On April 9, 2015, the New York Department of Financial Services (“NYDFS”) issued a report entitled Update on Data Security in the Banking Sector: Third Party Service Providers (the “Report”).  The Report details findings of a recent survey of 40 banking organizations and the data security standards that they impose on their third party vendors.  The NYDFS concluded that these organizations’ data security standards are inadequate.

The Report made key findings on risk assessment, vendor policy, data encryption, and loss recovery.  With respect to risk assessment, the NYDFS found the following: 

  • Almost all surveyed banking organizations set out to identify the risk levels of their various vendors, but only 50 percent of them conduct on-site information security risk assessments on their high-risk vendors (e.g., those with access to sensitive banking or customer information).
  • Specifically, 46 percent of the surveyed institutions conduct such assessment prior to retaining a high-risk vendor.  Only 35 percent do so periodically.

The NYDFS made the following findings with respect to vendor policy:

  • Almost all surveyed institutions have written policies for the selection or management of third-party vendors and the associated information security risks.
  • Seventy-nine percent of these institutions require their vendors to represent that they have established minimum information security requirements, but only 36 percent of them extend these requirements to the subcontractors of their vendors.
  • Thirty percent of the surveyed institutions do not require their vendors to report information security breaches to the institutions.

With respect to data encryption, the NYDFS found that:

  • Ninety percent of the surveyed banking organizations encrypt data transmitted to or from third parties.
  • However, only 38 percent of them encrypt data stored in their systems, and only 70 percent of the institutions require multi-factor authentication for at least some of their vendors that can access sensitive data or systems, potentially leaving backdoors that can be exploited by hackers.

Finally, the NYDFS made the following findings with respect to loss recovery:

  • Sixty-three percent of the surveyed institutions carry insurance covering cyber security incidents.  However, only 47 percent of them have cyber insurance policies that explicitly cover information security failures at a third-party vendor.
  • Only half of the banking organizations surveyed have indemnification clauses in their agreements with third-party vendors that cover such failures.

The Report is a follow-up to a May 2014 Report on Cyber Security in the Banking Sector.  Also published by the NYDFS, the May 2014 Report is a comprehensive study of over 150 regulated institutions, covering their management of IT systems, use of security technologies, costs and budgets, and breaches and breach-prevention mechanisms.