Why it matters

Continuing the regulatory focus on third-party relationships, New York’s Department of Financial Services (DFS) has sent multiple letters to banks across the country to address the issue of data security. The DFS has been keeping a close eye on cybersecurity in the banking sector, releasing a report in May that noted “the industry’s reliance on third-party service providers for critical bank functions” presents serious concerns for financial institutions. The New York regulator is not alone; the Office of the Comptroller of the Currency (OCC) released a bulletin earlier this year with guidance about managing the risk of third-party relationships, while the OCC and the Federal Deposit Insurance Corporation (FDIC) took action for “unsafe or unsound banking practices” against two financial institution technology service providers.

Detailed discussion

Expressing concern about the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers,” the DFS sent several letters to gather data about current practices.

DFS Superintendent Benjamin Lawsky asked recipients to disclose “any policies and procedures governing relationships with third-party service providers,” as well as “any due diligence processes used to evaluate” all types of providers, including accountants and law firms.

Specifically, the DFS requested the methods used to protect sensitive data being sent to or received from third parties, the data accessible by those outside the institution, and “any and all protections against loss incurred as a result of an information security failure by a third-party service provider, including any relevant insurance coverage.”

“It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Lawsky wrote in the letter, a copy of which was obtained by Reuters. “It is important that financial institutions are able to identify, monitor and mitigate any cybersecurity risks posed by their third-party relationships.”

The trigger for the letters and heightened regulatory scrutiny appears to be the number of high profile data breaches occurring at major companies, such as JPMorgan Chase. That incident involved the personal information – including names, addresses, phone numbers, and e-mail addresses – of an estimated 83 million accountholders when the bank’s computer systems were hacked.

After collecting the requested information from banks, Lawsky’s letter said the DFS intends to review how institutions manage cybersecurity risks with regard to third parties with an eye toward possible regulation. The regulator is reportedly considering a rule that representations and warranties are obtained by financial institutions from third-party service providers with respect to cybersecurity standards and practices.