New York State Department of Financial Services. Update on Cyber Security in the Banking Sector: Third Party Service Providers



Similar documents
Past vs. Present: Third Party Risk

Identifying and Managing Third Party Data Security Risk

Anthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members:

Vendor Management. Outsourcing Technology Services

White Paper on Financial Institution Vendor Management

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

Client Update SEC Releases Updated Cybersecurity Examination Guidelines

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

New York State Department of Financial Services. Report on Cyber Security in the Banking Sector

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

White Paper on Financial Industry Regulatory Climate

Risk Management of Outsourced Technology Services. November 28, 2000

DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

VENDOR MANAGEMENT. General Overview

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Cyber Governance Preparing for the Inevitable Perimeter Breach

CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

FINRA Publishes its 2015 Report on Cybersecurity Practices

Attachment A. Identification of Risks/Cybersecurity Governance

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

April 28, Dear Mr. Chairman:

Outsourcing Technology Services A Management Decision

Data Recovery Service Providers: The Low Profile, High Impact Risk to Enterprise Security

Policy Title: HIPAA Security Awareness and Training

State Governments at Risk: The Data Breach Reality

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Page 1 of 15. VISC Third Party Guideline

Cloud Computing: Legal Risks and Best Practices

WHITE PAPER Third-Party Risk Management Lifecycle Guide

POSTAL REGULATORY COMMISSION

STATE OF NEW JERSEY Security Controls Assessment Checklist

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Human Resource (HR) and Security Awareness v1.0 September 25, 2013

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Data Privacy, Security, and Risk Management in the Cloud

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Five keys to a more secure data environment

SEC Cybersecurity Findings May Establish De Facto Standard

HIPAA S BUSINESS ASSOCIATE REQUIREMENTS FOR PATHOLOGISTS AND LABORATORIES

Navigating Vendor Management Issues in Today s Regulatory Environment

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

Terms and Conditions of Use - Connectivity to MAGNET

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

Cyber and Data Risk What Keeps You Up at Night?

Information Security Program Management Standard

Privacy Governance and Compliance Framework Accountability

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

CYBERSECURITY EXAMINATION SWEEP SUMMARY

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Fortinet Solutions for Compliance Requirements

Page 1. Copyright MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.

Jim Bray, Cyber Security Adviser InfoSight, Inc.

The promise and pitfalls of cyber insurance January 2016

Third Party Security Guidelines. e-governance

The Second National HIPAA Summit

OCIE CYBERSECURITY INITIATIVE

PLEASE ALSO ATTACH THE FOLLOWING: Specimen

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Intel Enhanced Data Security Assessment Form

Leveraging Regulatory Compliance to Improve Cyber Security

Cyber-Security White Paper Final 1Q2013 Version. to HIT Commission Feb. 21, 2013

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

How to Protect Intellectual Property While Offshore Outsourcing?

An Introduction to HIPAA and how it relates to docstar

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Mitigating and managing cyber risk: ten issues to consider

Logging In: Auditing Cybersecurity in an Unsecure World

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

HIPAA BUSINESS ASSOCIATE AGREEMENT

FFIEC Cybersecurity Assessment Tool

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

Top Ten Technology Risks Facing Colleges and Universities

Outsourcing in the Financial Services Industry: Finding Opportunities and Managing Risk. New York. OCC and FRB Guidance on Managing Third-Party Risk

PROPOSED INTERPRETIVE NOTICE

Information Technology Internal Audit Report

Cybersecurity A Clear and Present Danger

To: Our Clients and Friends March 25, 2014

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

References: County Policy Manual- Credit Card Payments; Vendor Remote Access Request Form

What is Management Responsible For?

In the Cloud Risk Assessments in the Great Unknown

GEARS Cyber-Security Services

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

Seminar on Unfair Competition Enforcement in the United States and Supply Chain Cybersecurity Issues. Palace Hotel Saigon, HCMC, November 19 th 2014

Information Technology

Legal Issues in the Cloud: A Case Study. Jason Epstein

BUSINESS ASSOCIATE AGREEMENT

Transcription:

New York State Department of Financial Services Update on Cyber Security in the Banking Sector: Third Party Service Providers April 2015

Update on Cyber Security in Banking Sector: Third-Party Service Providers I. Introduction In May 2014, the New York State Department of Financial Services ( the Department ) published a report titled Report on Cyber Security in the Banking Sector that described the findings of its survey of more than 150 banking organizations. The report specifically highlighted the industry s reliance on third-party service providers for critical banking functions as a continuing challenge. In light of the increasing number and sophistication of cyber attacks, including recent breaches at both banks and insurers, the Department is now considering, among other regulations, cyber security requirements for financial institutions that would apply to their relationships with third-party service providers. In connection with that effort, the Department sent a letter in October 2014 to 40 regulated banking organizations requesting information about the practices currently in place surrounding the management of their third-party service providers. After reviewing the responses (which included relevant policies and procedures), the Department noted a number of common issues and concerns and has drafted this update to the May 2014 report to highlight the most critical observations. The October 2014 letter asked for information about due diligence processes, policies and procedures governing relationships with third-party vendors, protections for safeguarding sensitive data, and protections against loss incurred due to third-party information security failures. For the purposes of this report, banking organizations have been categorized as small (assets < $100 billion), medium (assets between $100 and $1 trillion), and large (assets > $1 trillion). Additionally, the Department asked each of the surveyed banking organizations to describe any steps it has taken to adhere to the Framework for Improving Critical Infrastructure Cybersecurity issued by the U.S. Commerce Department s National Institute of Standards and Technology ( NIST ) on February 12, 2014 concerning third-party stakeholders. The NIST framework is generally viewed as a set of baseline principles for cybersecurity. Interestingly, while the overwhelming majority of the respondents stated that they had taken or were taking steps to incorporate NIST principles, the application of those principles may vary across institutions, described in more detail below. II. Observations A. Due Diligence Processes The Department asked each banking organization to describe any due diligence processes used to evaluate the adequacy of information security practices of third-party service providers. All but one of the surveyed banking organizations classify their third-party service providers by risk and 95% of the surveyed banking organizations conduct specific information security risk assessments of at least their high-risk vendors. Banking organizations typically classify any vendors with access to sensitive bank or customer data as high-risk, material, and/or critical. 2

