Third Party Service Provider Cybersecurity Management: The (Not Quite) Last Requirement of the New York Department of Financial Services Cybersecurity Regulation

Privacy & Cybersecurity Newsletter
January 2019

In prior issues, we have reported on the various requirements imposed by the New York Department of Financial Services (the DFS) Cybersecurity Regulation (23 NYCRR 500) (the Regulation) on “Covered Entities,” which are defined to include all licensees of the DFS. The Regulation’s final transition date is March 1, 2019, by which time Covered Entities are required to satisfy the obligations of Section 11 of the Regulation for a Third Party Service Provider Security Policy.

What is required?

The Regulation requires Covered Entities to manage the cybersecurity of Information Systems and Nonpublic Information that are accessible to or held by Third Party Service Providers (TPSPs).

Information Systems and Nonpublic Information. The earlier requirements of the Regulation have required Covered Entities to identify their Information Systems and Nonpublic Information, which can be summarized as:

  • Information Systems include electronic systems that process data or handle important business and operational functions of the Covered Entity.
  • Nonpublic Information includes electronic (not paper) information that encompasses personal information (including health and medical information) as that term is normally used in state breach notification requirements, as well as business information that could, if compromised, cause a material harm to the business.

Relationships in scope as a Third Party Service Provider. Many Covered Entities struggle with the definition of Third Party Service Provider, which is defined as a “Person” that: (i) is not an “Affiliate” of the Covered Entity; (ii) provides services to the Covered Entity; and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity. 23 NYCRR 500.01(n). For this purpose, the terms “Person” and “Affiliate” are defined as commonly used in other laws and regulations. Therefore, each Covered Entity needs to identify its TPSPs by carefully considering the following questions with respect to the Covered Entity’s relationship with any nonaffiliate:

  • Does the Person provide services to the Covered Entity?
  • Does the Person maintain, process or otherwise obtain access to Nonpublic Information through its provision of services to the Covered Entity?

If the answer to each of these questions is “yes,” then the Person is a TPSP for purposes of the Regulation.

It is important to note that the definition of TPSP does not exempt Persons that are themselves Covered Entities, and that the DFS has clarified that the requirements concerning TPSPs apply to Persons that meet the definition, regardless of whether a TPSP is independently required to comply with the Regulation as a Covered Entity. This issue has been of particular interest to the insurance industry, where carriers that are Covered Entities have questioned whether they need to address the cybersecurity risk presented by their producers that are also Covered Entities but are not covered by the carrier’s cybersecurity program. If the producer provides services to the Covered Entity, and if, through providing these services, the producer maintains, processes or obtains access to Nonpublic Information, then the producer is a TPSP and must be considered in scope for purposes of the requirements of Section 11 of the Regulation.

There are other, often more obvious, examples, such as outsourced IT, payment processors and payroll services providers, ‎that would meet the definition of TPSP for the Covered Entity. 

Specific requirements of Section 11. Each Covered Entity must implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to or held by TPSPs. These policies and procedures are to be based on the Risk Assessment of the Covered Entity, and must address the following, to the extent applicable:

  • the identification and risk assessment of TPSPs;
  • minimum cybersecurity practices required to be met by TPSPs in order for them to do business with the Covered Entity;
  • due diligence processes used to evaluate the adequacy of cybersecurity practices of TPSPs; and
  • periodic assessment of TPSPs based on the risk they present and the continued adequacy of their cybersecurity practices.

The Covered Entity’s policies and procedures are required to include relevant guidelines for due diligence and/or contractual protections relating to TPSPs. To the extent applicable, the guidelines should address requirements for access controls (including the TPSP’s use of multi-factor authentication to limit access to the relevant Information Systems and Nonpublic Information), encryption of Nonpublic Information in transit and at rest, notice to be provided to the Covered Entity in the event that the TPSP experiences a Cybersecurity Event affecting the Covered Entity’s Information Systems or Nonpublic Information, and contractual representations and warranties to be made by the TPSP that relate to cybersecurity.

How to satisfy the Section 11 requirements?

For many Covered Entities, the requirements for TPSPs are onerous and require thoughtful planning and careful execution.

  • Determine what third parties are in scope. What services do they provide? In connection with the services, do they have access to Nonpublic Information and/or Information Systems?
  • Assess the risk. The risk assessment of TPSPs drives the requirements for policies and procedures, due diligence and contractual terms. For Covered Entities with many TPSP relationships, it is often practical to tier relationships by the risk each type presents, so that due diligence and contractual effort can be concentrated on the TPSPs with the broadest access to Nonpublic Information and Information Systems.
  • Develop the policy. The Covered Entity must develop a TPSP cybersecurity policy “designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, [TPSPs],” based on the risk assessment. The specific requirements and guidelines described above must be incorporated to the extent applicable. Required levels of due diligence and contractual terms should be incorporated into and attached to the policy. The policy should contemplate that exceptions may need to be made, and certain risks may need to be accepted. The policy should provide for these situations, with appropriate provisions for approval of exceptions, risk acceptance and mitigation, and reassessment.
  • Implement the policy. Due diligence must be conducted and contractual terms implemented. Due diligence usually involves some form of questionnaire, which must be drafted, disseminated and evaluated, often requiring follow-up with particular TPSPs. Contracts must be reviewed and, where appropriate, amended, often by attaching a cybersecurity addendum to existing contracts. TPSPs can be expected to push back on or negotiate these contractual terms, often resulting in further discussion, review and negotiation.
  • Make the deadline! With a transition date of March 1, 2019, there is much to accomplish to satisfy this requirement in a timely fashion, so that the Covered Entity can certify its compliance by the subsequent certification deadline of February 15, 2020. Working toward the March 1 deadline is not good enough; the requirement must be met by that date. The exception and risk acceptance provisions of the policy described above are critical: they allow follow-up items to be tracked within the policy without a failure to meet the deadline. For example, if the required contractual provisions with a particular TPSP cannot be completed prior to March 1, consider whether the policy permits an exception to be made, and the risk to be mitigated and accepted, with the open item tracked to completion.

It’s the final transition date; why is this not the last requirement?

Covered Entities must vet and onboard any new TPSPs in accordance with the TPSP cybersecurity policy. Periodic risk assessments must be performed, even for current TPSPs, to address changes in the threat environment and other developments. As is true for most of the Regulation, the Section 11 requirements for TPSPs are ongoing for every Covered Entity. Covered Entities have a great deal to accomplish to satisfy these requirements by March 1, 2019, and to meet their continuing obligations under the Regulation.