This regulation has since been adopted in final form; the final regulation and the changes from what was proposed are covered in a separate article.
On July 29, 2022, the New York Department of Financial Services (NYDFS) released a set of proposed amendments to its cybersecurity regulation (23 NYCRR Part 500) which, once adopted, will affect the financial institutions under its supervision. The proposal includes expanded notification obligations following unauthorized access to privileged accounts, more frequent and more detailed risk assessments, and multifactor authentication for privileged accounts.
What do these proposed amendments mean for your third-party risk management program? What risks might your vendors pose under these new requirements? And what does your team need to do to confirm that its vendors can comply?
Understanding the Proposed NYDFS Cybersecurity Amendments
Regulators have spent the past several months looking for better ways to require protections against cybercriminals. In keeping with that trend, the proposed amendments to NYDFS' Part 500 Cybersecurity Regulation aim to strengthen cybersecurity practices, incident reporting, and risk assessment. The goal is to make covered financial institutions more resilient to cyberattacks, preserve privacy, and protect nonpublic information.
Several of the key takeaways from these proposed amendments include:
- Updating cybersecurity processes and risk assessments
All institutions under NYDFS' supervision must maintain a cybersecurity program that follows several baseline practices, including multifactor authentication for privileged accounts, limiting access to nonpublic information to those who need it, disabling or removing unnecessary accounts and periodically reviewing access privileges, enforcing a written password policy that meets industry standards, and maintaining a complete asset inventory.
Risk assessments must be updated at least annually (and whenever a business or technology change materially changes the entity's cyber risk) and must account for the entity's specific circumstances, such as its size, locations, products or services, vendors and service providers, and governance.
- Imposing new notification periods and incident response plans
The existing rule already requires notice to NYDFS within 72 hours of determining that a cybersecurity event occurred that must be reported to another government or supervisory body, or that is reasonably likely to materially harm normal operations. The proposed amendments do not shorten that window; they expand the events that trigger it to include unauthorized access to a privileged account and the deployment of ransomware within a material part of the entity's systems, and they add a separate 24-hour notice requirement for any extortion payment made in connection with an event.
In addition, covered entities will be required to maintain incident response plans that address different types of events (including ransomware) as well as business continuity and disaster recovery plans. The BCDR plans must contain specific elements, including communication channels for essential stakeholders, procedures for backing up the data and infrastructure essential to operations, and identification of the personnel, documents, and facilities needed to keep the business running.
- Implementing new obligations for board members and governing entities
The amendments require that the board (or equivalent governing body) either have sufficient expertise and knowledge of cyber risk or be advised by subject matter experts who do, and that it approve the entity's cybersecurity policies. Covered entities must continue to designate a chief information security officer (CISO), or equivalent, to manage cybersecurity risk and oversee security controls; under the proposal the CISO must have adequate authority to do so, must report to the board at least annually, and must timely report material cybersecurity issues and proposed remediation to the board.
Third Parties and Their Compliance
With third-party data breaches and cyberattacks becoming a more serious threat across all industries, your vendors must follow the same guidelines and regulations you do. Part 500 already requires covered entities to maintain written policies for third-party service providers, covering due diligence, minimum cybersecurity practices, and periodic reassessment. Because the amended requirements fall on the covered institution, its third-party risk management team must consider whether each vendor can actually meet these expectations.
Your organization is the party responsible for compliance, and your vendors may play a larger role in your cybersecurity posture than you initially think. Consider whether a vendor will notify you of an incident quickly enough for you to meet your own 72-hour (or 24-hour) obligation to NYDFS. How often does the vendor audit and update its policies? Does it use multifactor authentication and limit privileged accounts and access to sensitive information to the people who need them? What happens if the vendor suffers a data breach, or a malicious actor gains access to your sensitive information through it?
Updating your own policies and procedures is only the first step. You must work with your vendors to confirm that they take the actions needed to comply with the amended regulation. If a vendor does not follow the appropriate practices, your organization may face the legal and regulatory consequences.
Questions to Consider When Assessing Your Vendors’ Compliance
Whatever industry you operate in, regulators generally hold your organization, not the vendor, accountable when a vendor's failure causes a compliance gap. Confirm that your vendors can meet your policies and procedures to avoid legal action, fines, and other damages.
When assessing your vendors and their compliance, consider the following questions:
- How does the vendor access and use your data?
- What processes are in place to protect your customers and their sensitive information?
- What is the vendor's notification policy following a data breach or other security threat?
- Are the vendor's operations consistent with the regulations and laws that apply to your industry?
- How often does the vendor assess and reassess its own vendors (your fourth parties)?
- How often does your vendor assess its cybersecurity measures?
- What controls does the vendor have in place to meet the updated rules?
- Does your vendor stay updated on the latest regulations and legislation?
After assessing a vendor, verify whether it can meet the new requirements. If its controls fall short, it may be time to consider offboarding and replacing the vendor before a security event occurs.
As regulators update their requirements, your organization must make the corresponding adjustments to its own program and confirm that its vendors have the controls needed to meet them. Failing to meet the new requirements puts your organization at significant risk and increases the likelihood of regulatory fines and legal action.