Bloomberg Law: New York Raises Standards for Third-Party Cybersecurity Vendors

In the wake of a spate of cybersecurity settlements with health and auto insurance providers last month, the New York Department of Financial Services issued a letter to its covered entities on managing risks related to third-party service providers, or TPSPs. The DFS describes the guidance as drawing directly from lessons learned during recent examinations and investigations. Given the increasing reliance on third-party service providers for critical activities ranging from compliance to cloud computing and fintech solutions, DFS sought to reiterate and elaborate on the relevant portions of its cybersecurity regulation, or Part 500. In particular, DFS notes that the “growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance.” The guidance focuses on TPSP cyber risk within four domains of Part 500:

  • Identification, due diligence, and selection
  • Contracting arrangements
  • Management and oversight
  • Termination of relationships

Identification and Selection

The DFS acknowledges that the cybersecurity risks posed by each individual TPSP are unique and that covered entities should develop policies and procedures that apply a risk-based approach to assessment. Entities should classify TPSPs based on the “risk profile, considering factors such as system access, data sensitivity, location, and how critical the service provided to the covered entity is to its operations.” DFS provided a non-exhaustive list of TPSP cyber issues that covered entities should incorporate into applicable policies, including access to sensitive information, testing of incident response controls, and the conducting of routine annual audits. DFS advises covered entities to vet TPSPs for cyber risks through the completion of questionnaires and direct engagement during the procurement process.
