Regulations are like Marmite: you either love them or hate them. Last year, when the SEC published its proposed rule on cybersecurity risk management, I was in love! For an analyst who covers risk and compliance, there's nothing quite like an independent federal agency putting out a rule change with teeth, especially on a topic that often lacks clear, harmonized, and industry-agnostic regulatory requirements: third-party risk management (TPRM).
The SEC Rule Could Have Been A TPRM Game Changer
Indisputably, the SEC's proposed rule on cybersecurity risk management, strategy, and governance released last year made it clear that the era of nominal cybersecurity oversight is over. But Item 106(b), which would have required SEC-registered companies to make "disclosure regarding [their] selection and oversight of third-party entities," had the potential to be a TPRM game changer. However, the finalized rule adopted on July 23, 2023, watered down any meaningful TPRM requirements to a yes/no box-check exercise by asking companies to disclose whether they have "processes to oversee and identify material risks from cybersecurity threats associated with [ … ] use of any third-party service provider."
The New NYDFS Cybersecurity Rule Fills The Void Left By The SEC’s Rule
The New York State Department of Financial Services (NYDFS) may not have the same gravitas and name recognition as the SEC, but when it comes to cybersecurity and risk regulations, it punches well above its weight. NYDFS requirements are known to be rigorous and pioneering, and both words describe the amended Cybersecurity Regulation, 23 NYCRR Part 500, released on November 1, 2023. There's a lot that's new in the updated rule compared to its 2017 predecessor, including requirements for incident and ransomware payment disclosure, enhanced governance, and additional controls that surpass those of the SEC's rule.
If you think that the NYDFS has limited reach, consider that it supervises and regulates over 3,000 financial institutions, including banks, insurance companies, health insurers, and managed care organizations that are licensed, registered, or chartered in New York and, by extension, the unregulated third-party service providers of regulated entities, which basically means that it also applies to the third-party ecosystems of companies regulated by the NYDFS.
Four TPRM NYDFS Requirements To Prepare For Now
If you weren't looking for it, you might have missed the third-party service provider security policy in section 500.11(a), which states that each covered entity must implement written policies and procedures to ensure the security of information systems and nonpublic information "accessible to, or held by, third-party service providers." But that's not all! The rule's policies and procedures for third-party service providers are risk-based and require a level of TPRM program maturity and automation that exceeds the status quo of most organizations. Security, risk, and compliance pros responsible for their organizations' TPRM program should begin planning for these four requirements:
Third parties must meet minimum cybersecurity practices to do business with the covered entity, which flips the "contract now, assess cybersecurity later" equation.
Due diligence must evaluate whether their cybersecurity practices are adequate, which means that you can't race through the due diligence process just so you can onboard third parties faster.
Periodic assessment of third parties' continued adequacy all but bans a "one and done" approach that skips reassessment of long-term third parties because you don't want to poke the bear.
Policies and procedures will require contractual protections, which means that you'll need stronger clauses in your contracts today and may need to update legacy master services agreements to ensure that they address MFA, data encryption, breach notification, and representations and warranties about their cybersecurity practices. This creates an even tighter tie between contract lifecycle management (CLM) and TPRM.
For a closer look at the TPRM technology market and the 27 vendors that support third-party risk program requirements, read the new report, The Third-Party Risk Management Platforms Landscape, Q4 2023. For Forrester clients, schedule an inquiry or guidance session with me to discuss the NYDFS third-party risk requirements, the link between TPRM and CLM, or this report.