How New York’s Cybersecurity Law Impacts Third-Party Vendors

How New York’s Cybersecurity Law Impacts Third-Party Vendors on cyberguard360.comBest cybersecurity practices are required to do business with New York’s financial sector

Companies that aren’t in the financial sector can’t ignore New York’s first-in-the-nation cybersecurity law. Although 23 NYCRR 500 does not directly govern third-party vendors, it demands that financial service companies insist upon robust cyber security practices at entities they do business with, from payroll and point-of-sale solutions to cloud services.

Vendors who don’t comply may not face fines from New York’s Department of Financial Services (DFS), but their bottom lines can still suffer a big hit if they lose profitable relationships with financial service customers who can’t risk being held responsible for lax security measures.

Since March of 2017, any banking, insurance, or brokerage firm that uses a license to operate in New York has had to adapt to the stringent requirements of New York’s new cybersecurity law. And from February 2018, these companies have been required to provide evidence that they have taken the proper steps to safeguard the confidentiality and integrity of sensitive client data.

The law comes on the heels of an alarming 937 percent increase in cyber-attacks against the financial services industry in 2016, with 200 million records breached, according to IBM’s latest Security Trends in the Financial Services Sector report. The financial sector is attacked 65 percent more often than any other industry – and as the recent Target breach taught us, clever hackers understand that softer security measures at third-party vendors can provide an easy access point to the information they seek. In that case, cybercriminals used credentials stolen from an unsuspecting HVAC company to penetrate Target’s network.

Vendor management, including certain compliance measures, is nothing new in the financial sector. But as DFS regulations hold companies responsible for ensuring their vendors protect critical data, actively managing the cybersecurity compliance of third parties is no longer just a good idea – it’s a business necessity.

What does the law require for third parties?

Regulations governing relationships with third-party vendors are comprehensive. They demand that all financial companies create written, rigorous risk management policies and procedures that protect information systems and private data that the vendor holds or can access, for as long as the companies work together. Even financial companies who qualify for limited exemptions must comply. The law requires that governed companies, to the extent applicable:

  • Identify and assess risks of all third-party vendors
  • Require these vendors to meet minimum cybersecurity requirements in order to do business with the firm
  • Establish due diligence processes that evaluate the adequacy of vendors’ cybersecurity practices
  • Regularly assess vendors based on the risk they present and the continued adequacy of their cybersecurity measures

When relevant, New York’s regulations also lay out specific guidelines for due diligence and contractual protections with third-party vendors. These measures address:

  • Policies and procedures for access controls, including the use of multifactor authentication
  • Policies and procedures for the use of encryption to protect sensitive data in transit and at rest
  • Notification of cybersecurity events that could impact information systems or private data
  • Representations and warranties addressing the vendor’s cybersecurity policies and procedures that relate to the security of the financial company’s data

So, what do these rules really mean?

In a nutshell, financial companies are mandated to ensure that the vendors they do business with take information security seriously. Governed companies are having to negotiate new contracts, revise old contracts, and continually monitor third-party relationships to ensure that their vendors meet best cybersecurity practices.

As part of their annual certification of compliance with the new rules, financial firms are required to report that they have taken steps to ensure vendor security. Submitting a false or inaccurate certification is a serious violation and subjects the company – and possibly the person who signed or approved it – to regulatory measures and enforcement action.

Are all vendors treated the same under the new law?

No. Third-party vendors holding critical private customer or company data are subject to the highest scrutiny because they enable cybercriminals to cause the most damage. Some financial services companies are responding to the new regulations by limiting sensitive data to as few third parties as possible.

What can third parties do to continue successful relationships with customers who must comply with the new law?

Vendors who hold or have access to sensitive data must implement a comprehensive cybersecurity risk management program if they want to do business with companies governed by DFS. Important components should include strong passwords, data encryption, multifactor authentication to prevent logins from new systems and unidentified devices, and an audit trail that identifies who can see which types of data and any changes that are made. Third parties also should be willing to undergo regular cybersecurity assessments from their customers.

Documented plans for detecting and promptly responding to an attack must be in place, as well as plans for backing up data centers and telecommunications lines to ensure business continuity in the wake of a cyber event. Vendors must also promptly notify their customer of attempted or successful cyber events that have the potential to impact information systems or sensitive data. Finally, vendors should take the extra step of listing and obtaining security assurances from their relevant vendors, such as data center providers who provide hosting functions.

These measures are not too expensive or difficult to achieve with the help of a trusted cybersecurity firm. The ever-evolving nature of cybercrime makes it impossible for even the best cybersecurity practices to guard against every attack, but they significantly reduce their likelihood – plus lessen the impact of any breach, in terms of cost and the number of records that are affected. And crucially, complying with these measures ensures that third-party vendors can continue relationships with financial services companies governed by New York’s cybersecurity law.

CyberGuard360’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, and training and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.