By David Fagan and Sumon Dantiki

Recently several media outlets reported that the New York State Department of Financial Services (“NYDFS”) sent a letter to many of the nation’s banks, regarding the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.”  The letter requested financial institutions to disclose “any policies and procedures governing relationships with third-party services providers,” and “any due diligence processes used to evaluate” such providers, including law and accounting firms.

The letter from the NYDFS is emblematic of an increasing level of attention by regulators on third party service providers of financial institutions.  In May, an NYDFS “Report on Cyber Security in the Banking Sector,” for instance, identified “the industry’s reliance on third-party service providers for critical bank functions” as a “continuing challenge” and concluded that a financial “institution’s cyber risk level depends in large part on the processes and controls put in place by third parties.”  Similarly, in a speech in July U.S. Secretary of the Treasury Jacob Lew—even while noting that “some banks are already spending as much as $250 million a year” on cybersecurity measures—urged financial institutions to apply the Administration’s cybersecurity framework to evaluations of outside vendors, remarking that “[f]ar too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more.”

The head of NYDFS is said to be considering new cybersecurity regulations (described by one former senior Justice Department official as akin to “a consent decree for a company that has already been breached, investigated and found to be lacking in security measures”) to meet the supposed gap in regulating third-party service providers; the U.S. Treasury Department is also reportedly considering new cybersecurity regulations to govern third-party service providers of financial institutions.

This push for new authority, however, fails to account for several existing legal requirements.  Significantly, financial institutions—defined broadly to include businesses engaged in providing financial products or services—are already subject to Title V of the 1999 Gramm-Leach-Bliley Act (GLBA), which includes a “safeguards rule” for data security, particularly customer information.  Among other means, the safeguards rule is implemented through interagency information security guidelines, which require financial institutions not only to establish administrative, technical, and physical safeguards for customer information under their direct control but also to oversee service providers through:

  • Due diligence in provider selection;
  • Contractually requiring service providers to implement comparable information security procedures; and
  • Monitoring service providers to ensure compliance with information security obligations.

Nor are the safeguards rule requirements unique.  As we previously discussed, the Securities and Exchange Commission announced in April that it would conduct more than 50 cybersecurity examinations of broker-dealers and investment advisers, including examination of “the risks associated with vendors and other third parties.”  Among other items, SEC examiners focus on an institution’s:

  • Cybersecurity risk assessments of vendors or business partners, including any risk assessments of the segregation of sensitive “network resources accessible to third parties”;
  • Contractual provisions relating to cybersecurity risk with vendors and business partners;
  • Information security trainings for vendors and business partners; and
  • Policies governing any vendors who conduct remote maintenance of networks and devices.

Ultimately, the NYDFS letter is likely the first of many efforts to further regulate the third-party vendors of financial institutions.  Such efforts, moreover, may very well spread beyond the financial sector, since the threat of cyber attacks originating from third-party service providers is not limited to financial institutions.  The hackers who caused massive data breaches at Target (a retail company) in late 2013, for instance, gained access to the company’s network through a third-party heating, ventilation, and air-conditioning (HVAC) vendor.

While the details of any future regulation are currently unclear, regulatory activity to date suggests that the following items may be of particular interest with regard to third-party vendors:

  • Selection of third-party service providers;
  • Whether cyber security and data protection requirements are incorporated into an organization’s third-party contracts;
  • Whether such requirements include third-party training on information security and other cybersecurity responsibilities;
  • The level of third-party access to an organization’s network;
  • If a third party has a high level of access (e.g., to conduct remote maintenance), any corresponding heightened security procedures, including approval and logging processes or controls to prevent unauthorized access;
  • An organization’s due diligence of the cybersecurity practices of its third-party service providers; and
  • Any other policies or procedures (or lack thereof) governing the cybersecurity relationship between an organization and its third-party service providers.
David Fagan co-chairs the firm’s top ranked practice on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and is a partner in the firm’s data privacy and cybersecurity practice.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including being named The American Lawyer’s Dealmaker of the Year three times. His work includes successfully securing three of the four Presidential approvals in the history of CFIUS; securing the only Presidential order protecting a client against a proposed hostile takeover; and negotiating the only “golden share” the U.S. government has taken in a U.S. company. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

For more than two decades, David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that encounter challenges in CFIUS; provide strategic counsel to clients on navigating and addressing U.S. national security considerations in commercial transactions; and negotiate solutions with the U.S. government, including equity arrangements, that protect national security interests while preserving shareholder value and U.S. business interests.

In the enforcement area, David has represented clients in numerous enforcement actions pursued by CFIUS, including two of the three largest penalty cases resolved with CFIUS.

Reflecting his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multinational companies to advise on emerging legal issues, including outbound investment restrictions and regulations governing information and communications technologies and services (ICTS), as well as strategic legal projects related to the evolving U.S.-China competitive landscape. 

In addition, in the foreign investment and national security area, David routinely advises clients on matters requiring mitigation of foreign ownership, control, or influence (FOCI) under applicable national industrial security regulations. His work includes advising many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions subject to public safety, law enforcement, and national security review by Team Telecom.