This is the final installment in a three-part series examining the New York State Department of Financial Services’ (“DFS”) new cybersecurity regulation. In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.
Early next year, law firms and other vendors will begin answering to their clients when it comes to cybersecurity. As we’ve reported, New York State’s top banking regulator, the DFS, has imposed a sweeping cybersecurity regime on the financial institutions and insurance companies it supervises, including their vendors and third-party business partners.
The new regulation takes aim at all third-party vendors – not only providers of legal services – that have access to a DFS regulated institution’s IT network or non-public information and requires that the vendor meet minimum cybersecurity standards. Lawyers already have an ethical obligation to safeguard client information, but the DFS regulation goes further and sets out detailed data security rules and protocols that regulated institutions must impose on their vendors and business partners.
Since New York-based banks and insurers are not the only entities covered by the regulation – out-of-state and foreign institutions that operate in New York under DFS supervision are generally subject to the new regulation as well – the number of law firms and other third parties affected will be substantial.
DFS’s focus on third-party cybersecurity is hardly surprising. Many of the massive data breaches that have grabbed headlines over the past few years – not to mention the class action lawsuits and derivative demands that followed – have involved vulnerabilities introduced through vendors with access to a company’s network.
Under the regulation, covered banks and insurers are required to develop and implement written policies and procedures to ensure the security of any IT systems or non-public information that can be accessed by their vendors. At a minimum, these policies must identify the risks from third-party access, impose minimum cybersecurity practices for third-party vendors, and create a due-diligence process for evaluating vendors. Moreover, institutions must establish “preferred provisions to be included in contracts with third-party vendors.” Those contractual provisions must require, among other things, the following:
- use of multi-factor authentication to limit access to sensitive IT systems or non-public information;
- use of encryption for all non-public information, both “in transit and at rest”;
- prompt notice from the third-party provider to the regulated bank or insurer in the event of a breach or potential cyber-related event;
- representations and warranties from the third-party provider that the system or product it provides “is free of viruses, trap doors and other mechanisms that would impair the security” of the institution covered by the regulation;
- identity protection services for customers impacted by a breach caused by the third party’s negligence or willful misconduct; and
- authorization to perform periodic cybersecurity compliance and diligence audits of the third-party service provider.
Even in the abstract, these requirements are far from “check-the-box.” Law firms and other business partners will need to take a fresh look at their own cybersecurity policies and practices, and at the controls behind them (which systems actually enforce multi-factor authentication, what client data is actually encrypted at rest, and how quickly an incident would be reported to the client), and re-tool them to meet the standards their clients must now impose.
And the stakes are high. As we discussed in our post yesterday, the proposed regulation is premised on accountability at the top and requires that, each year, a board member or senior corporate officer file a compliance certificate with DFS attesting that the institution has met the requirements of the regulation, including the third-party vendor rules. This means that law firms and other vendors will not only be contractually required to meet the regulation’s vendor standards, but their clients will be certifying that compliance to DFS.
We hope you have found this three-part series informative. We will continue to follow the new DFS regulation on this blog as it becomes law in January.