If you operate a financial services company which works with customers in New York, you should be aware of the NYDFS Cybersecurity Regulation Part 500 which initially went into effect on March 1, 2017. In our world, Section 500.11 for Third-Party Service Provider Oversight, went into effect on March 1, 2019. We have worked with a number of financial services companies to help them prepare for and maintain their compliance with this critically important regulation.
I recently had the great fortune to sit in on a webinar featuring Maria T. Vullo, the former Superintendent of the NYDFS and principal author of the regulation. I found her tone and comments so refreshing as she shared some great insights about the development and core tenets of the regulation, but more importantly some practical, best-practice recommendations for compliance. As I sat in with full attention over the hour she spoke, I was happy to discover that our interpretation and the work we have done with our clients aligned perfectly with what she outlined in her comments.
Here is a brief recap of the important things to consider for the entire regulation, and specifically for Section 500.11, Third-Party Service Providers:
- The regulation obligates all “covered entities” (financial institutions) subject to the regulation to ensure cybersecurity compliance of their third-party vendors.
- Every “covered entity” must have written policies and procedures detailing their Cybersecurity Program, including oversight of third parties to ensure they are meeting the cybersecurity requirements that stem from any system access to protected company and customer data.
- The “covered entity” must perform an annual risk assessment and appropriate due diligence to ensure the vendor has adequate policies and controls in place to mitigate, detect, respond to and recover from a cybersecurity event, if it occurs.
- The written and documented policy must be approved by the Board or a Senior Officer.
- Ensure this is a company-wide process engaging all stakeholders that work with third parties and that regular training is provided to stay up to date with latest risks.
- Stay up to date on key events in your vendor population, such as mergers and acquisitions, and reassess the risks associated with cybersecurity policies and factors like legacy systems, as there can be material changes.
These are just some highlights from the webinar, and I would certainly encourage you to do more research on this important regulation. One of the last and most important takeaways I wanted to share was her comment that “Work done is meaningless if it is not documented.” In other words, don’t allow this to be an ad hoc, one-time activity without a formal policy and without ongoing oversight activities being documented at every step of the way. I am happy to answer any additional questions that may arise from reading this.