The New York State financial services regulator warns insurance companies, banks and other financial services institutions of the cyber risks associated with the growing use of third-party service providers (TPSPs).
Exposure to threats will keep growing as regulated entities rely more heavily on technologies managed by TPSPs, such as cloud computing, file transfer systems, artificial intelligence, and fintech solutions, the New York State Department of Financial Services said in cybersecurity guidance for entities it regulates.
“While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk,” according to New York State Department of Financial Services (DFS) Acting Superintendent Kaitlin Asrow in a press release accompanying the cybersecurity guidance.
“To ensure the safe and secure operation of financial services and the protection of nonpublic information, entities must establish and maintain appropriate internal risk management controls when using third-party service providers,” Asrow added.
“The growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance,” said the industry guidance issued on October 21.
Active Cyber Risk Management
Senior governing bodies (such as boards of directors) and senior officers “must engage actively in cybersecurity risk management, including the oversight of TPSP-related risks,” the guidance continued.
These governing bodies and officers “must have a sufficient understanding of cybersecurity-related matters to exercise appropriate oversight, which includes the ability to provide a credible challenge to management’s cybersecurity-related decisions to ensure that those decisions align with the entity’s overall risk posture and resiliency objectives,” the DFS said.
DFS said it has observed a trend in which some of its regulated entities (also known as “covered entities”) outsource critical cybersecurity compliance obligations to TPSPs without ensuring appropriate oversight and verification.
Under New York state’s existing cybersecurity regulations, responsibility for compliance with cybersecurity regulations may not be outsourced to an affiliate or a TPSP, DFS added. “DFS has and will continue to consider the absence of appropriate TPSP risk management practices by covered entities in its examinations, investigations, and enforcement actions.”
Among its due diligence suggestions, the DFS said that, when selecting a TPSP, covered entities must assess the cybersecurity risks the TPSP poses to the group’s information systems and nonpublic information (NPI). (NPI includes personal information such as Social Security numbers, passwords and health care records.)
“Policies and procedures should outline how these risks are evaluated, including minimum cybersecurity standards required for engagement, and procedures for assessing the TPSP’s cybersecurity practices and controls based on the unique risks presented by the TPSP,” the guidance added.
A TPSP with “privileged access” (that is, a TPSP that performs security-relevant functions ordinary users are not authorized to perform) poses “a greater risk than a TPSP that provides services operating outside of the covered entity’s information systems.”
“Providers of critical services that often have a high degree of system-level access and the ability to access sensitive NPI include companies that provide IT managed services, outsourced help desk services, and insurance claims management services.”
Tailored Risk-Based Plans
The guidance suggested that covered entities should develop tailored, risk-based plans “to mitigate risks posed by each TPSP.”
The DFS explained that this guidance bulletin does not impose new requirements or obligations on DFS-regulated entities but is intended to clarify regulatory requirements under DFS’s cybersecurity regulation and to share best practices that entities should consider implementing.