There are fewer than six months until the New York Department of Financial Services (NYDFS) Cybersecurity Vendor/Third Party Service Provider Requirements go into effect (March 1, 2019). Is your firm ready?
Eighteen months ago, the NYDFS 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies went into effect (March 1, 2017). The NYDFS regulation, which is touted as the most stringent cybersecurity regulation globally, was constructed as a series of requirements plotted on a two-year timeline. The final requirement, slated on the implementation schedule for March 1, 2019, is the Vendor/Third Party Service Provider Security Policy requirement. NYDFS gave companies a two-year runway for this requirement because of the size and complexity of the challenge.
Even if your company is NOT under NYDFS supervision, you probably already have increased vendor and third-party service provider oversight requirements because of other emerging regulations, or you will soon. Regardless of any regulatory mandate, having a solid Vendor/Third Party Risk Management Program is simply good security and smart business.
The specific section of the NYDFS Cybersecurity regulation is Section 500.11, and it includes the following details:
The entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Entity and shall address to the extent applicable:
- the identification and risk assessment of Third Party Service Providers;
- minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Entity;
- due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and
- periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.
Third-Party policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing:
- Third Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication as required to limit access to relevant Information Systems and Nonpublic Information;
- Third Party Service Provider’s policies and procedures for use of encryption to protect Nonpublic Information in transit and at rest;
- notice to be provided to the Entity in the event of a Cybersecurity Event directly impacting the Entity’s Information Systems or the Entity’s Nonpublic Information being held by the Third Party Service Provider; and
- representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.
There are many reasons the NYDFS felt it needed to give firms two years to satisfy the above requirements; here are a few:
- Organizations may not have clear visibility into their full inventory of third parties because of informal onboarding practices, which the regulation aims to rectify. If you don’t have full visibility, we suggest starting with accounts payable and accounts receivable. Remember, “Third Parties” means more than just vendors. The business may rely on services received from a third party that are critical to certain business processes.
- Leadership’s input on the company’s key and strategic Third Parties, and their impact on the business, may not be clearly communicated to the teams responsible for reviewing the third party. It is imperative that the view from leadership, along with that of individuals in key roles, is obtained and factored into the Third Party risk assessment process.
- Completing a comprehensive and proper Third Party risk assessment requires input from many roles and departments within the organization. These functions include: Information Technology, Legal, Compliance, Finance, Procurement, Risk Management, Business and Process Owners, and Internal Audit. Orchestrating the coordination and communication among these departments, and the information required, is best managed with a capable vendor management tool; for most firms, spreadsheets and email are insufficient.
- Understanding your Third Party’s information security practices directly impacts your organization’s cybersecurity resilience and readiness, particularly when the Third Party handles, processes, transmits or receives confidential and/or personally identifiable information. Unless and until your organization knows the Third Party’s internal controls, confirms that they have been tested satisfactorily, and confirms that those controls meet or exceed your organization’s minimum standards, your firm is flying blind.
Vendor and third-party risk management is not a one-time, check-the-box exercise; it is ongoing and perpetual. Firms must establish ongoing monitoring practices and continually evaluate, measure, mitigate, and accept vendor and third-party risks at a level commensurate with the firm’s risk appetite and resources.
This opinion piece was written by Michael Corcione, Managing Director of Cybersecurity and Privacy. Michael has advisory experience in Cybersecurity Business & IT Risk Assessments, Cyber Threats and Incident Response, Regulatory Compliance, and Third Party Due Diligence. Prior to Accume, Michael was a leader at Cordium.