The New York State Department of Financial Services (NYDFS) recently published the results of its cybersecurity survey of more than 150 regulated small, medium, and large banking organizations. The survey asked for information on banks’ use and management of third-party service vendors with access to sensitive information. In particular, the survey asked banks whether they conducted initial or periodic due diligence assessments of third-party vendors, and what measures vendors took to safeguard sensitive information and/or to protect against loss due to security incidents. Fewer than half of the banks surveyed required due diligence assessments of potential third-party vendors prior to a contract. About one-third conducted periodic assessments during the term of the vendor’s contract. A third of the respondents did not require the vendor to notify them in the event of a security incident or breach.
NYDFS announced it will use the results to help it develop and adopt threshold cybersecurity standards for regulated banking organizations and their vendors. The anticipated standards will likely include due diligence, suggested or mandated vendor cybersecurity representations and warranties as well as a reporting mandate on security incidents.
Regulators, including NYDFS, continue to focus on requiring minimum cybersecurity standards to be in place when companies give third-party vendors access to their IT systems and sensitive data. These minimum standards target identified areas of risk and are intended to reduce the number and severity of cybersecurity incidents. The particular focus on third-party vendors reflects the recognition that a number of recent large-scale breaches, such as those suffered by Target and Home Depot, occurred in whole or in part because credentials of a third-party vendor were apparently stolen.
NYDFS’ survey results are available in the report “Update on Cyber Security in the Banking Sector: Third Party Service Providers,” which updates its 2014 “Report on Cybersecurity in the Banking Sector.” That earlier report emphasized banks’ widespread reliance on third-party vendors for important banking functions, such as trading and settlement operations and check and payment processing.
NYDFS is the principal regulator for state-licensed and state-chartered financial entities and other financial institutions operating in the State of New York, as well as insurance companies.