March 1, 2019 marked the expiration of a two-year grace period for regulated entities (Covered Entities) to come into compliance with the New York Department of Financial Services’ (DFS) first-of-its-kind “Cybersecurity Requirements for Financial Services Companies” (the Cyber Requirements), 23 N.Y.C.R.R. 500. Now that the implementation phase is complete, DFS will no doubt look toward enforcing the Cyber Requirements. Indeed, Linda Lacewell, a former state and federal prosecutor, has been selected to serve as DFS’s next superintendent and recently called cybersecurity “the number one threat facing all industries and governments globally.” Lacewell also put Covered Entities on notice that compliance with the Cyber Requirements is going to “take center stage.”

Questions remain, however, regarding which components of the Cyber Requirements DFS will scrutinize most closely and to what degree. One area of significant concern for Covered Entities involves “Third-Party Service Providers.” The Cyber Requirements mandate that Covered Entities, which include state-licensed insurance companies and banks, “implement written policies and procedures designed to ensure the security of” information that is “accessible to, or held by, Third-Party Service Providers.” The Cyber Requirements define a Third-Party Service Provider as any individual or non-government entity that (1) is not affiliated with a Covered Entity, (2) provides services to a Covered Entity, and (3) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the Covered Entity. DFS’s focus on third-party cyber risk does not come as a surprise, given that third-party vendors pose one of the greatest threats to entities from a cybersecurity standpoint.