As of March 1, 2019, the New York State Department of Financial Services’ (NYDFS) cybersecurity regulation, 23 NYCRR Part 500, requires financial services institutions regulated by NYDFS to implement policies and procedures to address the cybersecurity risks posed by third-party service providers to the institutions’ nonpublic information (NPI).
While reaching the March 1 deadline has been a monumental task for many covered entities, it is only the first step in maintaining a compliant vendor management program in this new world of cybersecurity regulation. To manage the risks and potential liability that come with this “first of its kind” cyber regulation, covered entities must implement an ongoing program that in most cases will reflect a sea change from their prior practices. In particular, the required oversight and management of third-party service providers, or TPSPs, will expand well beyond traditional vendor management functions and deep into contracting, diligence and stakeholder review.
The Requirements of the NYDFS Regulation
The regulation requires covered entities to implement written, risk-based and consistently applied policies and procedures for managing the cybersecurity risks posed by TPSPs. In particular, the policies and procedures must:
- Describe how to identify relevant TPSPs, and assess their risks;
- Establish minimum cybersecurity standards for TPSPs;
- Define the entity’s due diligence process for TPSP cybersecurity practices; and
- Provide for periodic risk reassessment of TPSPs and their cybersecurity practices.
In addition, the policies and procedures must include particular guidelines for due diligence and contracting relating to cybersecurity. These guidelines must address:
- The TPSP’s access controls, including multifactor authentication;
- The TPSP’s use of encryption to protect NPI both in transit and at rest;
- Notification from the TPSP of cybersecurity incidents impacting the covered entity’s systems or information; and
- Contractual protections regarding the TPSP’s cybersecurity practices.
While the regulation establishes clear requirements for the policies and procedures and for what issues must (at minimum) be addressed in them, it offers covered entities considerable flexibility in determining their own approach to managing the cybersecurity risks posed by TPSPs. Thus, the policies and procedures need not conform to any particular standard or approach, so long as they are reasonable and appropriate to the covered entity’s overall cybersecurity risk profile and, importantly, so long as the covered entity actually follows these policies and procedures once they are implemented.
Maintaining Compliance Will Be Challenging
Number and Type of Vendors: A key challenge facing covered entities is the sheer number, diversity and complexity of applicable TPSPs. Specifically, the definition of a TPSP under the regulation is a “Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.” 23 NYCRR § 500.01(n). For most covered entities, these TPSP relationships range from traditional vendors—such as IT and business process outsourcers, hosting providers, cloud and SaaS providers and application developers—to less apparent providers that are not part of traditional procurement processes, such as consultants, auditors, law firms and even independent agents. Further, with increased adoption of cloud computing and other innovations, the portfolio of vendors for most companies is expanding at an increasing rate.
Investment in Risk Management: As noted above, the NYDFS regulation places a significant emphasis on the contracting and diligence process, which must be used to methodically and consistently evaluate and address the risks posed by TPSPs, with appropriate stakeholder involvement. These processes will therefore require a large investment of time and effort, applied to each TPSP relationship. Further, the new diligence requirements call for periodic reviews throughout the term of the parties’ relationship. Thus, most covered entities must establish not only a whole new management infrastructure but also a new way of doing business that allows the time and effort needed to incorporate these activities into the vendor management process.
Applicable Data and Information: A further challenge is that the definition of “Nonpublic Information” under the regulation is broader than what is generally considered to constitute applicable information under established privacy and cybersecurity laws. Specifically, the NYDFS definition includes not only personal and health information but also “business related information … the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity.” 23 NYCRR § 500.01(g). Thus, several vendor relationships that previously were not critical from a regulatory perspective—because, for example, no personal information was involved—may now be covered under the NYDFS regulation.
Not Just a Going-Forward Requirement: Covered entities must address not only new vendors and new services on a going-forward basis but also legacy vendors under legacy agreements. In many cases, these legacy agreements, and the programs in which the vendors were established and have been managed, will be inadequate under the new guidelines and changing market expectations of how financial institutions are to manage cybersecurity risks from third parties.
Achieving compliance by the March 1, 2019, deadline imposed by the NYDFS cybersecurity regulation was a crucial step for covered entities. But to overcome the challenges in maintaining compliance after the deadline, covered entities must implement a highly structured and organized approach to vendor management, with consistent application of thoughtful, risk-based rules, all within a third-party ecosystem growing in size, complexity and risk. This new approach to vendor management will mean not only a new level of focus and coordination for covered entities’ business owners, procurement groups and vendor management departments, but also an increasingly important and central role for their legal departments.