According to HousingWire, a panel at the Mortgage Bankers Association mortgage servicing conference discussed cyber risks, and one that seems to have the attention of regulators is the risk introduced by vendors. All you have to do is think back to Target, Home Depot and the Office of Personnel Management (collectively around 200 million compromised records). In all three cases, the attackers' entry point was a vendor.
The panel pointed to guidelines from The New York Department of Financial Services (NYDFS), which are voluntary now, but may not be voluntary for long. NYDFS is working with many state and federal regulators to make their view of the universe the nation’s standard.
While NYDFS only regulates entities like banks, insurance companies and broker-dealers (among others), there is a food chain to consider. If you sell to or provide services for one of these covered entities, then that entity is going to require that you measure up to their regulator’s rules. Otherwise, the regulator will come after them.
The NYDFS wants their rules to be included in the contracts that regulated entities use. That way there is no question: if you don’t want to agree to these terms, then don’t do business with them.
Some of the rules include:
- A requirement to use two-factor (or multi-factor) authentication.
- Use of encryption at rest and in motion.
- Notification in case of a breach (yes, believe it or not, some banks were recently found to not require vendors to tell them if the vendor was breached).
- Indemnification in case the entity that is contracting for services experiences a loss due to the vendor being breached.
- A requirement that the entity be able to audit the third-party vendor (you may recall some issues around Blue Cross and their refusal to let the feds audit them; with this clause in the contract, no audit means no payments).
- Finally, representations and warranties (“reps and warranties”) regarding the third party’s information security.
This is only a partial list of the requirements, but as you can see, the implications are serious. If Target’s refrigeration vendor had to indemnify them, the vendor would be out of business.
AND, the NYDFS is working with other regulators to get them to adopt these same rules.
So, while this only affects New York regulated entities and any company that does business with them, expect this to grow. Look for a future blog post on what California is doing in this area.
One option is to wait until the rules are mandatory and then scramble to react to them. Alternatively, you could be proactive and create a vendor risk management program on your own timeline. The second way may be less stressful, since it allows you to grow the program over time as you work out the kinks.
Information for this post came from HousingWire.