NYDFS Finds Banks Have Significant Potential Cybersecurity Vulnerabilities | Practical Law

In a recent report, the New York Department of Financial Services (NYDFS) found that while banks rely on third-party vendors for a broad range of services, approximately 30% of surveyed banks do not require their vendors to notify them of an information security or other cybersecurity breach.

Practical Law Legal Update 8-608-7026 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 13 Apr 2015
USA (National/Federal)
On April 9, 2015, the New York Department of Financial Services (NYDFS) released a report describing potentially significant cybersecurity vulnerabilities of its regulated banks as a result of their relationships with third-party vendors such as law firms, check/payment processors, trading and settlement operations and data processing companies.
Based on a review of the responses of 40 regulated banking organizations, the NYDFS report highlights the most critical common issues and concerns, including that:
  • Approximately 30% of the banks do not require third-party vendors to notify them of an information security breach or other cybersecurity breach.
  • Only 38% of banks, and 50% of large institutions, encrypt at-rest data.
  • Twenty-one percent of banks do not require third-party vendors to represent that they have established minimum information security requirements.
  • Only 36% of banks require their third-party vendors to extend the vendor's minimum information security requirements to their subcontractors.
  • Fewer than half of the banks require on-site assessments of their third-party vendors.
  • Forty-four percent of the banks do not require a warranty of the integrity of the third-party vendors' data or products.
  • Fewer than half of the banks reported having cyber-insurance policies that explicitly cover third-party information security failures.
To address these concerns, the NYDFS plans to introduce regulations to strengthen cybersecurity standards for banks' third-party vendors. These include, among other regulations, potential measures related to the representations and warranties banks receive about the third party's cybersecurity protections.