Are some of your employees account holders at your institution?
It is my thought that yes, they are high risk... however I do not think specifically under GLBA... with maybe the exception of payroll.
At our institution any vendor with whom we share covered personal information gets the full due diligence, risk assessment process, whether they are performing those duties at an account level or on our employees or customers in general.
In life, there is a lot less that could get better and a lot more that could get worse.
MBA Fin/MBS HR
My views only!