Vendor Management Requirements for Financial Institutions in New York

I recently wrote a blog post that discussed legislation in the State of New York that is set to take effect on January 1, 2017. This legislation will effect all financial institutions in the state around Cybersecurity and the development of a formal Cybersecurity program. Click here to review that post as it provides a good overview of the requirements for financial institutions as well as links to documents with even more information.One thing that I didn't cover in that post, hence this post, are the impacts that this legislation will have on vendors of financial institutions in New York. In the proposed legislation, there is an entire section devoted to each institution having a "Third Party Information Security Policy.” 

Vendor management is nothing new in the financial institution space. Organizations need to ensure that the vendors they do business with take Information Security seriously. Some of the same holds true in this recently enacted New York legislation related to Cybersecurity Policies and is similar to Vendor Management Policies. Examples of the requirements include:

1. Identification and Risk Assessment of third parties
2. Demonstration of minimum cybersecurity practices 
3. Conducting due diligence on each vendor 
4. Regular assessment of third parties, at a minimum annually

This is the standard and what each financial institution, across the country, should be doing. Managing your third-party risk is no longer a luxury, now it has become a business necessity. The new requirements as part of this legislation can be found in subsection (b) of Section 500.11 and includes the following:

• The use of Multi-Factor Authentication as set forth in Section 500.12 to limit access to sensitive systems and Nonpublic Information. Note this does not say Two-Factor Authentication, rather Multi-Factor Authentication, just like in the latest version of PCI DSS 3.2.
• The use of encryption to protect Nonpublic Information in transit and at rest. 
• Prompt notice to the Covered Entity in the event of a Cybersecurity Event affecting the third-party service provider.
•  Identity protection services for any customers materially impacted by a Cybersecurity Event that results from the third-party service provider’s negligence or willful misconduct.
• Representations and warranties from the third-party service provider that the service or product provided to the Covered Entity is free of viruses, trap doors, time bombs and other mechanisms that would impair the security of the Covered Entity’s Information Systems or Nonpublic Information.
• The right of the Covered Entity or its agents to perform cybersecurity audits of the third-party service provider.

That list is what language needs to be included in all contracts between a financial institution in New York and their third-party service providers. This is a specific, detailed list that could change how business is done in the financial services sector. In fact, this legislation is like the requirements of HIPAA / HITECH Regulations for both covered entities and their vendors (business associates).

This is all new and while the legislation takes effect in 3 weeks, financial institutions have until January 15, 2018 to comply. But, you can never get started too early, especially when there are such significant changes. As part of our monthly webinar series for December, we are going to be presenting on this exact topic. Whether you are a financial institution in New York or a third-party service provider, the information in this webinar will help you get ready for these changes. Details are below:

Legislative Changes for NY Financial Institutions