Third-party vendor management is a critical function for the protection of customer and business information. The third-party service provider security policy requirements set forth in the New York Department of Financial Services (“DFS”)’s Cybersecurity Regulation Part 500 were groundbreaking, and, if complied with, go a long way towards achieving fundamentally stronger cybersecurity protections for New York’s financial services industry.
NYDFS Part 500 took effect on March 1, 2017, with a two-year transitional period for its various provisions. The Regulation applies to any person or entity operating under a license, charter, registration or similar authorization from DFS under New York's Banking, Insurance or Financial Services Laws. This includes state-chartered banks, mortgage brokers and mortgage lenders, insurance companies and agents, money transmitters and cryptocurrency exchanges licensed to do business in New York. The Regulation aims to protect all nonpublic information held by such companies, including personal consumer information, healthcare information, and business-related information whose unauthorized disclosure would cause a material adverse impact to the business's operations or security.
The goal of the DFS Cybersecurity Regulation is to enhance the security of nonpublic information, maintain business continuity, and mitigate risk from potential cybersecurity breaches, by setting strong minimum standards that New York’s financial services industry must follow in order to strengthen controls and protect nonpublic information. The Regulation contains numerous provisions setting forth various requirements for a cybersecurity program, a cybersecurity policy, risk assessment, encryption, penetration testing, multi-factor authentication, incident response plan, training and governance. The final provision that went into effect on March 1, 2019 is section 500.11, the provision addressing third-party service providers. On an annual basis, each covered entity must certify to NYDFS that it is in compliance with the Regulation.
Section 500.11, entitled Third Party Service Provider Security Policy, is based on the principle that a DFS-regulated institution remains responsible for the security of its own nonpublic information when that information is accessible to third-party vendors. Put another way, a covered entity cannot weaken its security posture by permitting a vendor with inadequate security protections to access the covered entity's information systems and nonpublic customer and business information. The third parties addressed by the Regulation are any non-affiliated person or entity that provides services to the covered entity and maintains, processes, or is otherwise permitted access to nonpublic information through those services.
In order to comply with the Regulation, a DFS-regulated entity must, at a minimum, (1) periodically identify and assess the risks associated with its third-party vendors, (2) design and implement policies and procedures that set the minimum cybersecurity practices those vendors must meet, (3) conduct due diligence to evaluate the adequacy of each vendor's cybersecurity practices, including the third party's access controls (such as multi-factor authentication), use of encryption, personnel and training, and (4) consider contractual protections, including representations and warranties regarding security practices and a requirement that the vendor give notice of cybersecurity events affecting the covered entity's information.
Cybersecurity is a company-wide responsibility, and compliance with Part 500 must therefore follow a company-wide process that includes the assessment of third-party vendors. This process should include, on a periodic basis, an assessment of the risk each vendor presents, based on that vendor's access to nonpublic information and the strength of its cybersecurity policies and programs. The assessment should review the vendor's access controls, use of encryption, testing, personnel and training. Just as the covered entity must have an incident response plan, the covered entity should confirm that any vendor holding its business and customer information has one as well, and that the vendor is contractually obligated to notify the covered entity of cybersecurity events. Such efforts are critically important to limit the damage flowing from a cybersecurity breach.
We are in a world today where we must recognize that cyber risk is a threat that likely cannot be eliminated, but it surely can be mitigated. Cyber criminals look for vulnerabilities, and such vulnerabilities can exist wherever a company provides nonpublic information to third-party vendors. In the event of a breach, the covered entity cannot simply point the finger at a vendor. Though the vendor might share responsibility, Part 500 makes clear that the regulated company's vendor management and due diligence must include cybersecurity protections. In this way, third-party vendors with strong cybersecurity programs will have a leg up on the competition for providing services to New York's regulated financial services industry. As it should be.
Watch our on-demand webinar to hear more from Maria T. Vullo: Third-Party Cybersecurity Protections and Compliance with NYDFS and NY SHIELD