The New York State Department of Financial Services (NYDFS) recently published the results of its cybersecurity survey of more than 150 regulated small, medium, and large banking organizations. The survey asked for information about the banks’ use and management of third-party service vendors with access to sensitive information. In particular, the survey asked banks whether they conducted initial or periodic due diligence assessments of third-party vendors, and what measures vendors took to safeguard sensitive information and/or to protect against loss due to security incidents. Fewer than half of the banks surveyed required due diligence assessments of potential third-party vendors prior to a contract. About one-third conducted periodic assessments during the term of the vendor’s contract. A third of the respondents did not require the vendor to notify them in the event of a security incident or breach.

NYDFS announced it will use the results to help it develop and adopt threshold cybersecurity standards for regulated banking organizations and their vendors. The anticipated standards will likely include due diligence, suggested or mandated vendor cybersecurity representations and warranties as well as a reporting mandate on security incidents.

Regulators, including NYDFS, continue to focus on requiring minimum cybersecurity standards to be in place when companies provide third-party vendors access to their IT systems and sensitive data. These minimum standards target identified areas of risk and are intended to reduce the number and severity of cybersecurity incidents. The particular focus on third-party vendors reflects the recognition that a number of recent large-scale breaches, such as those suffered by Target and Home Depot, occurred in whole or in part because credentials of a third-party vendor were apparently stolen.

NYDFS’ survey results are available in the report “Update on Cyber Security in the Banking Sector: Third Party Service Providers,” which updates its 2014 “Report on Cybersecurity in the Banking Sector.” That earlier report emphasized banks’ widespread reliance on third-party vendors for important banking functions, such as trading and settlement operations and check and payment processing.

NYDFS is the principal regulator for state-licensed and state-chartered financial entities and other financial institutions operating in the State of New York, as well as insurance companies.

Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.