On April 9, the New York State Department of Financial Services (NYDFS) released a report on bank vendor cybersecurity that highlights the risk that hackers will use third-party service providers to gain access to bank data. The report, entitled Update on Cyber Security in the Banking Sector: Third Party Service Providers,1 is based on responses to an October 2014 NYDFS information request to 40 regulated financial institutions and is significant for at least two reasons. First, the report may be useful for benchmarking a company's cybersecurity practices against similarly situated businesses. Second, the report may become the basis for NYDFS to promulgate new cyber regulations for third-party vendors-particularly with regard to the representations and warranties banks receive about cyber protections-in the coming weeks.2
The October 2014 NYDFS request had asked that institutions describe steps taken to comply with the third-party stakeholder provisions of the Framework for Improving Critical Infrastructure Cybersecurity issued by the US Commerce Department's National Institute of Standards and Technology (NIST).3 Third-party providers include check and payment processing firms, trading and settlement operations firms, data processing firms and many others, which often have access to banking institutions' information technology systems.
Key findings from the report include:
- Thirty percent of the institutions surveyed do not require third-party vendors to notify them in the event of a data breach;
- Ninety percent have information security requirements for third-party vendors, but fewer than half require any on-site assessments of vendors;
- Twenty-one percent do not require third-party vendors to represent that they have established minimum information security requirements;
- Nearly half do not require a warranty of the integrity of the third-party vendor's data or products;
- Ninety percent utilize encryption for data transmitted to or from third parties, but just over one-third use encryption for data that is not being transmitted or is "at rest"; and
- Sixty-three percent carry insurance that would cover cybersecurity incidents, but fewer than half have insurance that covers information security failures by a third-party vendor.
This new report is an update to a May 2014 NYDFS report on cybersecurity in the banking sector.4 The report may provide additional impetus for NYDFS to issue new cybersecurity regulations for third-party vendors to the banking industry. It also reflects the growing focus of a variety of state and federal regulatory authorities-including the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Federal Financial Institutions Examination Council (FFIEC) member agencies, and the Financial Industry Regulatory Authority (FINRA)-on scrutinizing the cybersecurity practices of the financial services industry.5 Regulators have increasingly viewed information security as a critical component of both investor protection and broader market integrity.
1 New York State Department of Financial Services, Update on Cyber Security in the Banking Sector: Third Party Service Providers, April 2015, available at www.dfs.ny.gov/reportpub/dfs_rpt_tpvendor_042015.pdf.
2 New York State Department of Financial Services, Press Release, NYDFS Report Shows Need to Tighten Cyber Security at Banks' Third Party Vendors, April 9, 2015, available at dfs.ny.gov/about/press2015/pr1504091.htm.
3 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, February 12, 2014, available at www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.
4 New York State Department of Financial Services, Report on Cyber Security in the Banking Sector, May 2014, available at www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf. NYDFS issued a similar report on the insurance sector. See New York State Department of Financial Services, Report on Cyber Security in the Insurance Sector, February 2015, available at www.dfs.ny.gov/reportpub/dfs_cyber_insurance_report_022015.pdf.
5See Jonathan G. Cedarbaum, Yoon-Young Lee, Matthew Chambers and Benjamin A. Powell, "The SEC and FINRA Increase Scrutiny of Regulated Firms' Cybersecurity," The Investment Lawyer, April 2015, Volume 22, Number 4, pages 26-28; Daniel F. Schubert, Jonathan G. Cedarbaum and Leah Schloss, "The SEC's Two Primary Theories in Cybersecurity Enforcement Actions," The Cybersecurity Law Report, April 8, 2015, Volume 1, Number 1; Jonathan G. Cedarbaum, Yoon-Young Lee, Benjamin A. Powell and Matthew A. Chambers, "SEC and FINRA Release Cybersecurity Sweep Reports, Promise Increased Scrutiny of Regulated Firms," WilmerHale Client Alert, February 5, 2015, available at www.wilmerhale.com/pages/publicationsandnewsdetail.aspx?NewsPubId=17179876235; US Commodity Futures Trading Commission, CFTC Staff to Hold Roundtable on Cybersecurity and System Safeguards Testing, March 15, 2015, available at www.cftc.gov/PressRoom/Events/opaevent_cftcstaff031815.