Third Party Service Provider Cybersecurity Management: The (Not Quite) Last Requirement of the New York Department of Financial Services Cybersecurity Regulation

In prior issues, we have reported on the various requirements imposed by the New York Department of Financial Services (the ‎DFS) Cybersecurity Regulation (23 NYCRR 500) (the Regulation) on “Covered Entities,” which are defined to include all licen-‎sees of the DFS. The Regulation’s final transition date is March 1, 2019, by which time Covered Entities are required to satisfy ‎the obligations of Section 11 of the Regulation for a Third Party Service Provider Security Policy.‎

What is required?

The Regulation requires covered entities to manage the cybersecurity of Information Systems and Nonpublic Information that ‎are accessible to or held by Third Party Service Providers (TPSPs). ‎

Information Systems and Nonpublic Information. The earlier requirements of the Regulation have required Covered Entities ‎to identify their Information Systems and Nonpublic Information, which can be summarized as:‎

• Information Systems include electronic systems that process data or handle important business and operational functions of ‎the Covered Entity.‎
• Nonpublic Information includes electronic (not paper) information that encompasses personal information (including health ‎and medical information) as that term is normally used in state breach notification requirements, as well as business infor-‎mation that could, if compromised, cause a material harm to the business.

Relationships in scope as a Third Party Service Provider. Many Covered Entities struggle with the definition of Third Party Ser-‎vice Provider, which is defined as: a “Person” that: (i) is not an “Affiliate” of the Covered Entity; (ii) provides services to the ‎Covered Entity; and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision ‎of services to the Covered Entity. 23 NYCRR 500.01(n). For this purpose, the terms “Person” and “Affiliate” are defined as ‎commonly used in other laws and regulations. Therefore, each Covered Entity needs to identify its TPSPs by carefully consid-‎ering the following questions with respect to the Covered Entity’s relationship with any nonaffiliate:

• Does the Person provide services to the Covered Entity?‎
• Does the Person maintain, process or otherwise obtain access to Nonpublic Information through its provision of services to ‎the Covered Entity?‎

If the answer to each of these questions is “yes,” then the Person is a TPSP for purposes of the Regulation.

It is important to note that the definition of TPSP does not exempt Persons that are themselves Covered Entities, and that the ‎DFS has clarified that the requirements concerning TPSPs apply to Persons that meet the definition, regardless of whether a ‎TPSP is independently required to comply with the Regulation as a Covered Entity. This issue has been of particular interest ‎to the insurance industry, where carriers that are Covered Entities have questioned whether they need to address the cyber-‎security risk presented by their producers that are also Covered Entities but are not covered by the carrier’s cybersecurity ‎program. If the producer provides services to the Covered Entity, and if, through providing these services, the producer ‎maintains, processes or obtains access to Nonpublic Information, then the producer is a TPSP and must be considered in ‎scope for purposes of the requirements of Section 11 of the Regulation.

There are other, often more obvious, examples, such as outsourced IT, payment processors and payroll services providers, ‎that would meet the definition of TPSP for the Covered Entity. 

Specific requirements of Section 11. Each Covered Entity must implement written policies and procedures designed to en-‎sure the security of Information Systems and Nonpublic Information that are accessible to or held by TPSPs. These policies ‎and procedures are to be based on the Risk Assessment of the Covered Entity, and must address the following, to the extent ‎applicable:‎

• the identification and risk assessment of TPSPs;‎
• minimum cybersecurity practices required to be met by TPSPs in order for them to do business with the Covered Entity;‎
• due diligence processes used to evaluate the adequacy of cybersecurity practices of TPSPs; and
• periodic assessment of TPSPs based on the risk they present and the continued adequacy of their cybersecurity practices.‎

The Covered Entity’s policies and procedures are required to include relevant guidelines for due diligence and/or contractual ‎protections relating to TPSPs. To the extent applicable, the guidelines should address requirements for access controls, en-‎cryption, notice to be provided to the Covered Entity in the event that the TPSP experiences a Cybersecurity Event, and con-‎tractual representations and warranties to be made by the TPSP that related to cybersecurity.‎

How to satisfy the Section 11 requirements?‎

For many Covered Entities, the requirements for TPSPs are onerous and require thoughtful planning and careful execution. ‎

• Determine what third parties are in scope. What services do they provide? In connection with the services, do they have ac-‎cess to Nonpublic Information and/or Information Systems?‎
• Assess the risk. The risk assessment of TPSPs drives the requirements for policies and procedures, due diligence and con-‎tractual requirements. For Covered Entities with many relationships with TPSPs, project management may dictate that ‎ranking certain types of relationships would be appropriate, given the assessment of incumbent risk. 
• Develop the policy. The Covered Entity must develop a TPSP cybersecurity policy “designed to ensure the security of Infor-‎mation Systems and Nonpublic Information that are accessible to, or held by, [TPSPs],” based on the risk assessment. The ‎specific requirements and guidelines described above must be incorporated to the extent applicable. Required levels of ‎due diligence and contractual terms should be incorporated into and attached to the policy. The policy should contem-‎plate that exceptions may need to be made, and certain risks may need to be accepted. The policy should provide for ‎these situations, with appropriate provisions for approval of exceptions, risk acceptance and mitigation, and reassessment.‎
• Implement the policy. Due diligence must be conducted and contractual terms implemented. Due diligence must be com-‎pleted, usually involving some form of questionnaire, which must be drafted, disseminated and evaluated, often requiring ‎follow-up with particular TPSPs. Contracts must be reviewed and considered, and amended where appropriate, often with ‎the use of a cybersecurity addendum to existing contracts. TPSPs can be expected to push back or negotiate these con-‎tractual terms, often resulting in further discussion, review and negotiation. ‎
• Make the deadline! With a transition date of March 1, 2019, there is much to accomplish to satisfy this requirement in a timely ‎fashion in order to permit the Covered Entity to certify its compliance by the subsequent certification deadline of Febru-‎ary 15, 2020. Working toward the March 1 deadline is not good enough. The exceptions and risk acceptance provisions of ‎the policy described above are critical to allow for follow-up items within the policy, without a failure to meet the deadline. ‎For example, if the required contractual provisions with a particular TPSP cannot be completed prior to March 1, consider ‎whether the policy permits an exception to be made, and risk to be mitigated and accepted.‎

It’s the final transition date; why is this not the last requirement?‎

Covered Entities must vet and onboard any new TPSPs in accordance with the TPSP cybersecurity policy. Periodic risk as-‎sessments must be performed, even for current TPSPs, to address changes in the threat environment and other develop-‎ments. As is true for most of the Regulation, the Section 11 requirements for TPSPs are ongoing for every Covered Entity. ‎Covered Entities have a great deal to accomplish to satisfy these requirements by March 1, 2019, and to meet their continuing ‎obligations under the Regulation. ‎