Report Highlights Bank Vendor Cybersecurity Vulnerabilities


On April 9, the New York State Department of Financial Services (NYDFS) released a report on bank vendor cybersecurity that highlights the risk that hackers will use third-party service providers to gain access to bank data. The report, entitled Update on Cyber Security in the Banking Sector: Third Party Service Providers,[1] is based on responses to an October 2014 NYDFS information request to 40 regulated financial institutions and is significant for at least two reasons. First, the report may be useful for benchmarking a company's cybersecurity practices against similarly situated businesses. Second, the report may become the basis for NYDFS to promulgate new cyber regulations for third-party vendors (particularly with regard to the representations and warranties banks receive about cyber protections) in the coming weeks.[2]

The October 2014 NYDFS request had asked that institutions describe steps taken to comply with the third-party stakeholder provisions of the Framework for Improving Critical Infrastructure Cybersecurity issued by the US Commerce Department's National Institute of Standards and Technology (NIST).[3] Third-party providers include check and payment processing firms, trading and settlement operations firms, data processing firms and many others, which often have access to banking institutions' information technology systems.

Key findings from the report include:

  • Thirty percent of the institutions surveyed do not require third-party vendors to notify them in the event of a data breach;
  • Ninety percent have information security requirements for third-party vendors, but fewer than half require any on-site assessments of vendors;
  • Twenty-one percent do not require third-party vendors to represent that they have established minimum information security requirements;
  • Nearly half do not require a warranty of the integrity of the third-party vendor's data or products;
  • Ninety percent utilize encryption for data transmitted to or from third parties, but just over one-third use encryption for data that is not being transmitted or is "at rest"; and
  • Sixty-three percent carry insurance that would cover cybersecurity incidents, but fewer than half have insurance that covers information security failures by a third-party vendor.

This new report is an update to a May 2014 NYDFS report on cybersecurity in the banking sector.[4] The report may provide additional impetus for NYDFS to issue new cybersecurity regulations for third-party vendors to the banking industry. It also reflects the growing focus of a variety of state and federal regulatory authorities, including the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Federal Financial Institutions Examination Council (FFIEC) member agencies, and the Financial Industry Regulatory Authority (FINRA), on scrutinizing the cybersecurity practices of the financial services industry.[5] Regulators have increasingly viewed information security as a critical component of both investor protection and broader market integrity.

[1] New York State Department of Financial Services, Update on Cyber Security in the Banking Sector: Third Party Service Providers, April 2015, available at

[2] New York State Department of Financial Services, Press Release, NYDFS Report Shows Need to Tighten Cyber Security at Banks' Third Party Vendors, April 9, 2015, available at

[3] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, February 12, 2014, available at

[4] New York State Department of Financial Services, Report on Cyber Security in the Banking Sector, May 2014, available at NYDFS issued a similar report on the insurance sector. See New York State Department of Financial Services, Report on Cyber Security in the Insurance Sector, February 2015, available at

[5] See Jonathan G. Cedarbaum, Yoon-Young Lee, Matthew Chambers and Benjamin A. Powell, "The SEC and FINRA Increase Scrutiny of Regulated Firms' Cybersecurity," The Investment Lawyer, April 2015, Volume 22, Number 4, pages 26-28; Daniel F. Schubert, Jonathan G. Cedarbaum and Leah Schloss, "The SEC's Two Primary Theories in Cybersecurity Enforcement Actions," The Cybersecurity Law Report, April 8, 2015, Volume 1, Number 1; Jonathan G. Cedarbaum, Yoon-Young Lee, Benjamin A. Powell and Matthew A. Chambers, "SEC and FINRA Release Cybersecurity Sweep Reports, Promise Increased Scrutiny of Regulated Firms," WilmerHale Client Alert, February 5, 2015, available at; US Commodity Futures Trading Commission, CFTC Staff to Hold Roundtable on Cybersecurity and System Safeguards Testing, March 15, 2015, available at

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WilmerHale | Attorney Advertising
