New York’s DFS Cybersecurity Regulations in a Nutshell
The NY Department of Finance recently cast stringent and wide-reaching Cybersecurity regulations on banks, insurance companies, other financial services institutions, and anyone that does business with these types of entities in the state of New York. Recent high-profile data breaches affecting the financial and healthcare sectors highlight the unexpected or unintended consequences that can arise when organizations outsource IT, support and processing activities.
The new regulatory requirement 23 NYCRR 500 mandates that organizations must manage risks commensurately with the level of complexity, as well as the risks inherent in each third party relationship.
What you need to know
In summary, the law requires all business institutions to prove that they have:
- Established a Cybersecurity Program
- Adopted relevant Cybersecurity Policies and Procedures
- Hired and empowered a Chief Information Security Officer
- Implemented governance measures for Cybersecurity risks of Third-Party Service Providers, Partners, and Customers
The legislation is effective as of March 1st, 2017, and compliance is mandatory within 180 days.
For companies it basically says, “make sure your vendors are secure, that they securely access your data, and that their third parties and vendors are compliant, too.” Managing your vendors is a challenge; fourth party management is an even bigger hurdle to overcome if you look at the current landscape and available solutions.
What does this mean for your vendor risk management program?
We at ThirdPartyTrust are singularly focused on third party risk management. As such, let us highlight what this means for your vendor risk management program.
You will be required to:
- Perform a thorough risk assessment of third party service providers; and
- Assess minimum security expectations and requirements of third parties; and
- Perform due diligence that your third parties and their third parties are following requirements; and
- Perform periodic security assessments of third parties; and
- Use multi-factor authentication for third parties; and
- Use encryption in transit and at rest; and
- Require third parties to notify your company of real or suspected security issues.
Ultimately, the use of third-party suppliers and outsourcing will not absolve organizations of responsibility for that risk, nor will it allow deflection of a security breach to the outsourced entity. Violations can be assessed as “willful misuse” carrying fines of $50,000 or more per instance.
For many companies, the process of gathering and managing Third Party risk profiles is laborious and time-intensive, with spreadsheets and file cabinets being the historical method of choice. Gleaning insights and patterns from this information is difficult, at best.
It’s clear that regulators are now requiring all companies to actively be apprised of their third-party entities’ cyber risk profiles and methods. Establishing a line of sight with each third-party entity’s Vendor Management and/or Compliance department is even more difficult. Similarly, establishing a formalized framework for the purpose of acquiring third-party cyber risk intelligence is extremely difficult. Regardless of the difficulty, the regulators will hold you accountable, and the penalties will carry hefty monetary fines (as well as adverse effects to your reputational and operational risk).
It is imperative that organizations implement a controllable, pragmatic risk management strategy. The most efficient strategy incorporates converged practices, collaboration, and relationship building at the third and fourth party levels. This strategy applies for domestic dependencies as well as global dependencies, where the challenge of managing third party security is compounded by distance, legal, and cultural variables.
Anders Norremo | ThirdPartyTrust | CEO