The New York Division of Financial Services (NYDFS) recently issued new cybersecurity guidance to assist covered entities in understanding and responding to the heightened risks posed by third party service providers (TPSPs). NYDFS emphasized that covered entities must acknowledge and account for these risks, and the guidance offers assistance in addressing them.
Based upon its enforcement activities, NYDFS has:
“Identified the need for more robust due diligence, contractual provisions, monitoring and oversight, and TPSP risk management policies and procedures. Moreover, DFS has observed a trend in which some Covered Entities outsource critical cybersecurity compliance obligations to TPSPs without ensuring appropriate oversight and verification by Senior Governing Bodies or Senior Officers. As noted in previous guidance, Covered Entities may not delegate responsibility for compliance with the Cybersecurity Regulation to an affiliate or a TPSP.”
“Additionally, Covered Entities should develop a tailored, risk-based plan to mitigate risks posed by each TPSP. The following is a non-exhaustive list of considerations that Covered Entities should assess when performing due diligence on TPSPs:
- The type and extent of access to Information Systems and Nonpublic Information (NPI).
- The TPSP’s reputation within the industry, including its cybersecurity history and financial stability.
- Whether the TPSP has developed and implemented a strong cybersecurity program that addresses, at a minimum, the cybersecurity practices and controls required by the Covered Entity and Part 500.
- The access controls implemented by the TPSP for its own systems and data, as well as to access the Covered Entity’s Information Systems, and the proposed handling and storage of Covered Entity data, including whether appropriate controls, such as data segmentation and encryption, are applied based on the sensitivity of the data.
- The criticality of the service(s) provided and the availability of alternative TPSPs.
- Whether the TPSP uses unique, traceable accounts for personnel accessing the Covered Entity’s systems and data and whether it maintains audit trails meeting the requirements of Section 500.6.
- Whether the TPSP, its affiliates, or vendors are located in, or operate from, a country or territory that is considered high-risk based on geopolitical, legal, socio-economic, operational, or other regulatory risks.
- Whether the TPSP maintains and regularly tests its incident response and business continuity plans.
- The TPSP’s practices for selecting, monitoring, and contracting with downstream service providers (fourth parties).
- Whether the TPSP undergoes external audits or independent assessments (e.g., ISO/IEC 27000 series, HITRUST) or can otherwise demonstrate, in writing, compliance with Part 500 or industry frameworks such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.”
Companies subject to NYDFS regulations may wish to review the guidance and adhere to it.