Regulations are like Marmite — you either love them or hate them. Last year, when the SEC published its proposed rule on cybersecurity risk management, I was in love! For an analyst who covers risk and compliance, there’s nothing quite like an independent federal agency putting out a rule change with teeth, especially on a topic that frequently lacks clear, harmonized, and industry-agnostic regulatory requirements: third-party risk management (TPRM).
The SEC Rule Could Have Been A TPRM Game Changer
Indisputably, the SEC’s proposed rule on cybersecurity risk management, strategy, and governance released last year made it clear that the era of nominal cybersecurity oversight is over. Proposed Item 106(b), which would have required SEC-registered companies to make “disclosure concerning [their] selection and oversight of third-party entities,” had the potential to be a TPRM game changer. But the final rule adopted on July 26, 2023, watered down any meaningful TPRM requirement to a yes/no box-check exercise: companies need only disclose whether they have “processes to oversee and identify material risks from cybersecurity threats associated with [ … ] use of any third-party service provider.”
The New NYDFS Cybersecurity Rule Fills The Void Left By The SEC’s Rule
The New York State Department of Financial Services (NYDFS) may not have the same gravitas and name recognition as the SEC, but when it comes to cybersecurity and risk regulations, it punches well above its weight. The NYDFS requirements are known to be rigorous and pioneering — both of which describe the amended Cybersecurity Regulation, 23 NYCRR, Part 500, released on November 1, 2023. There’s a lot that’s new in the updated rule compared to its 2017 predecessor, including requirements for incident and ransomware payment disclosure, enhanced governance, and additional controls that surpass those of the SEC’s rule.
If you think that the NYDFS has limited reach, consider that it supervises and regulates over 3,000 financial institutions, including banks, insurance companies, health insurers, and managed care organizations that are licensed, registered, or chartered in New York. Because Part 500 obligates those covered entities to secure the information that their third-party service providers access or hold, its requirements reach, by extension, the otherwise unregulated third-party ecosystems of every company the NYDFS regulates.
Four TPRM NYDFS Requirements To Prepare For Now
If you weren’t looking for it, you might have missed the third-party service provider security policy in section 500.11(a) stating that each covered entity must implement written policies and procedures to ensure the security of information systems and nonpublic information “accessible to, or held by, third-party service providers.” But that’s not all! The rule’s policies and procedures for third-party service providers are risk-based and require a level of TPRM program maturity and automation that exceeds the status quo of most organizations. Security, risk, and compliance pros responsible for their organizations’ TPRM program should begin planning for these four requirements:
- Third parties must meet minimum cybersecurity practices to do business with the covered entity, which flips the “contract now, assess cybersecurity later” equation.
- Due diligence must evaluate whether their cybersecurity practices are adequate, which means that you can’t race through the due diligence process just so you can onboard third parties quicker.
- Periodic assessment of third parties’ continued adequacy all but bans a “one and done” approach that ignores reassessment of long-term third parties because you don’t want to poke the bear.
- Policies and procedures must provide for contractual protections, which means that you’ll need stronger clauses in your contracts today and will have to update legacy master services agreements so that they address MFA, data encryption, breach notification, and representations and warranties about the third party’s cybersecurity practices. This creates an even bigger tie between contract lifecycle management (CLM) and TPRM.
For a closer look at the TPRM technology market and the 27 vendors that support third-party risk program requirements, read the new report, The Third-Party Risk Management Platforms Landscape, Q4 2023. Forrester clients can schedule an inquiry or guidance session with me to discuss the NYDFS third-party risk requirements, the link between TPRM and CLM, or this report.