March is here and with it the Cybersecurity Regulation of the New York Department of Financial Services (NYDFS) is now in full force and effect, including the requirements relating to Third Party Service Providers[1] (e.g., vendors, suppliers, agents). To comply with the regulation, banks, insurance companies, and other financial institutions and individuals who are, or should be, licensed with NYDFS (Covered Entities) were required to address substantial data security compliance requirements over the past two years (detailed in our February 2017 and July 2017 posts). The March 1 deadline marked the end of the last transitional period for the regulation, and perhaps the beginning of a new period defined by its enforcement.

Because of its onerous nature, NYDFS gave Covered Entities a two-year transitional period to address the Third Party Service Provider provision. Now that it is in effect, Covered Entities (including those qualifying for limited exemptions under Section 500.19(a), (c), or (d)) must have written policies and procedures to address the risks associated with Third Party Service Providers’ access to Nonpublic Information or Information Systems.

Among other things, this provision requires Covered Entities to:

  • Identify Third Party Service Providers that access their Nonpublic Information or Information Systems;
  • Periodically assess the risks posed by their access;
  • Establish minimum cybersecurity practices required of Third Party Service Providers, including with respect to encryption and access controls (e.g., multi-factor authentication), together with contractual protections (e.g., representations and warranties as well as notice provisions); and
  • Develop due diligence processes to evaluate the cybersecurity practices of Third Party Service Providers.

Although this provision took effect after this year’s February 15 compliance certification, and so did not have to be covered by that certification, it nonetheless applies now. Covered Entities should therefore already have well-developed written policies and procedures to protect against the cybersecurity risks posed by their Third Party Service Providers. Such policies and procedures will not only guard against data breaches but also help Covered Entities avoid protracted NYDFS examinations and costly enforcement actions. We will continue to monitor the Cybersecurity Regulation’s FAQs and other developments to identify additional guidance on this as yet untested regulation.

[1] All terms not otherwise defined in this post have the meaning provided to them in the Cybersecurity Regulation.