Effective March 1, 2017, first-in-kind regulations issued by the New York Department of Financial Services (New York DFS) will begin to affect a wide array of both depository and non-depository financial institutions. The new regulations will cascade certain requirements upon these financial institutions’ third-party service providers, requiring the financial institutions to take a close look at their vendor relationships.
Who Is Covered?
The new regulations will specifically apply to “Covered Entities,” meaning any financial services firm that operates (or is required to operate) under a “license, registration, charter, certificate, permit, accreditation or similar authorization” by the New York DFS. Just to name a few, this includes banks, credit unions, insurance companies, licensed lenders and loan servicers, money transmitters, and even those operating under New York’s new virtual currency license.
What Do The Regulations Do?
Certain aspects of the regulations legally formalize what most financial institutions are most likely already doing—for example, maintaining a written cybersecurity policy tailored to the findings of periodic risk assessments. Other aspects of the regulations, however, enter into a new territory of granularity that will seem striking for many financial services firms that may have at best considered these to be informal best practices.
Among other things, the new regulations will formally require Covered Entities to protect not only sensitive customer information (the prevailing standard under federal data security regulations), but crucial business-related information, as well. Covered Entities will also be required to appoint a specifically designated Chief Information Security Officer (although such person may be outsourced to a third party), and must report certain “Cybersecurity Events”—which term even extends to unsuccessful attempts to access an information system—to the New York DFS within 72 hours of occurrence.
Unlike prevailing cybersecurity regulations, which tend to be technology-agnostic, the regulations will require Covered Entities to adopt certain specified controls including multi-factor authentication systems and encryption technologies (or suitable alternatives) in specified circumstances.
The regulations formally make cybersecurity a C-suite level priority, requiring senior management to certify compliance with the regulations to the New York DFS on an annual basis.
How are Vendor Relationships Impacted?
Cognizant of the fact that most financial services firms operate through a diverse web of outsourced technology relationships, the new regulations require Covered Entities to adopt written policies and procedures designed to ensure the security of information systems and nonpublic information (again, including not just consumer information, but important business information, as well) that are accessible to, or held by, third-party service providers. Such policies and procedures must be based on a Covered Entity’s required risk assessment, and must address, to the extent applicable:
- Identification and risk assessment of third-party service providers;
- Minimum cybersecurity practices required for such third-party service providers to do business with the Covered Entity;
- Due diligence processes used to evaluate the adequacy of such third-party service providers’ cybersecurity practices; and
- Periodic assessment of such third-party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.
These policies and procedures must include relevant guidelines for due diligence and/or contractual protections relating to third-party service providers including, to the extent applicable, guidelines addressing the regulations’ required compliance with multi-factor authentication and encryption requirements, as well as the third-party service providers’ obligations to notify the Covered Entity of a Cybersecurity Event impacting information systems or nonpublic information.
The compliance obligations under the new regulations will roll out on a staggered basis, over a two-year period, beginning March 1. Although Covered Entities will technically have until March 1, 2019, to have adopted the required third-party service provider oversight and contractual requirements indicated above, implementing these policies and conforming third-party contracts will necessarily be a lengthy process requiring a great deal of buy-in both from the Covered Entity itself and the third party on the other end of the vendor relationship.
With the two-year clock ticking effective March 1, financial institutions subject to the new regulations are advised to begin taking a careful look at their vendor relationships, and begin conforming their policies, procedures and third party agreements as soon as possible. The New York DFS itself has underscored this point, stating in the regulation that “it is critical for regulated institutions that have not yet done so to move swiftly and urgently … Adoption of the program outlined in these regulations is a priority for New York State.”