In prior issues, we have reported on the various requirements imposed by the New York Department of Financial Services (the DFS) Cybersecurity Regulation (23 NYCRR 500) (the Regulation) on “Covered Entities,” which are defined to include all licensees of the DFS. The Regulation’s final transition date is March 1, 2019, by which time Covered Entities are required to satisfy the obligations of Section 11 of the Regulation for a Third Party Service Provider Security Policy.
What is required?
The Regulation requires covered entities to manage the cybersecurity of Information Systems and Nonpublic Information that are accessible to or held by Third Party Service Providers (TPSPs).
Information Systems and Nonpublic Information. The earlier requirements of the Regulation have required Covered Entities to identify their Information Systems and Nonpublic Information, which can be summarized as:
Relationships in scope as a Third Party Service Provider. Many Covered Entities struggle with the definition of Third Party Service Provider, which is defined as: a “Person” that: (i) is not an “Affiliate” of the Covered Entity; (ii) provides services to the Covered Entity; and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity. 23 NYCRR 500.01(n). For this purpose, the terms “Person” and “Affiliate” are defined as commonly used in other laws and regulations. Therefore, each Covered Entity needs to identify its TPSPs by carefully considering the following questions with respect to the Covered Entity’s relationship with any nonaffiliate:
If the answer to each of these questions is “yes,” then the Person is a TPSP for purposes of the Regulation.
It is important to note that the definition of TPSP does not exempt Persons that are themselves Covered Entities, and that the DFS has clarified that the requirements concerning TPSPs apply to Persons that meet the definition, regardless of whether a TPSP is independently required to comply with the Regulation as a Covered Entity. This issue has been of particular interest to the insurance industry, where carriers that are Covered Entities have questioned whether they need to address the cybersecurity risk presented by their producers that are also Covered Entities but are not covered by the carrier’s cybersecurity program. If the producer provides services to the Covered Entity, and if, through providing these services, the producer maintains, processes or obtains access to Nonpublic Information, then the producer is a TPSP and must be considered in scope for purposes of the requirements of Section 11 of the Regulation.
There are other, often more obvious, examples, such as outsourced IT, payment processors and payroll services providers, that would meet the definition of TPSP for the Covered Entity.
Specific requirements of Section 11. Each Covered Entity must implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to or held by TPSPs. These policies and procedures are to be based on the Risk Assessment of the Covered Entity, and must address the following, to the extent applicable:
The Covered Entity’s policies and procedures are required to include relevant guidelines for due diligence and/or contractual protections relating to TPSPs. To the extent applicable, the guidelines should address requirements for access controls, encryption, notice to be provided to the Covered Entity in the event that the TPSP experiences a Cybersecurity Event, and contractual representations and warranties to be made by the TPSP that relate to cybersecurity.
How to satisfy the Section 11 requirements?
For many Covered Entities, the requirements for TPSPs are onerous and require thoughtful planning and careful execution.
It’s the final transition date; why is this not the last requirement?
Covered Entities must vet and onboard any new TPSPs in accordance with the TPSP cybersecurity policy. Periodic risk assessments must be performed, even for current TPSPs, to address changes in the threat environment and other developments. As is true for most of the Regulation, the Section 11 requirements for TPSPs are ongoing for every Covered Entity. Covered Entities have a great deal to accomplish to satisfy these requirements by March 1, 2019, and to meet their continuing obligations under the Regulation.