On April 9, the New York State Department of Financial Services (NYDFS) released a report on bank vendor cybersecurity that highlights the risk that hackers will use third-party service providers to gain access to bank data. The report, entitled Update on Cyber Security in the Banking Sector: Third Party Service Providers,[1] is based on responses to an October 2014 NYDFS information request to 40 regulated financial institutions and is significant for at least two reasons. First, the report may be useful for benchmarking a company's cybersecurity practices against similarly situated businesses. Second, the report may become the basis for NYDFS to promulgate new cyber regulations for third-party vendors in the coming weeks, particularly with regard to the representations and warranties banks receive about cyber protections.[2]
The October 2014 NYDFS request had asked that institutions describe steps taken to comply with the third-party stakeholder provisions of the Framework for Improving Critical Infrastructure Cybersecurity issued by the US Commerce Department's National Institute of Standards and Technology (NIST).[3] Third-party providers include check and payment processing firms, trading and settlement operations firms, data processing firms and many others, which often have access to banking institutions' information technology systems.
Key findings from the report include:
- Thirty percent of the institutions surveyed do not require third-party vendors to notify them in the event of a data breach;
- Ninety percent have information security requirements for third-party vendors, but fewer than half require any on-site assessments of vendors;
- Twenty-one percent do not require third-party vendors to represent that they have established minimum information security requirements;
- Nearly half do not require a warranty of the integrity of the third-party vendor's data or products;
- Ninety percent utilize encryption for data transmitted to or from third parties, but just over one-third use encryption for data that is not being transmitted or is "at rest"; and
- Sixty-three percent carry insurance that would cover cybersecurity incidents, but fewer than half have insurance that covers information security failures by a third-party vendor.
This new report is an update to a May 2014 NYDFS report on cybersecurity in the banking sector.[4] The report may provide additional impetus for NYDFS to issue new cybersecurity regulations for third-party vendors to the banking industry. It also reflects the growing focus on scrutinizing the cybersecurity practices of the financial services industry among a variety of state and federal regulatory authorities, including the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Federal Financial Institutions Examination Council (FFIEC) member agencies, and the Financial Industry Regulatory Authority (FINRA).[5] Regulators have increasingly viewed information security as a critical component of both investor protection and broader market integrity.