What's Happening?
The New York State Department of Financial Services (DFS) has issued a warning to insurance companies, banks, and other financial institutions about the cyber risks associated with third-party service providers (TPSPs). As these institutions increasingly rely on technologies managed by TPSPs, such as cloud computing and fintech solutions, the exposure to cyber threats grows. DFS Acting Superintendent Kaitlin Asrow emphasized that while TPSPs have driven innovation and efficiency, regulated entities remain accountable for consumer protection and risk management. The guidance issued by DFS stresses the need for entities to establish robust internal risk management controls when engaging TPSPs. Senior governing bodies and officers are urged to actively participate in cybersecurity risk management, ensuring that decisions align with the entity's risk posture and resiliency objectives.
Why It's Important?
This guidance is significant as it underscores the growing complexity and scale of cyber risks in the financial sector, particularly those posed by TPSPs. Financial institutions are reminded of their ultimate responsibility for cybersecurity compliance, which cannot be outsourced. The DFS's emphasis on proactive, risk-based governance highlights the need for institutions to adapt continuously to evolving cyber threats. This development is crucial for maintaining the integrity and security of financial systems, protecting nonpublic information, and ensuring consumer trust. Institutions that fail to implement appropriate TPSP risk management practices may face scrutiny during DFS examinations and potential enforcement actions.
What's Next?
Financial institutions are expected to develop tailored, risk-based plans to mitigate risks associated with each TPSP. The DFS guidance, while not imposing new requirements, clarifies existing regulatory obligations and suggests best practices for cybersecurity management. Institutions will need to assess the cybersecurity risks posed by TPSPs, particularly those with privileged access to sensitive information. As the financial sector continues to evolve, institutions must remain vigilant and adaptive in their cybersecurity strategies to safeguard against potential threats.










