New York Raises Standards for Third-Party Cybersecurity Vendors

December 2, 2025, 9:30 AM UTC

In the wake of a spate of cybersecurity settlements with health and auto insurance providers last month, the New York Department of Financial Services issued a letter to its covered entities for managing risks related to third-party service providers, or TPSPs. The DFS describes the guidance as drawing directly from lessons learned during recent examinations and investigations.

Given the increasing reliance on third-party service providers for critical activities ranging from compliance to cloud computing and fintech solutions, DFS sought to reiterate and elaborate on the relevant portions of its cybersecurity regulation, Part 500.

In particular, DFS notes that the “growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance.”

The guidance focuses on TPSP cyber risk within four domains of Part 500:

  • Identification, due diligence, and selection
  • Contracting arrangements
  • Management and oversight
  • Termination of relationships

Identification and Selection

The DFS acknowledges that the cybersecurity risks posed by each individual TPSP are unique and that covered entities should develop policies and procedures that apply a risk-based approach to assessment.

Entities should classify TPSPs based on the “risk profile, considering factors such as system access, data sensitivity, location, and how critical the service provided to the covered entity is to its operations.”

DFS provided a non-exhaustive list of TPSP cyber issues that covered entities should incorporate into applicable policies, including access to sensitive information, testing of incident response controls, and routine annual audits. DFS advises covered entities to vet TPSPs for cyber risks through the completion of questionnaires and direct engagement during the procurement process.

Contracts and Certifications

Contractual relationships are an essential part of any TPSP engagement, and DFS emphasizes several key provisions that covered entities should consider adding to standard form agreements, such as access controls, data encryption, cyber event notification, and data location and transfer.

Additionally, DFS highlights artificial intelligence as an area in which covered entities should develop terms to manage the risk of these emerging technologies. In an effort to synthesize guidance on both contracting and oversight, covered entities should consider a TPSP’s maintenance of AI audits or certifications as part of standard contractual clauses.

Given the emergence of trusted artificial intelligence audit standards such as ISO 42001 for AI Management Systems, NIST AI Risk Management Framework, and the Cloud Security Alliance STAR for AI, it seems reasonable for covered entities to incorporate contractual expectations for TPSPs’ maintenance of these certifications, analogous to cybersecurity expectations for annual SOC 2 or ISO 27001 testing.

Monitoring and Oversight

Given the pace of technology change, DFS advises that covered entities continually reevaluate policies and processes to encompass “a variety of factors, including the evolving threat and regulatory landscape, changes to products and services, and whether the TPSP has experienced a Cybersecurity Event.”

Consistent with collecting demonstrable evidence of assessment practices, such as questionnaires completed by TPSPs, covered entities should consider how to structure oversight programs so that they reflect the specific risks of each provider and the steps taken to mitigate identified risks.

Covered entities should lean on TPSPs to demonstrate how they can support monitoring functions. TPSPs can develop self-service features and reporting to facilitate efficient and streamlined oversight.

Such features may include routine reports of access or activity that can be generated on a self-service basis, the ability to extract and report on system metrics through platform APIs, and the availability of key cyber and risk documentation through trust center portals, supplemented by annual third-party validations such as penetration test results.

Terminating Relationships

The last step in any TPSP lifecycle is termination, and because cyber risks can lurk in offboarding, DFS outlines considerations for covered entities as part of that process.

When considering termination, DFS highlights the revocation of system access as a key consideration, along with disabling and revoking identity federation tools (such as SSO and OAuth tokens), API integrations, and external storage access for cloud computing-based platforms.
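The oversight and termination passages above both come down to the same underlying record: an inventory of every grant a TPSP holds (SSO app assignments, OAuth tokens, API keys, external storage shares) and when each was revoked. The following is an added illustration, not code from the article or from DFS, of how a risk team might use such an inventory both for a routine self-service access report and for a post-termination check that flags residual or late-revoked access. The vendor names, grant identifiers and dates are constructed for the example.

```python
"""Vendor (TPSP) access inventory: monitoring summary and offboarding check.

Added example; the Grant records, vendor names and dates are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    vendor: str
    kind: str                 # e.g. sso_assignment, oauth_token, api_key, storage_share
    subject: str              # the app, token, key or share the grant is attached to
    revoked_on: Optional[date] = None   # None means the grant is still in force


# Constructed sample inventory for two hypothetical vendors.
INVENTORY = [
    Grant("AcmeCloud", "sso_assignment", "acmecloud-saml-app", revoked_on=date(2025, 12, 1)),
    Grant("AcmeCloud", "oauth_token", "svc-acme-reporting"),
    Grant("AcmeCloud", "api_key", "acme-prod-key-01", revoked_on=date(2025, 11, 20)),
    Grant("AcmeCloud", "storage_share", "s3://claims-export/acme/"),
    Grant("OtherVendor", "sso_assignment", "othervendor-oidc"),
]

# Hypothetical contract end date for AcmeCloud and the date the check is run.
TERMINATION_DATE = date(2025, 11, 30)
CHECK_DATE = date(2025, 12, 2)


def active_grants(inventory, vendor, as_of):
    """Grants for `vendor` still in force on `as_of` (never revoked, or revoked later)."""
    return [
        g for g in inventory
        if g.vendor == vendor and (g.revoked_on is None or g.revoked_on > as_of)
    ]


def monitoring_summary(inventory, vendor, as_of):
    """Routine oversight report: count of active grants by kind on a given date."""
    return dict(Counter(g.kind for g in active_grants(inventory, vendor, as_of)))


def offboarding_report(inventory, vendor, termination_date, as_of):
    """Post-termination check.

    residual: grants still active on `as_of` (offboarding missed them).
    late:     grants revoked after termination_date but before or on `as_of`.
    """
    residual = active_grants(inventory, vendor, as_of)
    late = [
        g for g in inventory
        if g.vendor == vendor
        and g.revoked_on is not None
        and termination_date < g.revoked_on <= as_of
    ]
    return {"residual": residual, "late": late}


if __name__ == "__main__":
    print("Active grants before termination:",
          monitoring_summary(INVENTORY, "AcmeCloud", date(2025, 11, 1)))
    report = offboarding_report(INVENTORY, "AcmeCloud", TERMINATION_DATE, CHECK_DATE)
    for g in report["residual"]:
        print(f"RESIDUAL {g.kind}: {g.subject}")
    for g in report["late"]:
        print(f"LATE     {g.kind}: {g.subject} (revoked {g.revoked_on})")
```

In practice the inventory would be populated from the identity provider's app assignments, the OAuth consent list, the API gateway's key registry and the storage platform's sharing configuration rather than typed in by hand; the value of the check is that it runs against the same data the TPSP's self-service reports draw from, so the monitoring evidence collected during the relationship doubles as the offboarding evidence at its end.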

As with oversight, covered entities should consider what built-in features TPSPs offer to facilitate smooth and seamless termination. Oftentimes, controls supporting the routine operation of TPSP platforms also support termination and can make life easier for risk and compliance teams throughout the entire relationship.

Specifically, controls for importing and exporting data at any time during an engagement are beneficial during the term of a covered entity-TPSP relationship as well as upon termination.

In another overlap between items in the guidance, covered entities should outline appropriate termination protocols in TPSP agreements to avoid “data hostage” fees for the export of information at the end of a relationship and to prevent the use of proprietary file formats that hinder data portability.

Collectively, the guidance shines a light on key cybersecurity considerations that legal and compliance teams should focus on to evidence adherence to Part 500 and to raise risk management practices generally. The guidance further solidifies the DFS’ position as a standard bearer for meaningful cybersecurity regulation, with an influence that reverberates outside the borders of New York state.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Marc Gilman is general counsel and vice president of compliance at Theta Lake, and adjunct professor at Fordham University School of Law.

To contact the editors responsible for this story: Max Thornberry at jthornberry@bloombergindustry.com; Jada Chin at jchin@bloombergindustry.com