Why it matters

A new report released by New York’s Department of Financial Services (DFS) detailed the vulnerabilities found in the relationships that many financial institutions have with their third-party vendors. Almost 1 in 3 of the 40 banking organizations surveyed do not require third-party vendors to notify the bank of cyber security breaches, the report found, while less than half conduct any on-site assessment of vendors. In a press release accompanying the report, DFS Superintendent Benjamin Lawsky said the regulator intends to move forward—in “the coming weeks”—with regulations “strengthening” the cyber security standards for third-party vendors, including possibilities related to the representations and warranties that banks receive from vendors about cyber security. “A bank’s cyber security is often only as good as the cyber security of its vendors,” Lawsky said in a statement. “Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter.” The DFS’s concern about vendors and third-party relationships is not unique to the agency—the Office of the Comptroller of the Currency issued guidance on the topic in December 2013 and took joint action with the Federal Deposit Insurance Corporation (FDIC) against two technology service providers based on “unsafe or unsound banking practices” in the performance of their services.

Detailed discussion

Last October, the New York DFS sent letters to 40 covered entities seeking information about their data security practices. The letters expressed concern about the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers,” and requested any policies and procedures established by the bank as well as “any and all” protections against loss incurred as a result of an information security failure by a third-party service provider.

After compiling the responses, the Department “noted a number of common issues and concerns” and released the report to highlight the most critical points, breaking down its observations into the following four categories: (a) due diligence, (b) policies and procedures, (c) safeguarding sensitive data, and (d) loss protection. Of the 40 institutions surveyed, the report characterized those banks with less than $100 billion in assets as “small,” those with between $100 billion and $1 trillion as “medium,” and any bank with assets above $1 trillion as “large.”

The DFS requested information from each banking organization about any due diligence processes used to evaluate the adequacy of third-party service providers’ information security practices. Nearly all of the banks classified the vendors by risk, and 95 percent of those surveyed conduct risk assessments of at least the vendors considered to be high risk.

Typical classifications include high risk or material (those with access to sensitive bank or customer information, such as check or payment processors), while janitorial services and providers of office supplies are examples of low-risk vendors. Some banking organizations exempt individual consultants and professional service providers—such as lawyers—from their customary due diligence, the report noted.

While the specific requirements vary, 90 percent of those surveyed have information security requirements for their third-party vendors. Large institutions may mandate actions like data encryption and access controls while small institutions may institute more general standards, the DFS found.

On-site assessments of third-party vendors—even those classified as high risk—remain a requirement at a minority of institutions, according to the report, although almost all of the banks have policies and procedures that require reviews of information security practices both during vendor selection and as part of a periodic review.

Considering the policies and procedures governing relationships with third-party service providers, the DFS said all of the institutions surveyed have written vendor management policies, with most written and/or updated “within the last several years.” The majority of the banks mandate that vendors represent that they have established minimum information security requirements, but just 36 percent extend that requirement to subcontractors of third-party vendors.

Seventy-nine percent of the banking institutions maintain the right to audit their third-party vendors, but just over half (56 percent) require a warranty of the integrity of the third-party vendor’s data or products, with larger institutions more likely to ask for such a guarantee.

Of those institutions surveyed by the DFS, 30 percent “do not appear to require their third-party vendors to notify them in the event of an information security breach or other cyber security breach,” the report found.

In the category of protections for safeguarding sensitive data, the Department discovered that 90 percent of the banking organizations encrypt data transmitted to or from third parties. However, only 38 percent use encryption for data at rest, the DFS said. Multi-factor authentication (MFA) is more commonly used at large, foreign institutions, and generally required for third-party vendors that remotely access sensitive data or banking systems.

Finally, the DFS analyzed the surveyed institutions’ protections against loss incurred by third-party information security failures. Sixty-three percent of the surveyed banks (and 78 percent of large institutions) carry insurance that would cover cyber security incidents, according to the report, although less than half (47 percent) have policies that would cover information security failures by a third-party vendor. Only half of the banks surveyed require indemnification clauses in their agreements with third-party vendors.

“Based on the responses that the Department received, banking organizations appear to be working to address the cyber security risks posed by third-party service providers, although progress varies depending on the size and type of institution,” the report concluded.

To read the DFS report, click here.