The final, and many would say most onerous, phase of the New York Department of Financial Services (NYDFS) Cybersecurity Regulations goes into effect March 1, 2019. Banks, consumer lenders, mortgage brokers, finance agencies and insurance companies operating under New York’s Banking, Insurance or Financial Services Laws have mere weeks to demonstrate they are addressing third-party cyber risk.
Third-Party Deadline – March 1, 2019
While many financial and insurance companies have already met NYDFS requirements to improve security within their own organizations, they still face the final hurdle of securing the third parties they rely on to conduct business. By March 1, “covered entities” must be in compliance with the Third-Party Service Provider Security Policy (section 500.11).
Section 500.11 requires that covered entities:
- Create and implement written policies and procedures to ensure the security of information systems and information accessed or held by third-party service providers
- Based on the covered entity’s own risk assessment, identify and conduct risk assessments on third-party service providers
- Outline the minimum cybersecurity practices that each third-party service provider must meet
- Evaluate the adequacy of each provider's cybersecurity practices and periodically reassess them
- Create guidelines that address providers' access controls (including multi-factor authentication), encryption of nonpublic information in transit and at rest, notification of cybersecurity events, and representations and warranties in vendor contracts
Not sure if the regulations apply to your organization? Depending on your size, activity, annual revenue and assets, they may. NYDFS provides guidance on who it supervises and whether you qualify for exemptions from the regulations. Even if you’re not regulated by NYDFS, its cybersecurity policies have become a model for other states and may well be standards you will soon have to meet.
Third-Party Risk an Increasing Concern
Financial organizations have outsourced noncore services for many years; however, the risks of doing so are growing and must be managed as part of an organization's overall risk management plan. Given increasing interconnectedness, and the recognition by malicious actors that a vendor's access is an alternative route into the institution, third-party service providers can represent significant risk if they do not maintain robust security controls.
As part of a third-party risk management program, financial organizations should be diligent in performing security assessments on third parties prior to entering into any agreement. As required by NYDFS, organizational policies should identify the baseline security measures that third parties must have in place, and the effectiveness of these measures should be periodically reviewed.
Steps to Meet the Third-Party Policy
With dozens or hundreds of vendors, complying with the Third-Party Service Provider Security Policy can be a daunting task. Recognizing this, NYDFS made it the final requirement in its regulation roll-out. Organizations struggling to meet the deadline should narrow their focus in the remaining weeks. The risk assessment you have already conducted on your own organization should have identified potential third-party risks; use it as the starting point for the steps below.
- Create or update your vendor management policy to cover NYDFS regulations as well as those from the OCC, SEC, and FINRA
- Communicate the vendor management policy and its purpose to operations staff and vendors so that all involved parties are on the same page when contracts are being entered into or renewed
- Identify all vendors and prioritize by their criticality to business continuity, the type and quantity of data they access, and the access method
- For those most critical, assess their security program. It should meet at least the standards you hold your own organization to
- Craft robust contracts that detail the security controls and continuous monitoring practices vendors must have, what types of records should be maintained, and required notification and incident response processes
- Be prepared to walk away if a provider cannot meet your needs
The NYDFS regulations underscore regulators' growing desire to see that financial institutions are making risk-based decisions and are involving senior management and the board. Objective input from security specialists can improve board knowledge, better align security spending with business goals, and prepare you to demonstrate compliance.