Third-Party Vendor Management and NYDFS Regulation 500

The goal of the DFS Cybersecurity Regulation is to enhance the security of nonpublic information, maintain business continuity, and mitigate risk from potential cybersecurity breaches, by setting strong minimum standards that New York’s financial services industry must follow in order to strengthen controls and protect nonpublic information. The Regulation contains numerous provisions setting forth various requirements for a cybersecurity program, a cybersecurity policy, risk assessment, encryption, penetration testing, multi-factor authentication, incident response plan, training and governance. The final provision that went into effect on March 1, 2019 is section 500.11, the provision addressing third-party service providers. On an annual basis, each covered entity must certify to NYDFS that it is in compliance with the Regulation.

Part 500.11, entitled Third Party Service Provider Security Policy, is based on the principle that a DFS-regulated institution, mandated to comply with the Regulation, is responsible for the security of the covered entity’s nonpublic information accessible by third-party vendors. Put another way, a covered entity cannot reduce its security protections by permitting third-party vendors with inadequate security protections to have access to the covered entity’s information systems and nonpublic customer and business information. The third parties that are addressed by the Regulation are any person or entity that provides services to the covered entity and is permitted access to nonpublic information through such services.

In order to comply with the Regulation, a DFS-regulated entity must, at a minimum, (1) periodically identify and assess the risks associated with its third-party vendors, (2) design and implement policies and procedures to address the cybersecurity risks of its third-party vendors, (3) conduct due diligence to evaluate the adequacy of each vendor’s cybersecurity practices, including the third party’s access controls, use of encryption, personnel and training; and (4) consider contractual representations and warranties regarding security protections and notice of cybersecurity events.

Cybersecurity is a company-wide responsibility, and compliance with Part 500 must therefore follow a company-wide process that includes the assessment of third-party vendors. This process should include, on a periodic basis, an assessment of the risks of the company’s third-party vendors, based on the individual vendor’s access to nonpublic information and the strength of its cybersecurity policies and programs. The assessment should include a review of the third-party vendor’s access controls, use of encryption, testing, personnel and training. Just as the covered entity must have an incident response plan, so too must the third-party vendor that holds the covered entity’s business and customer information. Such efforts are critically important to mitigate the risk of any damage flowing from a cybersecurity breach.

We are in a world today where we must recognize that cybersecurity is an existential threat that likely cannot be eliminated, but it surely can be mitigated. Cyber criminals look for vulnerabilities, and such vulnerabilities can exist in a company’s provision of nonpublic information to third-party vendors. In the event of a breach, the covered entity cannot simply point the finger at a vendor. Though the vendor might share responsibility, Part 500 makes clear that the regulated company’s vendor management and due diligence must include cybersecurity protections. In this way, those third-party vendors with strong cybersecurity programs will have a leg up on the competition for providing services to New York’s regulated financial services industry. As it should be.