In a sign of what may well be coming for all highly regulated industries around the world, US financial services regulators are in the process of significantly enhancing their cybersecurity rules, including substantial new rules affecting third party relationships. These new rules will place significant expectations on financial services organizations to ensure that the third parties they work with have ample cybersecurity protections in place – often protections to the standard expected of the financial services industry itself.
The New York State Department of Financial Services issued new cybersecurity requirements for financial services companies in mid-February. In the US, each state has its own office of banking regulation which oversees certain institutions in its jurisdiction. The New York State Department of Financial Services has particular clout because of the number of financial services entities physically located within its boundaries. The new cyber rules cover foreign banks and insurers operating in the state, as well as state-chartered banks. The rules take effect on 1 March 2017.
In addition, the Office of the Comptroller of the Currency (OCC), the Federal Reserve (Fed) and the Federal Deposit Insurance Corporation (FDIC) issued an Advance Notice of Proposed Rulemaking (ANPR) in October – Enhanced Cyber Risk Management Standards. A wide range of organizations responded by the mid-February deadline, including the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC), a financial industry body set up in 2002 specifically to work with regulators and the industry on these kinds of systemic risk issues. Another US-based organization to respond was the Financial Services Roundtable’s technology policy arm, BITS.
The third party proposals around cyber risk in the October Advance Notice of Proposed Rulemaking include:
- A requirement that financial firms integrate an external dependency management strategy into their overall strategic risk management plan, covering the lifespan of the relationship;
- A proposal that financial services firms should establish plans, policies and procedures to identify and manage real-time cyber risks associated with third parties, across the relationship lifespan;
- A requirement for a comprehensive database of third parties – something already contained in the OCC’s recent proposals. This database would contain real-time information that would enable the financial institution to monitor cyber risk and ensure the third party stayed within the financial institution’s cyber risk appetite;
- A proposal that financial institutions continually apply and evaluate third party controls to reduce cyber risk;
- A proposal to apply financial institution standards for cyber risk management directly to third parties;
- A requirement that financial institutions have a substitute for every critical third party to hand in the event of a cyber event.
The new New York State rules align with the ANPR proposals on both cyber risk and the treatment of third parties in a number of areas, including requirements for a governance structure, policies, procedures, and risk assessments. However, the New York policy is distinctive in a couple of specific areas, including:
- A requirement for the use of multi-factor authentication for third party access to financial institution systems;
- Encryption of non-public data used by third parties.
The US banking industry – voiced in part via the FSSCC and FSR/BITS – has a range of concerns about this flurry of cyber risk proposals for third parties, including the fact that proposals are emerging at both the State and the Federal level. As a first step, the industry asks that State and Federal regulators align their demands around cyber risk management to reduce the complexity and cost of compliance.
Not surprisingly, the financial industry is pushing back across a number of other fronts too. The FSR/BITS is particularly concerned about the burden of responsibility that it says the new proposals will place on financial services firms:
“As a practical matter, FSR/BITS is concerned that responsibility for oversight of third parties will be placed upon the covered entities, creating a new and potentially onerous operational risk in both time availability of skilled resources and cost. Financial institutions contract with hundreds, if not thousands, of third-party vendors for a variety of services. Requiring financial institutions to audit each and every one of these vendors rather than commensurate with their risk profile and the particular contractual relationship, to the extent doing so is even feasible, would not only strain the resources of the covered entities themselves, but also the vendors, as many of them contract with multiple financial institutions.”
The proposal that third party providers outside the financial services industry be subject to the same cyber risk rules as the banking industry was roundly criticized by the FSSCC, which says it would prefer to shift the burden onto the regulatory bodies through agency-approved third party certifications that replace the due diligence banks currently perform on their third parties. Many third party providers do not have the same level of cyber risk infrastructure as financial services firms, and the industry is worried that if these third parties are made to meet financial services compliance standards they will exit the market due to compliance costs.
The FSSCC also says that “alternate providers for every service or redundancy are not always available, depending on the expertise required or the type of service.” As an example, the body points out that some critical settlement services are only offered by national governments, central banks, or other government entities.
Along the same lines, the FSR/BITS letter raises concerns about the ability of financial institutions to obtain the contract terms suggested by the Advance Notice of Proposed Rulemaking from third parties:
“FSR/BITS members are similarly wary of requiring certain contractual terms to be included in third-party contracts. There is often minimal leverage for the negotiation of vendor contracts, particularly with respect to larger (and potentially more secure) third-party vendors, such as Amazon or Microsoft. Should prescriptive contractual terms be required by the enhanced standards, financial institutions would be forced to contract with those limited number of third parties willing to add such language to their contract. Vendors willing to adopt these terms may not be the most secure or competitive choices for the services, creating inefficiencies and raising potential security risks across the sector.”
It’s clear that the New York State banking regulations, as well as the Federal-level Advance Notice of Proposed Rulemaking, will create significant challenges for US-based organizations seeking to comply with cyber risk rules around third parties. It seems likely that whatever new rules emerge at the Federal level will have a significant impact not only on financial services organizations but also on the third parties they contract with. The need to keep on top of third party relationship information, and to communicate and manage risks collaboratively with third parties, is set to continue to evolve significantly.