
NYDFS Report Foreshadows New Cyber Security Regulations

The New York State Department of Financial Services (NYDFS) has released a report entitled "Update on Cyber Security in the Banking Sector: Third Party Service Providers." The report details the findings of an October 2014 survey of 40 banking organizations regulated by the department and identifies potential cyber security vulnerabilities with banks’ third-party vendors. Banks rely on third-party vendors for a broad range of services, and those vendors often have access to a financial institution’s information technology systems, providing a potential point of entry for hackers to obtain sensitive customer data. Among the report’s findings, the department found that 1 in 3 surveyed banks did not require third-party vendors to notify them of cyber security breaches.

As a result of the report’s findings, NYDFS is now considering new regulations for financial institutions, establishing cyber security standards applicable to their relationships with third-party service providers, including potential measures related to the representations and warranties banks receive about the cyber security protections those providers have in place. These regulations could have a significant compliance impact on third-party service providers, including the title insurance industry.

The NYDFS report is the latest step the department has taken in examining cyber security issues among its regulated entities. It follows the publication of its initial May 2014 report on cyber security in the banking sector, its February 2015 report surveying insurers’ cyber security readiness and plans, and the issuance of a Section 308 letter in March requesting information technology reports from insurers in anticipation of conducting risk assessments.

State and federal actions, such as the NYDFS’s cyber security reports and expected regulations, and the Consumer Financial Services Bureau’s clear statements that supervised banks are expected to oversee and monitor the activities of their third-party service providers to ensure compliance with federal consumer finance laws, highlight the continued trend of an increasingly regulated environment, and corresponding liability risks, for these entities.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP.