Report Assesses Banking Industry’s Progress in Addressing Cybersecurity Risks Posed by Third-Party Service Providers

SUMMARY

On April 9, the New York State Department of Financial Services (“DFS”) released findings arising out of its study of measures banking organizations use to address cybersecurity risks posed by their third-party service providers. The April 9 report, which updates a May 2014 report, is based on a survey of vendor cybersecurity practices in place at 40 regulated banking organizations. It highlights various cybersecurity measures that banking organizations may want to consider implementing. The DFS said that its findings demonstrate a “need to tighten cybersecurity at banks’ third-party vendors” and that, in the coming weeks, the DFS expects to move forward on regulations strengthening cybersecurity standards for banks’ third-party vendors. The DFS also said that it was conducting an analogous review of vendor cybersecurity practices at the insurance companies it regulates and expects to put in place heightened cybersecurity standards there as well.

BACKGROUND

Banking organizations typically rely on third-party vendors for a broad range of services, from supporting accounting and trading operations to printing and food catering. Those third parties often connect to the financial institutions’ information technology systems. As such, third-party vendors may present an attractive “backdoor entrance” for hackers seeking to access banks’ sensitive customer data and other valuable information. Cybersecurity failures at third-party vendors enabled several major data breaches in recent years, including those at Target, Home Depot and Goodwill.

Over the past year, the DFS has taken a heightened interest in the cybersecurity of the financial institutions and insurers it regulates. Benjamin M. Lawsky, New York State’s Superintendent of Financial Services, recently described cybersecurity as likely the most important issue facing the DFS in the coming years.

In May 2014, the DFS published a report describing the findings of its survey of more than 150 banking organizations’ general cybersecurity practices. The report characterized “the industry’s reliance on third-party service providers for critical banking functions” as a “continuing challenge.” It noted that when banking functions are outsourced, “an institution’s cyber risk level depends in large part on the processes and controls put in place by third parties.” Therefore, institutions’ lack of adequate insight into the sufficiency of vendors’ processes and controls “may represent an area in need of heightened due diligence and monitoring.”

In October 2014, the DFS requested information from 40 regulated banking organizations about their cybersecurity practices for third-party service providers. The DFS asked for information about each banking organization’s relevant due diligence processes, relationship-governing policies and procedures, protections for safeguarding sensitive data, and protections against loss incurred due to third-party information security failures. The DFS also inquired about the banking organizations’ adherence to the National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity, which is considered by many to be the de facto baseline for cybersecurity.

DISCUSSION

The DFS’s April 9 update documents the prevalence of particular measures that financial institutions may adopt to guard against the cybersecurity risks posed by third-party vendors. Perhaps the most noteworthy statistic the DFS reported is that 30% of surveyed banking organizations do not require their third-party vendors to notify them in the event of a cybersecurity breach.

The DFS reported that the overwhelming majority of surveyed banking organizations employ the following practices:

  • Conducting information security risk assessments of at least high-risk vendors, which typically include any vendor with access to sensitive bank or customer data (95%).
  • Having information security requirements for their third-party vendors (90%).
  • Having policies and procedures that require pre-contract and periodic reviews of third-party vendors’ information security practices, though fewer than half of the surveyed institutions require on-site assessments of their third-party vendors.
  • Utilizing encryption for any data transmitted to or from third parties (90%), though only 38% use encryption for data “at rest” (a figure that rises to 50% for “large” institutions, defined as those with assets exceeding $1 trillion).

According to the DFS update, many of the surveyed banking organizations also take the following precautions:

  • Requiring third-party vendors to represent that they have established minimum information security requirements (79%), though only 36% require third-party vendors to extend the minimum information security requirements to subcontractors.
  • Reserving the right to audit their third-party vendors’ compliance with information security requirements (79%).
  • Requiring a warranty from third-party vendors of the integrity of their data or products (for example, that their systems are malware free) (56% overall, but 80% of large institutions).
  • Requiring multi-factor authentication (“MFA”) for at least some third-party vendors to access sensitive data or systems (nearly 80% of foreign banks; roughly 50% of domestic institutions).
  • Carrying insurance that would cover cybersecurity incidents (63% overall; 78% of large institutions), including policies that explicitly cover third-party vendor information security failures (47%).
  • Requiring indemnification clauses in their agreements with third-party vendors (50%).

The DFS is considering adopting cybersecurity requirements for financial institutions that would apply to their relationships with third-party service providers. Cybersecurity vulnerabilities introduced by third-party vendors have also been an issue of concern for a number of other regulators. A February 2015 Risk Alert from the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations discussed, among other things, registered broker-dealers’ and investment advisers’ risk policies relating to vendors. Similarly, in its February 2015 Report on Cybersecurity Practices, the Financial Industry Regulatory Authority noted that broker-dealers “need an effective vendor management program in place to help guard against [the cybersecurity] risks” created by third-party vendors.

Regulated banking and insurance institutions should review the DFS’s recent update to determine whether it discusses cybersecurity measures that they may wish to implement.