Examples of third-party vendors that were classified as high-risk or material include check/payment processors, trading and settlement operations, and data processing companies. However, some banking organizations have exemptions from their customary due diligence for individual consultants and professional service providers (e.g., legal counsel). Examples of third-party vendors that were classified as low-risk include providers of office supplies, printing services, food catering, and janitorial services. Ninety percent of the banking organizations surveyed have information security requirements for their third-party vendors, although the nature and specificity of these requirements vary. Some large institutions set forth specific requirements, including data encryption, access controls, data classification, and business continuity and disaster recovery plans, while other institutions (both large and small) merely require compliance with more general information security standards. While nearly all of the surveyed banking organizations have policies and procedures that require reviews of information security practices both during vendor selection and as part of their periodic review, fewer than half of the institutions surveyed require any on-site assessments of their third-party vendors, as illustrated in Table 1. Only 46% of the surveyed institutions are required to conduct pre-contract on-site assessments of at least high-risk third-party vendors, while only 35% are required to conduct periodic on-site assessments of at least high-risk thirdparty vendors. TABLE 1 On-Site Assessment of At Least High-Risk Third- Party Vendors 4 Pre-contract Periodic Total Foreign Domestic - Large and Medium Domestic - Small 3

B. Policies and Procedures Governing Relationships with Third-Party Service Providers The Department asked each banking organization to provide a copy of any policies and procedures governing relationships with third-party service providers that address information security risks, including setting minimum information security practices or requiring representations and warranties concerning information security. All of the institutions surveyed have written vendor management policies, and all but three have written procedures for selecting third-party vendors. Most of these policies appear to have been written and/or updated within the last several years. Most of the institutions surveyed require third-party vendors to represent that they have established minimum information security requirements, although 21% of them do not, as illustrated in Table 2. Only 36% of the surveyed banking organizations require those information security requirements to be extended to subcontractors of the third-party vendors. TABLE 2 Require Representations by Third Parties of Minimum Information Security Standards 4 Require representations of minimum information security requirements Require information security requirements for subcontractors Total Foreign Domestic - Large and Medium Domestic - Small 4

Most of the surveyed banking organizations require the right to audit their third party vendors, although 21% of them do not. Nearly half (44%) of the institutions do not require a warranty of the integrity of the third-party vendor s data or products (e.g., that the data and products are free of viruses). Larger institutions are more likely to require such warranties than small and medium-size institutions, as illustrated in Table 3. TABLE 3 4 Required Warranty of Integrity of Data and Products Total Large (> $ 1 trillion) Medium ($100B - $1T) Small (<$100 billion) Thirty percent of the banking organizations surveyed do not appear to require their third-party vendors to notify them in the event of an information security breach or other cyber security breach. C. Protections for Safeguarding Sensitive Data The Department asked each institution to describe any protections used to safeguard sensitive data that is sent to, received from, or accessible to third-party service providers, such as encryption or multi-factor authentication. Ninety percent of the surveyed banking organizations utilize encryption for any data transmitted to or from third parties. However, only 38% of the surveyed institutions ( of large institutions) use encryption for data at rest. Seventy percent of the surveyed institutions require multi-factor authentication ( MFA ) for at least some third-party vendors to access sensitive data or systems. However, the surveyed foreign banks (primarily large institutions) require MFA much more than large or small domestic institutions. When used, MFA is primarily required for third-party vendors that remotely access sensitive data or banking systems, either on computers or portable devices. 5

TABLE 4 Protections Used to Safeguard Data Data encrypted in transit Data encrypted at rest Total Foreign Domestic - Large and Medium Domestic - Small Multi-factor authentication required to access data 4 D. Protections against Loss Incurred by Third-Party Information Security Failures The Department asked each banking organization to list any and all protections against loss incurred as a result of an information security failure by a third-party service provider, including any relevant insurance coverage. Sixty-three percent of the surveyed institutions (78% of large institutions) informed the Department that they carry insurance that would cover cyber security incidents. However, only 47% of the surveyed institutions reported having cyber insurance policies that explicitly cover information security failures by a third-party vendor. Only half of the banking organizations surveyed require indemnification clauses in their agreements with third-party vendors. 6

TABLE 5 Protections Against Loss Incurred by Third-Party Breaches 4 Cyber insurance Cyber insurance covering third party information security failure Indemnification clause in vendor agreements Total Large (> $1 trillion) Medium ($100B - $1T) Small (<$100 billion) V. Conclusion Based on the responses that the Department received, banking organizations appear to be working to address the cyber security risks posed by third-party service providers, although progress varies depending on the size and type of institution. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information