The New Vendor Management World Under NYDFS' New Cyber Regulation
To overcome the challenges in maintaining compliance after the deadline, covered entities must implement a highly structured and organized approach to vendor management, with consistent application of thoughtful, risk-based rules, all within a third-party ecosystem growing in size, complexity and risk.
March 28, 2019 at 07:00 AM
As of March 1, 2019, the New York State Department of Financial Services' (NYDFS) cybersecurity regulation, 23 NYCRR Part 500, requires financial services institutions regulated by NYDFS to implement policies and procedures to address the cybersecurity risks posed by third-party service providers to the institutions' nonpublic information (NPI).
While reaching the March 1 deadline has been a monumental task for many covered entities, it is only the first step in maintaining a compliant vendor management program in this new world of cybersecurity regulation. To manage the risks and potential liability that come with this “first of its kind” cyber regulation, covered entities must implement an ongoing program that in most cases will reflect a sea change from their prior practices. In particular, the required oversight and management of third-party service providers, or TPSPs, will expand well beyond traditional vendor management functions and deep into contracting, diligence and stakeholder review.
The Requirements of the NYDFS Regulation
The regulation requires covered entities to implement written, risk-based and consistently applied policies and procedures for managing the cybersecurity risks posed by TPSPs. In particular, the policies and procedures must:
- Describe how to identify relevant TPSPs, and assess their risks;
- Establish minimum cybersecurity standards for TPSPs;
- Define the entity's due diligence process for TPSP cybersecurity practices; and
- Provide for periodic risk reassessment of TPSPs and their cybersecurity practices.
In addition, the policies and procedures must include particular guidelines for due diligence and contracting relating to cybersecurity. These guidelines must address:
- The TPSP's access controls, including multifactor authentication;
- The TPSP's use of encryption to protect NPI both in transit and at rest;
- Notification from the TPSP of cybersecurity incidents impacting the covered entity's systems or information; and
- Contractual protections regarding the TPSP's cybersecurity practices.
While the regulation establishes clear requirements for the policies and procedures and what issues must (at minimum) be addressed in them, it offers covered entities considerable flexibility in determining their own approach to managing the cybersecurity risks posed by TPSPs. Thus, the policies and procedures need not conform to any particular standard or approach so long as they are reasonable and appropriate to the covered entity's overall cybersecurity risk profile and, importantly, so long as the covered entity actually follows them once they are implemented.
Maintaining Compliance Will Be Challenging
Number and Type of Vendors: A key challenge facing covered entities is the sheer number, diversity and complexity of applicable TPSPs. Specifically, the definition of a TPSP under the regulation is a “Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.” 23 NYCRR § 500.01(n). For most covered entities, these TPSP relationships range from traditional vendors—such as IT and business process outsourcers, hosting providers, cloud and SaaS providers and application developers—to less apparent providers that are not part of traditional procurement processes, such as consultants, auditors, law firms and even independent agents. Further, with increased adoption of cloud computing and other innovations, the portfolio of vendors for most companies is expanding at an increasing rate.
Investment in Risk Management: As noted above, the NYDFS regulation places a significant emphasis on the contracting and diligence process, including the methodical and consistent evaluation and remediation of the risks posed by TPSPs, with appropriate stakeholder involvement. These processes will therefore require a large investment of time and effort, applied to each TPSP relationship. Further, the new diligence requirements call for periodic reviews throughout the term of the parties' relationship. Thus, most covered entities must establish not only a whole new management infrastructure but also a new way of doing business that allows the time and effort needed to incorporate these activities into the vendor management process.
Applicable Data and Information: A further challenge is that the definition of “Nonpublic Information” under the regulation is broader than what is generally considered to constitute applicable information under established privacy and cybersecurity laws. Specifically, the NYDFS definition includes not only personal and health information but also “business related information … the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity.” 23 NYCRR § 500.01(g). Thus, several vendor relationships that previously were not critical from a regulatory perspective—because, for example, no personal information was involved—may now be covered under the NYDFS regulation.
Not Just a Going-Forward Requirement: Covered entities must address not only new vendors and new services on a going-forward basis but also legacy vendors under legacy agreements. In many cases, these legacy agreements, and the programs in which the vendors were established and have been managed, will be inadequate under the new guidelines and changing market expectations of how financial institutions are to manage cybersecurity risks from third parties.
Summary
Achieving compliance by the March 1, 2019, deadline imposed by the NYDFS cybersecurity regulation was a crucial step for covered entities. But to overcome the challenges in maintaining compliance after the deadline, covered entities must implement a highly structured and organized approach to vendor management, with consistent application of thoughtful, risk-based rules, all within a third-party ecosystem growing in size, complexity and risk. This new approach to vendor management will mean not only a new level of focus and coordination for covered entities' business owners, procurement groups and vendor management departments, but also an increasingly important and central role for their legal departments.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.