Tuesday, November 18th, 2025

New York issues guidance on cyber risks associated with third-party service providers

The New York State Department of Financial Services (DFS) recently issued updated cybersecurity guidance addressing the risks associated with entities becoming increasingly reliant on third-party service providers. The guidance can be found on the department’s website.

“While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk,” DFS Acting Superintendent Kaitlin Asrow said. “To ensure the safe and secure operation of financial services and the protection of nonpublic information, entities must establish and maintain appropriate internal risk management controls when using third-party service providers.”

The guidance, which does not impose new requirements or obligations on DFS-regulated entities, is intended to clarify regulatory requirements under DFS’s cybersecurity regulation and to share best practices that entities should consider implementing. It builds on the department’s ongoing work to protect New Yorkers and DFS-regulated entities from cybersecurity risks through cybersecurity regulation.

It recommends that entities assess the cybersecurity risks third-party providers pose. Policies and procedures should outline how the risks are evaluated, including minimum cybersecurity standards required for engagement, and procedures for assessing the provider’s cybersecurity practices and controls based on the unique risks. Entities should consider multiple factors.