Recently, several media outlets reported that the New York State Department of Financial Services (“NYDFS”) sent a letter to many of the nation’s banks regarding the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.” The letter asked financial institutions to disclose “any policies and procedures governing relationships with third-party service providers,” and “any due diligence processes used to evaluate” such providers, including law and accounting firms.
The letter from the NYDFS is emblematic of increasing regulatory attention to the third-party service providers of financial institutions. In May, for instance, an NYDFS “Report on Cyber Security in the Banking Sector” identified “the industry’s reliance on third-party service providers for critical bank functions” as a “continuing challenge” and concluded that a financial “institution’s cyber risk level depends in large part on the processes and controls put in place by third parties.” Similarly, in a speech in July, U.S. Secretary of the Treasury Jacob Lew—even while noting that “some banks are already spending as much as $250 million a year” on cybersecurity measures—urged financial institutions to apply the Administration’s cybersecurity framework to evaluations of outside vendors, remarking that “[f]ar too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more.”
The head of NYDFS is said to be considering new cybersecurity regulations (described by one former senior Justice Department official as akin to “a consent decree for a company that has already been breached, investigated and found to be lacking in security measures”) to close the supposed gap in the regulation of third-party service providers; the U.S. Treasury Department is also reportedly considering new cybersecurity regulations to govern third-party service providers of financial institutions.
This push for new authority, however, fails to account for several existing legal requirements. Significantly, financial institutions—defined broadly to include businesses engaged in providing financial products or services—are already subject to Title V of the 1999 Gramm-Leach-Bliley Act (GLBA), which includes a “safeguards rule” for data security, particularly for customer information. Among other means, the safeguards rule is implemented through interagency information security guidelines, which require financial institutions not only to establish administrative, technical, and physical safeguards for customer information under their direct control but also to oversee service providers through:
- Due diligence in provider selection;
- Contractually requiring service providers to implement comparable information security procedures; and
- Monitoring service providers to ensure compliance with information security obligations.
Nor are the safeguards rule requirements unique. As we previously discussed, the Securities and Exchange Commission announced in April that it would conduct more than 50 cybersecurity examinations of broker-dealers and investment advisers, including of “the risks associated with vendors and other third parties.” Among other items, SEC examiners focus on an institution’s:
- Cybersecurity risk assessments of vendors or business partners, including any risk assessments of the segregation of sensitive “network resources accessible to third parties”;
- Contractual provisions relating to cybersecurity risk with vendors and business partners;
- Information security trainings for vendors and business partners; and
- Policies governing any vendors who conduct remote maintenance of networks and devices.
Ultimately, the NYDFS letter is likely the first of many efforts to further regulate the third-party vendors of financial institutions. Such efforts, moreover, may well spread beyond the financial sector, since the threat of cyber attacks originating from third-party service providers is not limited to financial institutions. The hackers who caused the massive data breach at Target (a retail company) in late 2013, for instance, gained access to the company’s network through a third-party heating, ventilation, and air-conditioning (HVAC) vendor.
While the details of any future regulation are currently unclear, regulatory activity to date suggests that the following items may be of particular interest with regard to third-party vendors:
- Selection of third-party service providers;
- Whether cyber security and data protection requirements are incorporated into an organization’s third-party contracts;
- Whether such requirements include third-party training on information security and other cybersecurity responsibilities;
- The level of third-party access to an organization’s network;
- If a third party has a high level of access (e.g., to conduct remote maintenance), any corresponding heightened security procedures, including approval and logging processes or controls to prevent unauthorized access;
- An organization’s due diligence of the cybersecurity practices of its third-party service providers; and
- Any other policies or procedures (or lack thereof) governing the cybersecurity relationship between an organization and its third-party service providers.