March 1, 2019 marked the expiration of a two-year grace period for regulated entities (Covered Entities) to come into compliance with the New York Department of Financial Services’ (DFS) first-of-its-kind “Cybersecurity Requirements for Financial Services Companies” (the Cyber Requirements), 23 N.Y.C.R.R. 500. Now that the implementation phase is complete, DFS will no doubt look toward enforcing the Cyber Requirements. Indeed, Linda Lacewell, a former state and federal prosecutor, has been selected to serve as DFS’s next superintendent and recently called cybersecurity “the number one threat facing all industries and governments globally.” Lacewell also put Covered Entities on notice that compliance with the Cyber Requirements is going to “take center stage.”

Questions remain, however, regarding what components of the Cyber Requirements DFS will scrutinize most closely and to what degree. One area of significant concern for Covered Entities involves “Third-Party Service Providers.” The Cyber Requirements mandate that Covered Entities, which include state-licensed insurance companies and banks, “implement written policies and procedures designed to ensure the security of” information that is “accessible to, or held by, Third-Party Service Providers.” The Cyber Requirements define a Third-Party Service Provider as any individual or non-government entity that (1) is not affiliated with a Covered Entity, (2) provides services to a Covered Entity, and (3) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the Covered Entity. DFS’s focus on third-party cyber risk does not come as a surprise, given that third-party vendors pose one of the greatest threats to entities from a cybersecurity standpoint.
