While third-party risk management has been a required component of an effective enterprise risk management program for many years, the topic is receiving elevated attention at insurance companies and related businesses.
The recently effective New York State Department of Financial Services (NYDFS) cybersecurity standards for NYDFS licensed financial institutions and the current proposed draft of the NAIC Insurance Data Security Model Law require licensees to implement specific policies and procedures designed to protect the security of company information systems and nonpublic information (including personally identifiable information of customers and policyholders) that are accessible to, or held by, outside service providers as part of an overall cybersecurity program.
The regulators recognize that an entity’s cybersecurity program should start with, and be based on, the results of a risk assessment. The risk assessment should take into account factors specific to the entity, such as its size and complexity. However, regardless of specific regulatory mandates, every well-designed third-party risk management program should include the following:
- an analysis of the particular risks associated with the service organization and the services to be provided;
- baseline cybersecurity and other requirements to be eligible for hire;
- due diligence steps to be followed prior to contracting with a third-party;
- standard contractual provisions;
- mechanisms to monitor performance and compliance under the contract; and
- address termination and post-contractual procedures.
Implementing an appropriate third-party risk management program will require enterprise-wide engagement, including the participation of representatives from areas such as business units, procurement, sourcing, IT, risk, compliance, internal audit, legal, privacy, and the individual designated to manage the program.
©2017 Carlton Fields Jorden Burt, P.A. Carlton Fields practices law in California through Carlton Fields Jorden Burt, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.