New NYDFS chief fleshes out third-party risk

Deficient risk-management procedures create new risk threats. That premise, backed by evidence from examinations conducted by the New York Department of Financial Services , prompted the agency to release guidance in late October on cybersecurity-related risks associated with third parties. “Financial services is fundamentally dependent on partnership,” said Kaitlin Asrow , newly appointed acting superintendent of the NYDFS, during a fireside chat at the Philadelphia Federal Reserve Board ’s fintech conference last month. “But we’re seeing increasing outsourcing, specialization and, of course, this nexus with innovation and trying to keep pace.” Beefed-up monitoring needed Broadly, exposure to cybersecurity threats expand as lenders increase reliance on technologies managed by third-party providers — like cloud computing, file transfer systems, artificial intelligence and fintech solutions. In its exams and investigations, NYDFS identified the need for “more robust” due diligence and contractual provisions, plus beefed-up monitoring and oversight of third-party providers, according to the guidance. Further, the agency noted that it had observed a trend in which lenders were outsourcing “critical” cybersecurity compliance obligations to third parties without ensuring “appropriate” oversight and verification by their board or appropriate committees or senior officers. By law, lenders must maintain written cybersecurity policies that are approved at least annually. Identifying risk As such, third-party risk will be one of Asrow’s near-term focuses at NYDFS. “We’re going to continue to think about that across all of our authorities,” she said. And although the guidance was released in Asrow’s first week in her new position, the subject is one she had been exploring for years as executive deputy superintendent of the NYDFS research and innovation division. “From the data side, I’ve spent many turns at different places trying to visualize the world of third parties, trying to model that, trying to see where there are material risks,” she said. In fact, Asrow noted that in her new post atop the NYDFS, she has been “spearheading” the agency’s “own use of data — in analytics, using visuals and thinking about risk.” To that end, she instituted NYDFS’s first data-governance team. “That’s a team that is thinking about what data we have,” she said. “How do we keep it clean? How do we do quality checks so that we can then use it in research and innovation considerations?” New guidance, not requirements Although NYDFS is delving deeper into the third-party service provider sector, Asrow pointed out that the recent guidance did not create a new set of requirements for NYDFS-regulated entities. Rather, it explained how the agency interprets existing regulations and expectations. “We tried to go through a lot of detail,” she said. “We go through the entire lifecycle of a third party, from ideation to identification to vetting to onboarding to contracting, then through implementation and termination. We introduced or suggested safeguards and best practices at each one of those stages specific to cybersecurity.” For instance, when selecting third-party service providers , lenders might use standardized questionnaires to secure baseline information, but “qualified personnel will need to interpret the responses to make risk-informed decisions, ask follow-up questions as necessary and determine appropriate mitigation strategies,” according to the guidance. Meanwhile, the contracting section of the guidance suggests that while certain smaller lenders are exempt from implementing policies that address data encryption in transit and at rest, they might still consider doing so given the sensitivity of information. Similarly, while third-party providers are not explicitly required to disclose where data may be stored, processed or accessed, NYDFS “recommends incorporating this provision in contracts” because lenders can more effectively size up the risk to sensitive data when they understand where that data is warehoused and how it is handled. ‘Layering’ of providers Another obstacle in third-party oversight relates to the “layering” of providers. “Third parties are challenging because as partnerships become nested, our jurisdiction stops at some point, of course,” Asrow said.” But you know, the sprawl of interconnection doesn’t stop.” As such, NYDFS recommends that third-party providers inform lenders about the use of subcontractors that may have access to the lender’s information systems or sensitive data — even though the practice is not required by the state’s Cybersecurity Regulation. Ultimately, the NYDFS guidance is meant to steer lenders in their collaborations with partner firms. “How are we depending on partnerships?” Asrow asked. “How are we using the authorities that we have to keep our entities safe and keep our consumers safe, as these break-points expand?”

New NYDFS chief fleshes out third-party risk

Cybersecurity threats rise with third-party reliance

Harley-Davidson expands CFO’s role, names new leaders

Related Posts

FourLeaf FCU sees 53.8% jump in auto loan origination with AI

Residence document recycling scam spans seven lenders

AI contributes to 25% rise in fraud losses

States double down on financial literacy (Under the Hood)

Stay Informed with Our Newsletters

The Roadmap Podcast

Retrieve your password