New York Agency’s Report Focuses on Data Vulnerability of Banks’ Third-Party Vendors

Ballard Spahr LLP

The New York State Department of Financial Services (NYDFS) recently issued a report identifying common cybersecurity issues and concerns caused by the failure of some banks to sufficiently manage vulnerabilities posed by third-party vendors.

In the wake of these findings and the increasing number and sophistication of cyberattacks on both banks and insurers, NYDFS announced it is considering new regulations to strengthen cybersecurity standards for banks, which will likely include new requirements in bank relationships with third-party vendors.

“A bank’s cybersecurity is often only as good as the cybersecurity of its vendors,” New York Superintendent of Financial Services Benjamin Lawsky said. “Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter.”

Third-party vendors provide a broad range of services to banking institutions, including check/payment processing, online banking, and trading and settlement operations. The report summarized findings from NYDFS’s survey of 40 banking organizations’ policies and procedures for managing third-party vendors. It identified multiple deficiencies, including:

  • Nearly a third of surveyed institutions do not require third-party vendors to notify them of an information security or other cybersecurity breach.
  • Fewer than half of the banks conduct on-site assessments of third-party vendors.
  • The vast majority of banks have implemented encryption for data in transit, but only 38 percent of the surveyed institutions (50 percent of large institutions, defined as having assets of more than $1 trillion) use encryption for data “at rest,” that is, in storage.
  • Seventy percent of the surveyed institutions require multi-factor authentication for at least some third-party vendors to access sensitive data or systems.
  • While 79 percent of the banks require third-party vendors to meet minimum information security requirements, only 36 percent mandate that those requirements be extended to their vendors’ subcontractors.
  • Nearly half of the banks do not require the third-party vendor to provide a warranty as to the integrity of the vendor’s data or products (i.e., that the data or products are free of viruses).
  • While 63 percent of surveyed institutions (78 percent of large institutions) carry insurance for cyberattacks, less than half have insurance that explicitly covers information security failures by a third-party vendor.

The report concludes that banking organizations appear to be working to address the cybersecurity risks posed by third-party service providers, but that progress varies with the size and type of institution. Banks and other financial institutions should look carefully at their own due diligence processes, policies, and procedures governing relationships with third-party vendors, at the protections they have in place for safeguarding sensitive data, and at their protections against losses incurred through third-party information security failures.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
