Based on a report released last week about cyber security vulnerabilities faced by financial institutions, New York State Department of Financial Services (“NYDFS”) Superintendent Benjamin Lawsky signaled that the agency will soon move forward with cyber security regulations. The report concluded that banks’ third-party vendors have significant potential cyber security vulnerabilities. Superintendent Lawsky said that the regulations will strengthen cyber security standards for banks’ third-party vendors, including potential measures related to cyber security representations and warranties that banks receive from their vendors.
The NYDFS report surveyed 40 covered entities and identified what it described as a number of potentially significant security gaps. Among other issues, the report found that:
- Fewer than 50% of the institutions surveyed required any on-site assessments of vendor cybersecurity practices; only 46% required these evaluations to be conducted before a vendor was retained; and only 35% conducted periodic on-site inspections after the vendor was hired.
- Over 20% of surveyed banks did not ask vendors to warrant that they had adequate cybersecurity practices and procedures in place. Of the banks that called for such representations, only 36% required that the warranties also apply to subcontractors.
- 44% of banks did not expect their vendors to guarantee that data and other products provided by them would be free of viruses and other cybersecurity issues.
- 30% of the surveyed organizations did not require vendors to notify them of cybersecurity breaches.
The agency also stated that it would be surveying a group of regulated insurers for similar issues concerning the cybersecurity of third-party vendors.