What's Happening?
The New York State Department of Financial Services (DFS) has issued a warning to insurance companies, banks, and other financial services institutions about the cyber risks associated with third-party service providers (TPSPs). As these entities increasingly rely on technologies managed by TPSPs, such as cloud computing and fintech solutions, the exposure to cyber threats grows. Acting Superintendent Kaitlin Asrow emphasized the need for regulated entities to maintain internal risk management controls to protect consumers and manage risks effectively. The DFS guidance, issued on October 21, highlights the importance of a proactive, risk-based approach to third-party governance, urging senior governing bodies to engage actively in cybersecurity risk management.
Why It's Important?
This warning underscores the critical need for financial institutions to address cybersecurity risks associated with third-party service providers. As these providers play a significant role in the financial system, their vulnerabilities can pose substantial risks to consumer data and the overall security of financial operations. The DFS's emphasis on internal risk management and oversight reflects the growing complexity of cyber threats and the necessity for institutions to adapt continuously. Failure to manage these risks could lead to significant financial and reputational damage, affecting stakeholders across the financial sector.
What's Next?
Financial institutions are expected to develop tailored, risk-based plans to mitigate risks posed by each TPSP. The DFS will continue to monitor compliance with cybersecurity regulations and may take enforcement actions against entities that fail to implement appropriate risk management practices. Institutions must assess the cybersecurity risks of TPSPs, especially those with privileged access to sensitive information, and ensure that their cybersecurity practices align with regulatory requirements.











