Following the March 1, 2019 deadline imposed by the New York Department of Financial Services' "first of its kind" cybersecurity regulation, financial services institutions must implement documented procedures that properly evaluate the security risks posed by third-party vendors.

But establishing these procedures is only the first step in a compliant vendor management program. Institutions must now manage an ongoing program that expands well beyond the traditional vendor management function and--perhaps most significantly--deep into the contracting process. To assist our clients in this challenging endeavor, Eversheds Sutherland has developed a proprietary solution using artificial intelligence software, effectively managed resources and proven vendor management templates.

The challenges

  • The entire vendor contracting process for financial institutions must change.
  • Financial institutions often utilize hundreds or sometimes even thousands of vendors that are covered by the regulation.
  • The number and complexity of these vendor relationships are expanding with increased adoption of cloud computing and other innovative solutions.
  • The third-party relationships covered by the regulation are very broad, including not only IT vendors such as hosting and cloud providers, but also less apparent service providers such as business consultants, auditors, law firms and even independent insurance agents.
  • The requirements apply not only to new agreements, but also legacy agreements that may be inadequate under the new guidelines.