Tag Archives: NYDFS

MBA Panel Discusses Third Party Risk Issues

According to HousingWire, a panel at the Mortgage Bankers Association mortgage servicing conference discussed cyber risks, and one that seems to have the attention of regulators is risk introduced by vendors.  All you have to do is think back to Target, Home Depot and the Office of Personnel Management (collectively around 200 million compromised records).  In all three cases, the attackers' entry point was a vendor.

The panel pointed to guidelines from The New York Department of Financial Services (NYDFS), which are voluntary now, but may not be voluntary for long.  NYDFS is working with many state and federal regulators to make their view of the universe the nation’s standard.

While NYDFS only regulates entities like banks, insurance companies and broker-dealers (among others), there is a food chain to consider.  If you sell to or provide services for one of these covered entities, then that entity is going to require that you measure up to their regulator’s rules.  Otherwise, the regulator will come after them.

The NYDFS wants their rules to be included in the contracts that regulated entities use.  That way there is no question.  If you don't want to agree to these terms, then don't do business with them.

Some of the rules include:

  • Requirement to use two-factor (or multi-factor) authentication.
  • Use of encryption at rest and in motion.
  • Notification in case of a breach (yes, believe it or not, some banks were recently found not to require that vendors tell them if the vendor was breached).
  • Indemnification in case the entity that is contracting for services experiences a loss due to the vendor being breached.
  • A requirement that the entity be able to audit the third party vendor (you may recall some issues around Blue Cross and their refusal to let the feds audit them.  With this clause in the contract, no audit, no payments).
  • Finally, reps and warranties regarding the third party's information security.

This is only a partial list of the requirements, but as you can see, the implications are serious.  If Target’s refrigeration vendor had to indemnify them, the vendor would be out of business.

AND, the NYDFS is working with other regulators to get them to adopt these same rules.

So, while this only affects New York regulated entities and any company that does business with them, expect this to grow.  Look for a future blog post on what California is doing in this area.

One option is to wait until the rules are mandatory and then scramble to react to them.  Alternatively, you could be proactive and create a vendor risk management program under your timeline.  The second way may be less stressful.  It will allow you to grow the program over time as you work out the kinks.


Information for this post came from HousingWire.


NY Regulator Unveils Proposed New Cyber Security Regulations

When Ben Lawsky was running the New York Department of Financial Services, he proposed new cyber security examination rules.  Now that he has gone on to start his own legal consulting firm, the legacy he started continues.

This week the post-Lawsky NYDFS has released a set of proposed cyber security regulations.  And, just to up the ante, they shared their proposed regulations with every other significant regulator: the Federal Reserve, the OCC, the SEC and every other state regulator.  Their goal is to get everyone to adopt the same basic rules.

So what is in this gem?  If you are a state or federally chartered bank, an insurance company or a broker-dealer, you might want to check this out.  Here they are:

  • 12 very specific policies and procedures including data governance, access controls, systems and application development and QA, vendor and third party risk management and incident response.  That is just one of the items.
  • Third party service provider management
  • Multi-factor authentication
  • Hiring a CISO, who must submit an annual report to the regulator, signed off on by the Board
  • Application security procedures, guidelines and standards
  • Cyber security staff and intelligence
  • Cyber security audit
  • Notification of the department in the event of any cyber security incident.

While this is only a proposal and may change, it likely will not “go away”.

If you are a regulated entity, now might be a good time to start planning and getting ready for whatever comes.


Information for this post came from the WSJ and Reuters.
