The New York State Department of Financial Services (NYDFS) has released a report entitled "Update on Cyber Security in the Banking Sector: Third Party Service Providers." The report details the findings of an October 2014 survey of 40 banking organizations regulated by the department, and identifies potential cyber security vulnerabilities with banks’ third-party vendors. Banks rely on third-party vendors for a broad range of services, and those vendors often have access to a financial institution’s information technology systems, providing a potential point of entry for hackers to obtain sensitive customer data. Among the report’s findings, the department found that 1 in 3 surveyed banks did not require third-party vendors to notify them of cyber security breaches.
As a result of the report’s findings, NYDFS is now considering new regulations for financial institutions, establishing cyber security standards applicable to their relationships with third-party service providers, including potential measures related to the representations and warranties banks receive about the cyber security protections those providers have in place. These regulations could have a significant compliance impact on third-party service providers, including the title insurance industry.
The NYDFS report is the latest step the department has taken in examining cyber security issues among its regulated entities. It follows the publication of its initial May 2014 report on cyber security in the banking sector, its February 2015 report surveying insurers’ cyber security readiness and plans, and the issuance of a Section 308 letter in March requesting information technology reports from insurers in anticipation of conducting risk assessments.
State and federal actions highlight the continued trend of an increasingly regulated environment, and corresponding liability risks, for these entities. Those actions include the NYDFS’s cyber security reports and expected regulations, and the Consumer Financial Services Bureau’s clear statements that supervised banks are expected to oversee and monitor activities of their third-party service providers to ensure compliance with federal consumer finance laws.