-Party Risk Assessments

Organizations must extend their internal cyber policies to all third-party suppliers.

4. The INFORM Consumers Act

The INFORM Consumers Act, a relatively new regulation in the U.S., targets fraudulent online sales by requiring greater transparency from online sellers. This law has significant implications for e-commerce and retail TPRM.

Verification of Seller Identity

Online marketplaces that allow high-volume third-party sellers to conduct sales must collect, verify, and disclose certain information about each seller.

Compliance With Data Collection and Transparency Requirements

This new regulation makes online sales more transparent and attempts to discourage bad actors from selling stolen, counterfeit, or unsafe items through online marketplaces.

5. European Union’s Digital Operational Resilience Act (DORA)

DORA, a new regulation affecting EU financial institutions, focuses on these organizations’ operational resilience. 

Operational Resilience Requirements

Under DORA, covered financial entities must be able to withstand, respond to, and recover from cybersecurity incidents. 

Third-Party Risk Management Frameworks

DORA also requires financial institutions to manage risks related to third-party service providers within their information and communication technologies (ICT) risk management framework. 

Incident Reporting

Financial institutions must include procedures in their ICT risk management framework to monitor, detail, and report significant cyber incidents to DORA authorities. 

6. Banking and Financial Services Regulations

The American financial services sector is heavily regulated. Financial institutions must observe regulations in the following areas, among others:

  • Anti-money laundering (AML)
  • Countering the financing of terrorism (CFT)
  • Know your customer (KYC)

In 2024, the Financial Crimes Enforcement Network (FinCEN) proposed several amendments to the existing AML/CFT regulations. 

Enhanced Due Diligence

Under the Bank Secrecy Act (BSA), financial institutions must establish AML/CFT programs that include at least the following actions:

  1. Developing policies, procedures, and controls
  2. Designating an AML/CFT compliance officer
  3. Conducting ongoing employee training
  4. Independent auditing to test these programs

FinCEN’s recommended changes would subject some financial institutions to additional obligations, including provisions related to:

  • Customer identification programs (CIP)
  • Customer due diligence (CDD) regarding legal entity customers 

Risk Assessments

Under FinCEN’s recommended changes, financial institutions must incorporate periodic risk assessments into their AML/CFT programs. These risk assessments would review and consider financial institutions’ illicit finance activity risk based on their business activities. 

Ongoing Monitoring

FinCEN’s proposed amendment would require financial institutions to appoint at least one qualified employee as an AML/CFT officer. The officer must coordinate and monitor the institution’s day-to-day AML/CFT compliance. 

Automated KYC Processes

Technology, especially AI, will inevitably continue playing a larger role in KYC processes. Financial institutions can use AI to create digital KYC profiles as part of a largely technology-driven KYC process. 

7. ISO 27001 and 27002 Updates

ISO 27001 and 27002 are international information security management standards. The International Organization for Standardization (ISO) published its original standards, ISO 27001 and ISO 27002, in 2013. To keep up with rapid technological advancements, the ISO published a revised version of these standards in October 2022, mandating organizations transition to the new controls by October 2025.

Information Security Controls

The changes emphasize integrating advanced technologies for better data protection. The new and amended controls are more flexible, accommodating various organizational sizes and structures.

Risk Management Practices

The updated standards emphasize continuous risk assessment rather than periodic reviews. They encourage a collaborative framework in which organizations share risk management responsibilities across departments. 

Supplier Assessments

The new guidelines recommend evaluating suppliers’ security practices using stricter criteria and continuously monitoring supplier security postures to confirm compliance.

8. Environmental, Social, and Governance (ESG) Regulations

ESG regulations require U.S.-based organizations to conduct socially and environmentally responsible operations. In 2024, the SEC implemented new rules to improve public companies’ transparency.

ESG Reporting Requirements

The new regulations enhance mandated climate-related disclosures. Public companies must provide more detailed and standardized information about their business operations’ environmental and social impact.

Third-Party Assessments

The SEC recommends conducting independent evaluations to assess third-party providers’ environmental and social practices and confirm their reporting accuracy and credibility.

Sustainability and Social Impact

The new rules establish stricter guidelines for measuring and reporting on sustainability initiatives and their effectiveness in driving positive social change.

Strengthen Your TPRM Compliance With Evident

Staying ahead of changing regulations is no small feat, so your company needs the right tools for the job. Evident’s comprehensive platform ensures your company stays compliant with the most up-to-date rules and regulations by:

  • Verifying third-party insurance and data compliance
  • Providing real-time regulation updates
  • Automating compliance checks
  • Creating audit-ready reports

Request a demo today to learn more about how Evident can keep you ahead of the compliance curve.