New York DFS Proposals Focus on Third-Party Vendor Risk
Earlier this month, the New York State Department of Financial Services (“DFS”) announced that it will propose new cybersecurity regulations for financial institutions. The DFS made the announcement in a letter to the Financial and Banking Information Infrastructure Committee — an eighteen member organization headed by the Treasury Department that has already begun tackling cybersecurity issues.
The announcement itself comes as no surprise. Last May, the Superintendent of the DFS signaled that he would propose new cybersecurity regulations by the end of this year. And other financial regulators, including the Securities and Exchange Commission, have ramped up their enforcement efforts with regard to cybersecurity issues.
The exact details of the regulations will be hashed out through notice-and-comment rulemaking. But the DFS letter identified a number of areas in which the DFS intends to act: Cyber Security Policies and Procedures, Third-Party Service Provider and Management, Multi-Factor Authentication, Appointment of Chief Information Security Officers, Application Security, Cyber Security Personnel and Intelligence, Annual Auditing, and Procedures for Noticing Cyber Security Incidents.
Whether any new regulations end up codifying “best practices” in the finance and insurance industries remains an open issue. But in a May 2014 report, the DFS found that almost 90% of surveyed depository institutions “reported having an information security framework in place that includes what are considered to be the key pillars of such programs.” Key pillars include a written information security policy, security education and training, risk management, information security audits, and incident monitoring and reporting. A February 2015 report by the DFS also noted that 98% of insurers surveyed had a cybersecurity framework in place. And both insurers and depository institutions reported that they notify law enforcement officials and regulators of data breaches as a matter of course.
Several of the proposals in the DFS letter, however, may foretell changes as to how financial firms approach cybersecurity. For example, the DFS letter proposed that “covered entities be required to implement policies and procedures to ensure the security of sensitive data or systems that are accessible to, or held by, third party providers.” New regulations could also require firms to “perform cyber security audits” of their third-party vendors or require third-party vendors to make “representations and warranties” about the state of their information security.
The DFS’s focus on third-party vendor relationships isn’t unexpected. An April 2015 report by the DFS found that only 46% of surveyed institutions conduct “pre-contract on-site assessments of at least high-risk third party vendors.” And 44% of those institutions do not require third-party vendors to guarantee that their data and products are free of viruses. Similarly, only half of the surveyed institutions require indemnification clauses for information security failures in their agreements with third-party vendors.
That the DFS would focus its proposed regulations on third-party vendors reflects many of the most recent headline-grabbing breaches. The Target data breach started after an employee at the retailer’s internet-connected heating, ventilation, and air conditioning (“HVAC”) vendor clicked through a phishing e-mail. And a malware attack on one of Goodwill’s third-party vendors caused a data breach that compromised more than 800,000 credit cards.
It’s too soon to tell the details of the forthcoming DFS cybersecurity regulations. But the DFS letter gives us a glimpse into the areas in which it plans to regulate. We will continue to monitor and report on the rulemaking process.