New York State Department of Financial Services, Update on Cyber Security in the Banking Sector: Third Party Service Providers (Apr. 2015) (full-text).
The New York State Department of Financial Services (NYSDFS) recently conducted a survey of 40 different banking organizations, including many of the largest financial institutions, about the cyber security standards these organizations have in place for their third-party vendors. On April 9, 2015, the NYSDFS released this report, which outlines significant potential cyber security vulnerabilities with financial institutions' third-party vendors. The report highlights some key findings:
- 1 in 3 banks surveyed do not require their third-party vendors to notify them of cyber security breaches.
- Less than half of the banks surveyed require on-site assessments and review of their third-party vendors.
- Approximately 1 in 5 banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements. Additionally, only one-third of the banks require those information security requirements to be extended to subcontractors of the third-party vendors (fourth parties).
- Approximately 1 in 5 banks surveyed do not require the right to audit their third-party vendors.
- Nearly half of the banks do not require a warranty of the integrity of the third-party vendor's data or products (e.g., that the data and products are free of viruses).
- Approximately 2 in 5 banks surveyed require encryption for their data at rest.
- Less than half of the banks surveyed carry insurance for information security failures by third-party vendors.