On April 9, 2015, the New York Department of Financial Services (“DFS”) released its report, Update on Cyber Security in the Banking Sector: Third Party Service Providers, which found that approximately 30 percent of the banks surveyed do not require third party vendors to report cyber security breaches.
The report is a follow-up to letters the DFS sent to 40 financial institutions in October 2014 that requested information on the policies and procedures established by each bank for protecting against loss as the result of a security breach by third party service providers. The report covers responses from what the DFS has categorized as “small” (less than $100 billion in assets), “medium” (between $100 billion and $1 trillion in assets) and “large” (more than $1 trillion in assets) institutions.
Some of the key findings from the report include:
- Only 35% of the banks surveyed require periodic on-site assessment of at least high-risk third party vendors;
- Only 20% of banks surveyed do not require third party service providers to verify that they have established minimum information security requirements and only one-third mandate that a third party vendor extend information security requirements to their subcontractors;
- Almost half of the banks surveyed do not require third party vendors to provide a warranty on the integrity of their data or products;
- Only 47% of the banks surveyed said they carried insurance that would cover security breaches by third party vendors;
- 90% of banks surveyed use encryption for data transmitted to and from third party vendors. However, only 38% use encryption for stored data.
Commenting on the report, Benjamin M. Lawsky, who is the Superintendent of Financial Services, said, “[a] bank’s cyber security is often only as good as the cyber security of its vendors. Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter.”
PIB Law is a multi-service law firm that focuses on litigation, arbitration and the full range of enforcement, transactional and regulatory issues confronting financial institutions and businesses nationwide. For more information, contact PIB Law at 908-725-9700.