The New York State Department of Financial Services recently issued a report analyzing the cybersecurity requirements that financial institutions put in place for their third-party service providers. The report is based on survey responses from roughly 40 regulated banking organizations and serves as an update to an earlier Department report, which identified continuing challenges with the industry’s reliance on third-party vendors for “critical banking functions.”
In response to the survey as well as the “increasing number and sophistication of cyber attacks” and recent breaches at financial institutions, the Department is considering cybersecurity regulations that would apply to banks’ third-party vendor management processes.
The report identified some key cybersecurity vulnerabilities related to third-party vendor management and also revealed some differences between larger and smaller organizations, as well as between U.S. and foreign organizations. Below are some of the key findings from the report:
- On-site Assessments: Less than half of the surveyed organizations require on-site assessments of third-party vendors. Only 46% require pre-contract on-site assessments of high-risk vendors, and even fewer (35%) mandate periodic on-site assessments after engagement.
Policies and Procedures
- Information Security Requirements: 21% of organizations do not require third-party vendors to represent that they have established minimum information security requirements, with foreign organizations imposing such a requirement less frequently than U.S. institutions.
- Subcontractors: Only 36% of organizations require information security requirements to be extended to subcontractors. Notably, the survey revealed that large and medium domestic organizations are much more likely to impose information security requirements on subcontractors; none of the small domestic surveyed organizations confirmed they do so.
- Audits: 21% of organizations do not require the right to audit their vendors.
- Data Breach: Remarkably, 30% of the banking organizations surveyed do not require vendors to notify them in the event of an information security breach or other cybersecurity breach.
- Encryption: Only 38% of institutions encrypt stored data (data at rest), compared to 90% who encrypt data in transit to or from third parties. Smaller organizations are less likely to encrypt stored data; roughly half of larger institutions do so.
- Multi-factor Authentication: Foreign organizations require multi-factor authentication much more often than U.S. organizations. While 70% of the surveyed institutions require multi-factor authentication for at least some vendors accessing their data, the rate for U.S. institutions was much lower (around 50%).
- Cyber Insurance: 53% of organizations do not have cyber insurance that would explicitly cover third-party vendor information security failures. Further, 37% of surveyed institutions do not carry cyber insurance at all. Interestingly, a substantially higher proportion of small organizations have cyber insurance than medium-sized organizations, and a greater proportion of small organizations have insurance that explicitly covers third-party vendor security incidents than either medium or large institutions.
- Indemnification: 50% of organizations do not require indemnification clauses in their vendor contracts.
The New York State Department of Financial Services is not the only one taking an interest in vendor management issues. The House Oversight & Government Reform Committee just announced it will hold a hearing on Enhancing Cybersecurity of Third-Party Contractors and Vendors this week. Third-party vendor management is a critical aspect of any information security program, as service providers frequently have access to company systems, data, and infrastructure.
For the purposes of the report, banking organizations were categorized as “small” (assets < $100 billion), “medium” (assets between $100 billion and $1 trillion), and “large” (assets > $1 trillion).