Banks, insurance companies and other entities regulated by the New York Department of Financial Services are facing a new cybersecurity regulation designed to prevent cyberattacks and protect private customer data, but it’s reach may go much farther than New York.
In a rare turn of compliance events, that’s actually a good thing for banks outside New York.
The new regulation, which took effect March 1 and gives institutions a year and a half to comply, spells out specific items that NY financial institutions will need to request from third-party vendors. That includes third-party service provider:
- Policies and procedures for access controls, including its use of Multi-Factor Authentication;
- Policies and procedures for use of encryption to protect nonpublic information; and
- Representations and warranties of cybersecurity policies and procedures related to the security information systems or nonpublic information.
How does this help your institution? If any of your vendors have clients in New York state, it should easily be able to provide your institution with this documentation to help with risk assessments, due diligence and other important areas of vendor management. It’s a great source of boilerplate information on security.
If they can’t give you these documents, that’s cause for concern. It’s a regulatory requirement for NY state clients. A vendor that can’t deliver obviously isn’t that concerned about compliance or regulatory requirements. They may be falling short in other compliance areas too.