The New York State financial services regulator warns insurance companies, banks and other financial services institutions of the cyber risks associated with the growing use of third-party service providers (TPSP).
Exposure to threats will keep growing as reliance on technologies managed by TPSPs, such as cloud computing, file transfer systems, artificial intelligence, and fintech solutions, increases, the New York State Department of Financial Services said in cybersecurity guidance for entities it regulates.
“While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk,” New York State Department of Financial Services (DFS) Acting Superintendent Kaitlin Asrow said in a press release accompanying the cybersecurity guidance.
“To ensure the safe and secure operation of financial services and the protection of nonpublic information, entities must establish and maintain appropriate internal risk management controls when using third-party service providers,” Asrow added.
“The growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance,” said the industry guidance issued on October 21.
Active Cyber Risk Management
Senior governing bodies (such as boards of directors) and senior officers “must engage actively in cybersecurity risk management, including the oversight of TPSP-related risks,” the guidance continued.
These governing bodies and officers “must have a sufficient understanding of cybersecurity-related matters to exercise appropriate oversight, which includes the ability to provide a credible challenge to management’s cybersecurity-related decisions to ensure that those decisions align with the entity’s overall risk posture and resiliency objectives,” the DFS said.
DFS said it has observed a trend in which some of its regulated entities (also known as “covered entities”) outsource critical cybersecurity compliance obligations to TPSPs without ensuring appropriate oversight and verification.
Under New York State’s existing cybersecurity regulations, responsibility for compliance may not be outsourced to an affiliate or a TPSP, DFS added. “DFS has and will continue to consider the absence of appropriate TPSP risk management practices by covered entities in its examinations, investigations, and enforcement actions.”
Among its due diligence suggestions, the DFS said that, when selecting a TPSP, covered entities must assess the cybersecurity risks the TPSP poses to the entity’s information systems and nonpublic information (NPI). NPI includes personal information such as Social Security numbers, passwords and health care records.
“Policies and procedures should outline how these risks are evaluated,…