Data Security Law Blog

NYS Cyber Regulation: New Rules for Third-Parties

It’s been almost two years since New York’s top banking regulator implemented one of the nation’s most stringent cybersecurity regulations.  Since then, thousands of financial institutions have recruited chief information security officers, implemented cybersecurity programs, performed penetration testing, and imposed encryption requirements on their most sensitive information.

But financial institutions still aren’t quite finished satisfying their obligations under New York’s cyber regulation.  On March 1st, the regulation’s final – and conceivably the most challenging – requirement goes into effect: the implementation of written policies and procedures to ensure that an organization’s third-party vendors and service providers are carrying their weight and are practicing safe cyber hygiene.

The banks and insurance companies subject to the cyber regulation were given two years to comply with the third-party rules, perhaps in recognition of the varying complexities presented in dealing with third-parties.

The regulation requires that financial institutions put their most important vendors to the test by meeting a series of requirements that, depending on the risks involved, might include the following precautions:

  • minimum cybersecurity requirements as a prerequisite for doing business with the financial institution;
  • a due diligence process to evaluate whether a vendor’s cybersecurity practices are adequate; and
  • “[p]eriodic assessment” of vendors “based on the risk they present” to the financial institution and whether their cybersecurity practices continue to be “adequate.”

The regulation requires that each vendor be evaluated based on the specific risks it presents rather than a broad-brushed “one-size-fits-all” approach. In its 2016 responses to industry comments, the New York Department of Financial Services (DFS) stressed that the “requirements in Section 500.11 regarding third parties” were amended so as to be “explicitly based on the Covered Entity’s Risk Assessment.”  Likewise, in its interpretative guidance, DFS said that “appropriate controls” will be “based on the individual facts and circumstances” posed by the particular vendor and that detailed safeguards – such as access controls, multi-factor authentication, encryption, notification in the event of a cyber-attack, and contractual representations covering security policies and procedures – might be considered when assessing the risk presented by a third-party vendor.

In the same guidance, DFS has also stressed “the importance of a thorough due diligence process in evaluating the cybersecurity practices” of a third-party vendor, and has made clear that “[s]olely relying” on a compliance certificate does not suffice as adequate diligence.  “Covered Entities must assess the risks each Third Party Service Provider poses to their data and systems and effectively address those risks.”

It’s not surprising that third-party risk is an important theme of the New York cyber regulation.  In a study conducted by DFS in advance of the cyber regulation, only 46% of surveyed institutions performed “pre-contract on-site assessments of at least high-risk third party vendors.”  And 44% of those institutions did not require third-party vendors to guarantee that their data and products are free of viruses.  Similarly, only half of the surveyed institutions required indemnification clauses for information security failures in their agreements with third-party vendors.