
    DFS Industry October 21, 2025 Letter on Cybersecurity

    Posted By Robert Treuber, Thursday, October 23, 2025

    To:     The executives and information security personnel at all entities regulated by the New York State Department of Financial Services (“DFS” or the “Department”)

    Re:   Guidance on Managing Risks Related to Third-Party Service Providers

    Date: October 21, 2025

    Covered Entities[1] have become more reliant on Third-Party Service Providers[2] (“TPSP” or “TPSPs”) for services that involve access to Information Systems[3] or Nonpublic Information[4] (“NPI”).  Although there are many potential benefits to engaging TPSPs, Covered Entities must understand and address the risks posed by such reliance. For example, reliance on TPSPs introduces the risk of Cybersecurity Incidents[5] at the TPSP, which can have a significant impact on Covered Entities’ operations and NPI.  Appropriately managing these risks remains a crucial element of a Covered Entity’s cybersecurity program.

    Covered Entities’ exposure to threats will continue to grow as their reliance on technologies managed by TPSPs—such as cloud computing, file transfer systems, artificial intelligence (“AI”), and fintech solutions—increases.  The growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance.  Senior Governing Bodies[6] and Senior Officers[7] must engage actively in cybersecurity risk management, including the oversight of TPSP-related risks.[8]  Unless a Covered Entity qualifies for an applicable exemption, Senior Governing Bodies must have a sufficient understanding of cybersecurity-related matters to exercise appropriate oversight, which includes the ability to provide a credible challenge to management’s cybersecurity-related decisions to ensure that those decisions align with the entity’s overall risk posture and resiliency objectives.[9]  The Cybersecurity Regulation (“Part 500”) also requires a Senior Officer or the Senior Governing Body to review and approve the Covered Entity’s cybersecurity policies and procedures at least annually.[10]

    The Department reviews Covered Entities’ information security policies and procedures, including those addressing TPSP risk, during examinations and investigations. In these reviews, DFS has identified areas where Covered Entities should strengthen their TPSP programs, including how they monitor, assess, and manage TPSP cybersecurity risk.  Specifically, DFS has identified the need for more robust due diligence, contractual provisions, monitoring and oversight, and TPSP risk management policies and procedures.  Moreover, DFS has observed a trend in which some Covered Entities outsource critical cybersecurity compliance obligations to TPSPs without ensuring appropriate oversight and verification by Senior Governing Bodies or Senior Officers.  As noted in previous guidance, Covered Entities may not delegate responsibility for compliance with the Cybersecurity Regulation to an affiliate or a TPSP.[11]  DFS has and will continue to consider the absence of appropriate TPSP risk management practices by Covered Entities in its examinations, investigations, and enforcement actions.[12]

    The Department is issuing this guidance on managing risks related to Third-Party Service Providers (“Guidance”) to assist Covered Entities of all sizes[13] in addressing risks associated with the use of TPSPs.  The Guidance does not impose new requirements or obligations on Covered Entities; rather, it is intended to clarify regulatory requirements, recommend industry best practices to mitigate common risks associated with TPSPs, and promote compliance with relevant sections of Part 500, including Section 500.11.[14]  In addition to clarifying regulatory requirements, the Guidance describes steps Covered Entities should consider taking to assess and address cybersecurity risks throughout the lifecycle of a TPSP relationship, beginning with the due diligence and selection processes, continuing through contracting, ongoing oversight and management of the relationship, and ending with the termination of the TPSP relationship.

    Identification, Due Diligence, and Selection

    When selecting a TPSP, Covered Entities must assess the cybersecurity risks the TPSP poses to the Covered Entity’s Information Systems and NPI.  Policies and procedures should outline how these risks are evaluated, including minimum cybersecurity standards required for engagement, and procedures for assessing the TPSP’s cybersecurity practices and controls based on the unique risks presented by the TPSP.[15]

    Covered Entities should classify TPSPs based on the latter’s risk profile, considering factors such as system access, data sensitivity, location, and how critical the service provided to the Covered Entity is to its operations. For example, a TPSP with privileged access[16] to a Covered Entity’s Information Systems and significant amounts of NPI presents a greater risk than a TPSP that provides services operating outside of the Covered Entity’s Information Systems.  Providers of critical services that often have a high degree of system-level access and the ability to access sensitive NPI include companies that provide IT managed services, outsourced help desk services, and insurance claims management services.

    Additionally, Covered Entities should develop a tailored, risk-based plan to mitigate risks posed by each TPSP.  The following is a non-exhaustive list of considerations that Covered Entities should assess when performing due diligence on TPSPs:

    • The type and extent of access to Information Systems and NPI.
    • The TPSP’s reputation within the industry, including its cybersecurity history and financial stability.
    • Whether the TPSP has developed and implemented a strong cybersecurity program that addresses, at a minimum, the cybersecurity practices and controls required by the Covered Entity and Part 500.
    • The access controls implemented by the TPSP for its own systems and data, as well as to access the Covered Entity’s Information Systems, and the proposed handling and storage of Covered Entity data, including whether appropriate controls, such as data segmentation and encryption, are applied based on the sensitivity of the data.[17]
    • The criticality of the service(s) provided and the availability of alternative TPSPs.
    • Whether the TPSP uses unique, traceable accounts for personnel accessing the Covered Entity’s systems and data and whether it maintains audit trails meeting the requirements of Section 500.6.
    • Whether the TPSP, its affiliates, or vendors are located in, or operate from, a country, territory, or jurisdiction that is considered high-risk based on geopolitical, legal, socio-economic, operational, or other regulatory risks.
    • Whether the TPSP maintains and regularly tests its incident response and business continuity plans.[18]
    • The TPSP’s practices for selecting, monitoring, and contracting with downstream service providers (“fourth parties”).
    • Whether the TPSP undergoes external audits or independent assessments (e.g., ISO/IEC 27000 series, HITRUST) or can otherwise demonstrate, in writing, compliance with Part 500 or industry frameworks such as the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework.[19]

    Covered Entities should also consider how best to obtain, review, and validate information provided by prospective TPSPs.  For example, a standardized questionnaire may assist in gathering responses, but qualified personnel will need to interpret the responses to make risk-informed decisions, ask follow-up questions as necessary, and determine appropriate mitigation strategies.

    In some instances, Covered Entities may face constraints when selecting, contracting with, or transitioning away from a TPSP due to limited vendor options, industry concentration, or legacy system dependencies.  In such cases, organizations should make risk-informed decisions, document the relevant risks, take steps to implement compensating controls (e.g., monitoring, segmentation, contract triggers), and conduct regular assessments of the TPSP to evaluate whether viable alternative TPSPs have emerged over time.

    Contracting

    The Cybersecurity Regulation requires Covered Entities that utilize TPSPs to develop and implement written policies and procedures that address due diligence and contractual protections.[20]  These policies must be risk-based and tailored to the services and sensitivity of the data and Information Systems that will be accessed by the TPSP.  Below are a few examples of baseline contract provisions Covered Entities should consider incorporating into their agreements[21] with TPSPs:

    • Access Controls – Requirements for TPSPs to develop and implement policies and procedures addressing access controls, including multi-factor authentication, that comply with requirements in Sections 500.7 and 500.12.[22]
    • Data Encryption – Obligations to develop and implement policies and procedures addressing encryption in transit and at rest as required by Section 500.15.[23]  Although Covered Entities qualifying for exemptions under Section 500.19 are not required to comply with this obligation, given the sensitivity of NPI, such Covered Entities should consider requiring TPSPs to encrypt sensitive data, including NPI, in transit and at rest.
    • Cybersecurity Event Notification – Provisions related to the immediate or timely notice to the Covered Entity upon the occurrence of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or NPI being held by the TPSP.[24]
    • Compliance Representations – Obligations for the TPSP to provide representations and warranties regarding compliance with applicable laws and regulations, including applicable requirements of Part 500.[25]
    • Data Location and Transfer Restrictions – Requirements for the TPSP to disclose where data may be stored, processed, or accessed; obtain prior written approval for cross-border transfers (or full prohibitions of this practice); and comply with applicable data residency or localization laws.  Although this contractual provision is not explicitly required by the Cybersecurity Regulation, the Department recommends incorporating this provision in contracts because Covered Entities can more effectively analyze the risk to sensitive data, including NPI, when they understand where data is stored and processed.
    • Subcontractors – Requirements for the TPSP to disclose the use of subcontractors that may have access to or use the Covered Entity’s Information Systems or NPI, as well as the ability of the Covered Entity to reject the use of certain subcontractors for work on its Information Systems or NPI after conducting appropriate due diligence.  Although this practice is not required by the Cybersecurity Regulation, the Department recommends adoption of this practice so Covered Entities are better able to analyze the risk to sensitive data, including NPI.
    • Data Use and Exit Obligations – Restrictions related to the use and sharing of data, obligations to delete[26] or migrate data held by the TPSP upon termination of the relationship, and obligations to obtain appropriate certifications confirming the completion of these steps.

    Where relevant, Covered Entities should consider including a clause related to the acceptable use of Artificial Intelligence (“AI”), and whether the Covered Entity’s data may be used to train AI models or be otherwise disclosed to additional parties.  In addition, the TPSP agreement should include remedies in the event the Covered Entity reasonably determines that the TPSP has breached any material terms of the agreement related to cybersecurity.  These remedies may include requiring timely remediation or permitting early termination of the service agreement.

    This is not an exhaustive list of contractual provisions that Covered Entities should consider, nor is this list of terms viable or appropriate in all situations.[27]  Covered Entities should carefully evaluate terms based on the nature of the engagement, market conditions, and the sensitivity of data, among other factors.

    Ongoing Monitoring and Oversight

    As described above, each Covered Entity’s TPSP policy or policies must address, to the extent applicable, the periodic assessment of TPSPs based upon the risk each presents.[28]  The TPSP risk management procedures should include layered, risk-informed oversight processes and controls designed to confirm that TPSP cybersecurity programs are aligned with the Covered Entity’s cybersecurity expectations.[29]  Accordingly, Covered Entities should develop and implement policies and procedures for the ongoing monitoring and oversight of TPSPs.  The policies should be informed by a variety of factors, including the evolving threat and regulatory landscape, changes to products and services, and whether the TPSP has experienced a Cybersecurity Event.  While many of the initial due diligence considerations remain relevant throughout the relationship, once active, Covered Entities must conduct periodic assessments based on the risk(s) a TPSP presents and the continued adequacy of their cybersecurity practices.[30]  These assessments may consider, among other things, security attestations (e.g., SOC2, ISO 27001), penetration testing summaries, policy updates, evidence of security awareness training, and compliance audits.

    Moreover, where relevant, Covered Entities should request updates on vulnerability management, assess patching practices, and confirm remediation of previously identified deficiencies.  Material or unresolved risk should be documented in the Covered Entity’s risk assessment and escalated through appropriate internal risk governance channels.  As part of a broader resiliency strategy, Covered Entities should incorporate third-party risk into their incident response and business continuity planning.[31]  For example, Covered Entities should assess how they would rapidly transition to alternate systems or providers in the event of a disruption and consider testing relevant portions of their business continuity and incident response plans with their TPSPs.

    Termination

    When preparing for the end of a TPSP relationship, Covered Entities must disable the TPSP’s access to the Covered Entity’s Information Systems.[32]  This includes revoking system access for TPSP personnel and subcontractors and deactivating service accounts.  For TPSPs providing cloud-based services, organizations should revoke identity federation tools (e.g., SSO, OAuth tokens), API integrations, and external storage access.  Covered Entities generally should require certification of destruction of NPI, secure return of data to the Covered Entity, or migration of data to another TPSP or internal environment.  As part of this process, Covered Entities should confirm that any remaining snapshots, backups, or cached datasets are deleted from TPSP systems and TPSP access to any shared resources is revoked.

    Additionally, Covered Entities should give special attention to residual or unmonitored access points that may fall outside routine access provisioning systems.  Access points that become redundant or unnecessary during the course of the TPSP relationship should be addressed or eliminated on an ongoing basis, rather than being left in place until the end of the relationship. Procedures should align with the Covered Entity’s cybersecurity program and comply with Section 500.7.

    To ensure a secure and orderly termination, Covered Entities should develop a transition plan for critical services with clearly defined timelines, roles and responsibilities.  Management should engage key stakeholders, including IT, legal, compliance, procurement, and business units, to identify strategies to mitigate potential risks.  Prior to termination, Covered Entities should review the agreement with the TPSP to identify offboarding obligations and protections.  In addition, Covered Entities should verify and retain any data subject to legal, regulatory, or litigation hold requirements before initiating data return or destruction processes.

    After termination is completed, a final risk review should be conducted to confirm that all obligations have been fulfilled, and that access and data controls have been properly enforced.  The offboarding process should be documented and relevant audit logs retained to support accountability and future verification.  Finally, any lessons learned should be incorporated into future third-party risk assessments and contracting practices to refine and improve TPSP lifecycle management.
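The termination steps above (revoking personnel and subcontractor accounts, service accounts, SSO federation, OAuth tokens, API integrations and storage shares, and confirming leftover snapshots are gone) can be checked against an access inventory. The following Python script is an added example, not part of the DFS letter; the `Grant` schema, the vendor names "ExampleMSP" and "SubCo", and the sample inventory are all constructed, and the `stale_grants` check also covers the ongoing removal of unused access during the relationship.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Grant:
    """One access grant from an identity/cloud inventory (constructed schema)."""
    grant_id: str
    kind: str                  # one of ACCESS_KINDS
    owner_org: str             # organization the grant was issued to
    active: bool               # still enabled in the issuing system
    last_used: Optional[date]  # None means never used


# Access types the letter lists for revocation at termination: personnel and
# service accounts, identity federation (SSO), OAuth tokens, API integrations,
# external storage access, and leftover snapshots or backups.
ACCESS_KINDS = {
    "user", "service_account", "sso_federation", "oauth_token",
    "api_integration", "storage_share", "backup_snapshot",
}


def residual_grants(inventory: Iterable[Grant], vendor_orgs: Iterable[str]) -> List[Grant]:
    """Active grants still tied to the terminated TPSP or its subcontractors."""
    orgs = {o.casefold() for o in vendor_orgs}
    return [g for g in inventory if g.active and g.owner_org.casefold() in orgs]


def stale_grants(inventory: Iterable[Grant], as_of: date, max_idle_days: int = 90) -> List[Grant]:
    """Active grants never used, or idle longer than max_idle_days: the redundant
    access the letter says to remove during the relationship, not only at its end."""
    return [
        g for g in inventory
        if g.active and (g.last_used is None or (as_of - g.last_used).days > max_idle_days)
    ]


def offboarding_report(inventory: List[Grant], vendor_orgs: Iterable[str],
                       as_of: date, max_idle_days: int = 90) -> Dict:
    """Summarise what still needs revoking. 'complete' only covers the systems
    represented in the inventory; access outside it is not detected."""
    by_kind: Dict[str, List[str]] = {}
    for g in residual_grants(inventory, vendor_orgs):
        by_kind.setdefault(g.kind, []).append(g.grant_id)
    unclassified = [g.grant_id for g in inventory if g.kind not in ACCESS_KINDS]
    return {
        "complete": not by_kind and not unclassified,
        "residual_by_kind": by_kind,
        "stale": [g.grant_id for g in stale_grants(inventory, as_of, max_idle_days)],
        "unclassified": unclassified,
    }


def mark_revoked(inventory: Iterable[Grant], grant_ids: Iterable[str]) -> List[Grant]:
    """Record revocations in the inventory copy; the revocation itself happens
    in the IdP, cloud console or API gateway and must be verified there."""
    ids = set(grant_ids)
    return [replace(g, active=False) if g.grant_id in ids else g for g in inventory]


# Constructed sample: "ExampleMSP" is the terminated TPSP, "SubCo" its subcontractor.
VENDOR_ORGS = {"ExampleMSP", "SubCo"}
AS_OF = date(2025, 10, 21)
SAMPLE_INVENTORY = [
    Grant("u-101", "user", "ExampleMSP", True, date(2025, 10, 15)),
    Grant("u-102", "user", "ExampleMSP", False, date(2025, 9, 1)),             # already disabled
    Grant("u-201", "user", "SubCo", True, None),                                # subcontractor, never used
    Grant("sa-1", "service_account", "ExampleMSP", True, date(2025, 10, 20)),
    Grant("sso-1", "sso_federation", "ExampleMSP", False, date(2025, 10, 1)),  # federation revoked
    Grant("tok-1", "oauth_token", "ExampleMSP", True, date(2025, 10, 18)),
    Grant("api-1", "api_integration", "ExampleMSP", True, date(2025, 3, 2)),   # idle for months
    Grant("share-1", "storage_share", "ExampleMSP", True, date(2025, 10, 19)),
    Grant("snap-1", "backup_snapshot", "ExampleMSP", True, None),
    Grant("u-900", "user", "CoveredEntity", True, date(2025, 10, 20)),         # internal staff, unaffected
]

if __name__ == "__main__":
    before = offboarding_report(SAMPLE_INVENTORY, VENDOR_ORGS, AS_OF)
    print("before revocation:", before)
    ids = [g.grant_id for g in residual_grants(SAMPLE_INVENTORY, VENDOR_ORGS)]
    after = offboarding_report(mark_revoked(SAMPLE_INVENTORY, ids), VENDOR_ORGS, AS_OF)
    print("after revocation, complete =", after["complete"])
```

In practice the inventory would be exported from the identity provider, cloud IAM and API gateway, and the final report kept with the offboarding record the letter asks Covered Entities to retain.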

    Conclusion

    Covered Entities must evaluate and mitigate cybersecurity risks relevant to their own business.  To that end, this Guidance highlights risks associated with TPSPs as well as strategies to manage these risks as part of an effective cybersecurity program.  As third-party service offerings expand and evolve, so too will TPSP-related cybersecurity risks.  Managing these risks appropriately requires performing, at regular intervals, careful analysis of the sufficiency of administrative, technical, and physical controls to manage third-party risk, as required by Part 500.


     


    [1] A Covered Entity is defined in § 500.1(e) as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”  N.Y. Comp. Codes R. & Regs. tit. 23, § 500.1(e) (2025). References to Sections hereinafter refer to those in the Cybersecurity Regulation.  Capitalized terms used hereinafter are defined in the Cybersecurity Regulation.

    [2] Third-Party Service Provider is defined in § 500.1(s) as “a person that: (1) is not an affiliate of the covered entity; (2) is not a governmental entity; (3) provides services to the covered entity; and (4) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.”

    [3] An Information System is defined in § 500.1(i) as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”

    [4] Nonpublic Information is defined in § 500.1(k) as “all electronic information that is not publicly available information and is: (1) business related information of a covered entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the covered entity; (2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number; (ii) drivers’ license number or non-driver identification card number; (iii) account number, credit or debit card number; (iv) any security code, access code or password that would permit access to an individual’s financial account; or (v) biometric records; (3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to: (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family; (ii) the provision of health care to any individual; or (iii) payment for the provision of health care to any individual.”

    [5] A Cybersecurity Incident is defined in § 500.1(g) as “a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that: (1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body; (2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or (3) results in the deployment of ransomware within a material part of the covered entity’s information systems.”  A Cybersecurity Event is defined in § 500.1(f) as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.”

    [6] A Senior Governing Body is defined in § 500.1(q) as “the board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer or officers of a covered entity responsible for the covered entity’s cybersecurity program. For any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.”

    [7] A Senior Officer(s) is defined in § 500.1(r) as “the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a covered entity, including a branch or agency of a foreign banking organization subject to this Part.”

    [8] Tit. 23, § 500.4(d).  While Covered Entities that qualify for exemptions under § 500.19 do not need to comply with the requirements of § 500.4, Covered Entities must still maintain a written cybersecurity policy or policies that are approved at least annually by a Senior Officer(s) or the Senior Governing Body who oversee its implementation. Tit. 23, § 500.3.

    [9]  See, e.g., Federal Financial Institutions Examination Council Information Technology Examination Handbook, Management Booklet, at I.A.1 Board of Directors Oversight, n.3, https://ithandbook.ffiec.gov/it-booklets/management/i-governance/ia-it-governance/ia1-board-of-directors-oversight/ which states that “[a] credible challenge involves being actively engaged, asking thoughtful questions, and exercising independent judgment.”

    [10] Tit. 23, § 500.3.

    [11] See N.Y. State Dep’t of Fin. Servs., Industry Letter on Adoption of an Affiliate’s Cybersecurity Program (Oct. 22, 2021), available at https://www.dfs.ny.gov/industry_guidance/industry_letters/il20211022_affiliates_cybersecurity_program; see also, Bd. of Governors of the Fed. Rsrv. Sys., Fed. Deposit Ins. Corp., Off. of the Comptroller of the Currency, Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37920 (June 9, 2023); see also id. tit. 23, § 500.4(a)(1).

    [12] See, In the Matter of LifeMark Securities Corporation (2021), available at https://www.dfs.ny.gov/system/files/documents/2021/10/ea20210920_co_lifemark.pdf; see also, In the Matter of OneMain Financial Group, LLC (2023), available at https://www.dfs.ny.gov/system/files/documents/2023/05/ea20230524_co_onemain.pdf.

    [13] Note that the Cybersecurity Regulation imposes different requirements on organizations based on their size and resources. See id. § 500.1(d) (describing the qualifying conditions for Class A Companies) and § 500.19(a) (describing the qualifying factors for Covered Entities that are granted limited exemptions based upon the number of Covered Entity personnel, revenue, and assets).

    [14] For larger Covered Entities, including Class A Companies, a risk-based approach and solutions may require different steps based upon the unique circumstances, technologies, and other factors relevant to the entity.

    [15] Tit. 23, § 500.11(a).

    [16] Privileged access refers to the access an Information System user has where the user “is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.”  See, definition of a “privileged user,” National Institute of Standards and Technology, SP 800-53r5, Appendix A: Glossary, Security and Privacy Controls for Information Systems and Organizations (Sep. 2020, updated Dec. 10, 2020), available at https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final.

    [17] Tit. 23, §§ 500.11(b)(1)-(2).

    [18] Tit. 23, § 500.16(d).

    [19] NIST, The NIST Cybersecurity Framework (CSF) 2.0, available at: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf.

    [20] Tit. 23, § 500.11(b).

    [21] The type of agreement, provisions, and exhibits will vary depending on the nature of the services provided and type and breadth of data the TPSP will access.  For example, when using cloud-based service providers such as Software-as-a-Service and Infrastructure-as-a-Service, among others, Covered Entities may want to append a service-level agreement, which typically defines service quality expectations, system availability of the product or service for use (commonly referred to as “up-time”), and response and recovery times.  Alternatively, organizations providing professional services (e.g., developer, consultant, auditor) generally append Statements of Work to address project-specific obligations, such as deliverables, timelines, and scope.  Both documents serve as contractual supplements that clarify roles and expectations under a broader agreement.  DFS understands that these types of service-level agreements are often drafted by the TPSP, and that Covered Entities may not always have sufficient leverage to negotiate many of the terms.

    [22] Tit. 23, § 500.11(b)(1).

    [23] Tit. 23, § 500.11(b)(2).

    [24] Section 500.11 requires a Covered Entity’s policies and procedures to include relevant guidelines covering, among other things, contractual provisions addressing a TPSP’s obligation to provide notice of Cybersecurity Events.  A Covered Entity’s policies and procedures must include guidelines and/or contractual protections that address the notice to be provided in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s NPI being held by the TPSP. See supra note 5 (observing that Cybersecurity Events include more than Cybersecurity Incidents).

    [25] Tit. 23, § 500.11(b)(4).

    [26] See, e.g., tit. 23, § 500.13(b) (requiring each Covered Entity to have policies and procedures for the secure disposal on a periodic basis of certain NPI no longer necessary for business operations or other legitimate business purposes).

    [27] In this circumstance, Covered Entities should still seek to secure reasonable protections, such as breach notification clauses, data use, and assurances regarding access controls and data handling.  Additionally, they should consider limiting the volume and sensitivity of data shared, using tokenization to replace sensitive data elements and applying pseudonymization techniques to obscure individual identities, where appropriate.  Independent third-party assessments or certifications (e.g., SOC 2, ISO 27001) should also be reviewed and required where feasible.  In parallel, organizations should develop medium- to long-term strategies to reduce dependency, such as enabling data portability, modularizing services, or evaluating alternative providers.  Moreover, high-risk TPSP relationships should be appropriately escalated through risk governance frameworks and reflected in the Covered Entity’s risk assessments and board-level reporting.

    [28] See tit. 23, § 500.11(a)(4).

    [29] See, e.g., FINRA, Regulatory Notice 21–29, FINRA Reminds Firms of Their Supervisory Obligations Related to Outsourcing to Third-Party Vendors (Aug. 13, 2021), available at https://www.finra.org/rules-guidance/notices/21-29 (Guidance noting that member firms should consider, among other things, vendor self-assessments, including certified reporting, as well as conducting onsite visits) and NIST SP 800-161r1-upd1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (May 5, 2022, rev. Nov. 1, 2024), available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-upd1.pdf (Publication recommending that organizations audit Information and Communication Technology “supply chain-relevant events within their information system boundaries” using mechanisms such as system logs, intrusion detection system logs, firewall reports, and other evidence trails).

    [30] Tit. 23, § 500.11(a)(4).

    [31] See, e.g., tit. 23, § 500.16.

    [32] Tit. 23, § 500.7(a)(4).


    Superintendent Harris Transforms Consumer Experience and Regulatory Processes with Launch of DFS Connect

    Posted By Robert Treuber, Friday, April 4, 2025

    Superintendent Harris’s Operations and Technology Transformation Hits Major Milestones with DFS Connect Launch and 1000 Hires and Promotions Since January 2022

    March 17, 2025

    The New York State Department of Financial Services (DFS) today launched the DFS Connect platform, marking a significant milestone in the Department’s ongoing operations and technology transformation. Under Superintendent Adrienne Harris’s leadership, over the past three years, DFS has executed a strategic plan to invest in human capital, modernize technological resources, and streamline processes. These efforts ensure that DFS remains a forward-thinking, responsive regulator in an evolving financial landscape.

    “Over the last three years, we have cultivated a culture of innovation, invested in new technological infrastructure, and updated key processes,” said Superintendent Harris. “DFS Connect is a pivotal example of how we are innovating to enhance regulatory oversight while making it easier for New Yorkers and businesses to engage directly with the agency.”

    Over the course of the next three years, the DFS Connect digital portal will centralize the Department’s interactions with regulated entities and consumers. DFS Connect is eliminating outdated, fragmented systems and replacing them with a single, streamlined platform that enhances efficiency, improves oversight, and ensures better service to businesses and consumers.

    With today’s launch, New Yorkers can now submit complaints about prescription drug costs, pharmacy benefit managers (PBMs), and drug manufacturers. Once a complaint is submitted, an individual can track its status in real-time and communicate directly with DFS staff about their issue. By 2027, all consumer complaints and regulatory functions agency-wide, such as licensing, renewals, examinations, financial statements and legal filings, will be handled seamlessly through DFS Connect. 

    Since 2022, DFS has prioritized modernizing its regulatory infrastructure to ensure it is well-equipped to manage emerging risks. This has included a comprehensive technology overhaul, the establishment of the agency’s first Data Governance Office, and the hiring of the Department’s first-ever Chief Technology Officer and Chief Risk Officer. These steps have allowed DFS to enhance its analytical capabilities, implement real-time risk monitoring, and improve decision-making processes.

    DFS has also invested heavily in strengthening its workforce, hiring and promoting more than 1,000 individuals over the past three years, including the first class of financial services examiner trainees since 2018. Additionally, the Department has expanded its regulatory capabilities by establishing the Climate Division and the Pharmacy Benefit Unit and elevating key operational functions by creating an executive leadership role dedicated to internal operations.

    These staffing investments, combined with business process redesign efforts, have eliminated backlogs that had persisted for years. Since implementing a new regulatory tracking system in 2023, DFS has now cleared more than 30,000 backlogged regulatory filings, ensuring more efficient oversight of financial institutions.

    The Department will continue to invest in cutting-edge technology, data-driven oversight, and a highly skilled workforce to maintain its status as a 21st-century regulator. By enhancing its efficiency and responsiveness, DFS is not only adapting to the complexities of the modern financial landscape but also strengthening protections for New Yorkers and the financial system at large.

    For more information or to sign up for DFS Connect, visit the DFS website or the DFS Connect platform.

    Tags:  consumer  DFS  portal  Regulations 


    DFS Alert: Cybersecurity Threat Alert - Citrix Bleed Vulnerability

    Posted By Robert Treuber, Tuesday, November 14, 2023

    The New York State Department of Financial Services (DFS) alerts all regulated entities to take immediate action to investigate and, if applicable, to mitigate the following cybersecurity threat.

    On November 7, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released guidance for addressing a critical vulnerability designated as CVE-2023-4966 which impacts multiple versions of Citrix NetScaler ADC and Gateway products. The vulnerability, also known as Citrix Bleed, could allow a cyber actor to take control of an affected system.

    Threat actors are actively exploiting this vulnerability. According to Citrix’s website, there are reports of session hijacking and targeted attacks. Citrix strongly urges all affected users to immediately install recommended builds and to terminate and clear all active and persistent sessions. Please refer to the Citrix Security Blog for details and the necessary commands.

    An additional vulnerability, tracked as CVE-2023-4967, has been found in customer-managed instances of Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

    Exploitation of these vulnerabilities can result in deployment of ransomware, data theft, and business disruption.

    DFS advises all regulated entities to assess promptly the risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and to take action to mitigate risk. As you assess risk, we recommend reviewing the CISA Alert and the Citrix Security Bulletin and Security Blog.
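    As an added check for the assessment step above (example code written for this post, not code from DFS, CISA or Citrix): a small Python triage script that classifies a NetScaler appliance's `show ns version` output against the minimum fixed builds for CVE-2023-4966 and lists the follow-up steps. The fixed-build thresholds and the session-termination commands are assumptions taken from Citrix's published bulletin and security blog for this CVE; confirm them there before acting on the output. The script cannot know whether an appliance was exposed while it ran a vulnerable build, which is why it recommends clearing sessions after any upgrade, not only on boxes that are still unpatched.

```python
import re

# Added example, not DFS or Citrix code. Triage NetScaler ADC/Gateway version
# strings against the minimum fixed builds for CVE-2023-4966 (Citrix Bleed).
#
# Assumption: the thresholds below are the fixed builds published in Citrix's
# security bulletin for CVE-2023-4966; confirm them against the bulletin
# before relying on this script.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Release trains with no fixed build: end of life, must migrate to a supported train.
END_OF_LIFE = {("12.1", "standard")}

# Session cleanup commands Citrix published alongside the patch. Assumption:
# taken from Citrix's security blog for this CVE; verify the exact commands there.
SESSION_CLEANUP_COMMANDS = [
    "kill icaconnection -all",
    "kill rdp connection -all",
    "kill pcoipConnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
]

# Matches the release train and build in 'show ns version' output, e.g.
# "NetScaler NS13.1: Build 49.15.nc, Date: Oct 2 2023, ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(show_ns_version_output):
    """Return (train, build_major, build_minor), or None if the text is not recognised."""
    m = VERSION_RE.search(show_ns_version_output)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(show_ns_version_output, variant="standard"):
    """Classify an appliance as 'patched', 'vulnerable', 'unsupported' or 'unknown'.

    variant is 'standard', 'fips' or 'ndcpp'. The FIPS/NDcPP trains use a
    different build numbering, so the caller must say which firmware line runs.
    """
    parsed = parse_version(show_ns_version_output)
    if parsed is None:
        return "unknown", "could not parse a NetScaler version string"
    train, build_major, build_minor = parsed
    key = (train, variant)
    if key in END_OF_LIFE:
        return "unsupported", f"{train} {variant} is end of life; no fixed build exists"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown", f"no fixed-build data for {train} {variant}"
    if (build_major, build_minor) >= fixed:
        return "patched", f"build {build_major}.{build_minor} is at or above fixed build {fixed[0]}.{fixed[1]}"
    return "vulnerable", f"build {build_major}.{build_minor} is below fixed build {fixed[0]}.{fixed[1]}"


def remediation_plan(show_ns_version_output, variant="standard"):
    """Patching does not invalidate session tokens already stolen, so every
    appliance that may have been exposed also needs its sessions cleared."""
    status, reason = assess(show_ns_version_output, variant)
    steps = []
    if status == "vulnerable":
        steps.append("upgrade to a fixed build")
    elif status == "unsupported":
        steps.append("migrate off the end-of-life train to a fixed build")
    if status != "unknown":
        steps.append("terminate and clear all active and persistent sessions")
        steps.extend(SESSION_CLEANUP_COMMANDS)
        steps.append("review logs for session hijacking since the appliance was first exposed")
    return status, reason, steps


# Constructed sample inputs (not real appliance output).
SAMPLE_VULNERABLE = "NetScaler NS13.1: Build 48.47.nc, Date: Aug 31 2023, 10:11:22   (64-bit)"
SAMPLE_PATCHED = "NetScaler NS14.1: Build 8.50.nc, Date: Oct 4 2023, 12:00:00   (64-bit)"
SAMPLE_EOL = "NetScaler NS12.1: Build 65.39.nc, Date: Jul 7 2023, 09:00:00   (64-bit)"

if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_PATCHED, SAMPLE_EOL):
        status, reason, steps = remediation_plan(sample)
        print(f"{status:12} {reason}")
        for step in steps:
            print(f"    - {step}")
```

Run it against the captured output of `show ns version` from each appliance; a FIPS or NDcPP build must be passed with the matching `variant` or the script will compare it against the wrong build line and report it as vulnerable.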

    Regulated entities are reminded to report Cybersecurity Incidents that meet the criteria of 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest via the secure DFS Portal. As of December 1, 2023, regulated entities that decide to make cyber extortion payments must report such payments to DFS within 24 hours and, within 30 days, provide a description of the rationale for, and diligence undertaken in connection with, making such payment. For more information, visit DFS’s Cybersecurity Resource Center.

    If others in your organization should receive this cybersecurity information, please forward this email. Additional interested parties may also opt-in to receive "Cybersecurity Updates" from DFS.

    Tags:  cybersecurity  DFS 


    DFS Cybersecurity Amended Regulation 500

    Posted By Robert Treuber, Wednesday, November 8, 2023

    Download the regulation HERE

    Check this Newsblog and the Calendar for announcements on cybersecurity training and compliance education, currently under development.

    Tags:  compliance  cybersecurity  DFS 


    ANNUAL CERTIFICATE OF COMPLIANCE CERTIFICATION DUE APRIL 15TH

    Posted By Robert Treuber, Monday, March 14, 2022
    Updated: Monday, March 14, 2022

     

    Annual Certifications of Compliance

    The Certification of Compliance is a critical governance pillar of the cybersecurity programs of all Covered Entities. Prior to April 15th of each year, all Covered Entities must file a Certification of Compliance confirming their compliance with the Cybersecurity Regulation for the previous calendar year.

     

    An entity or individual should only submit a Certification if they were in compliance with all portions of the regulations that applied to that Covered Entity during the time period the Certification covers. Even if a Covered Entity qualifies for an exemption pursuant to 500.19(a), (c), or (d), it has to submit a Certification of Compliance to demonstrate that it was in compliance with the sections of the regulation that apply pursuant to the particular exemption. (The exemption set forth in 500.19(b) is the only exemption that does not require a Covered Entity to file a Certification of Compliance.)

     

    Certifications of Compliance for the calendar year 2021 are due by April 15, 2022.  Covered Entities that hold more than one license must file a separate Certification of Compliance for each license they hold.

     

    Instructions on how to file a Certification of Compliance can be found by clicking https://www.dfs.ny.gov/system/files/documents/2019/12/cyber_cert_compliance_filing.pdf

     

     

    Covered Entities Do Not Need to File New Notices of Exemption
    Any DFS regulated entity or licensed person who filed a Notice of Exemption previously does not need to refile a Notice of Exemption. However, if your exempt status has changed, then the entity or individual should amend or terminate their filing through the DFS portal.

     

     

    How to File
    The DFS Cybersecurity Portal has been redesigned to assist you with your filings. To ensure that filings are matched to the appropriate Covered Entity or licensed person, we encourage the use of an identifying number when filing. Identifying numbers are New York State License number, NAIC/NY Entity number, NMLS number or Institution number. Please make sure that you have your license number available when you make your filing. A look-up feature is included in the Portal for anyone who does not know which number to use.

     

     

    To get started please visit the DFS Cybersecurity Portal: https://myportal.dfs.ny.gov/web/cybersecurity/ 

    Tags:  compliance  cyber  cybersecurity  DFS  Licensing  Regulations  technology 


    DFS letter: Cybersecurity Awareness During COVID-19 Pandemic

    Posted By Robert Treuber, Tuesday, April 14, 2020
    Updated: Tuesday, April 14, 2020

     

    Released on April 13, 2020

     

    https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200413_covid19_cybersecurity_awareness

     


    Re: Guidance to Department of Financial Services (“DFS”) Regulated Entities Regarding Cybersecurity Awareness During COVID-19 Pandemic

     

    To: All New York State Regulated Entities

     

    As we face an unprecedented threat from the novel coronavirus known as “COVID-19,” every organization’s highest priority must be health and safety.  The extraordinary steps necessary to combat the COVID-19 pandemic have also created new challenges as regulated entities work to continue operating and providing critical services.  Among these new risks is a significant increase in cybercrime, as criminals seek to exploit the situation.[1]

     

    The Department of Financial Services (“DFS”) has identified several areas of heightened cybersecurity risk as a result of this crisis.  As called for by DFS’s cybersecurity regulation, 23 NYCRR Part 500, regulated entities should assess the risks described below and address them appropriately.[2]

     

    We also remind all regulated entities that, under 23 NYCRR Section 500.17(a), covered Cybersecurity Events must be reported to DFS as promptly as possible and within 72 hours at the latest.  Prompt reporting will enable DFS to respond quickly to new threats as DFS works to protect consumers and the financial services industry in these difficult times.

     

    Heightened Risks

    1. Remote Working

      The abrupt shift to mass remote working forced by COVID-19 has created new security challenges, and attackers are exploiting these new vulnerabilities.[3]  These heightened risks to regulated entities’ networks and Nonpublic Information[4] include: 

      • Secure Connections.  Companies should make remote access as secure as possible under the circumstances.  This includes the use of Multi-Factor Authentication and secure VPN connections that will encrypt all data in transit.  See 23 NYCRR §§ 500.12 & 500.15.
      • Company-Issued Devices.  As new devices such as computers and phones are acquired or repurposed for remote working, regulated entities should ensure that they are properly secured.  This includes locking down the devices so applications cannot be added or deleted by the user, and installing appropriate security software, such as Endpoint Detection & Response and Mobile Device Management.
      • Bring Your Own Device (BYOD) Expansion.  Regulated entities that have expanded their BYOD policies to enable mass remote working should be aware of the security risks and consider mitigating steps.  Some personal devices are not properly secured or are already compromised.  If an expanded BYOD policy is necessary, compensating controls should therefore be considered.
      • Remote Working Communications.  Remote working has increased reliance on video and audio-conferencing applications, but these tools are increasingly targeted by cybercriminals.  Regulated entities should configure these tools to limit unauthorized access, and make sure that employees are given guidance on how to use them securely.
      • Data Loss Prevention.  Employees may be using unauthorized personal accounts and applications, such as email accounts, to remain productive while remote working.  Regulated entities should remind employees not to send Nonpublic Information to personal email accounts and devices.  Anticipating and solving productivity problems will reduce the temptation to use such devices.

    2. Increased Phishing and Fraud

      There has been a significant increase in online fraud and phishing attempts related to COVID-19.  For example, the FBI has reported that criminals are using fake emails that pretend to be from the Centers for Disease Control and Prevention (“CDC”), ask for charitable contributions, or offer COVID-19 relief such as government checks.[5]

      Regulated entities should remind their employees to be alert for phishing and fraud emails, and revisit phishing training and testing at the earliest practical opportunity.  Now that face-to-face work is curtailed, authentication protocols may need to be updated – especially for key actions, like security exceptions and wire transfers.

    3. Third-Party Risk

      The challenges created by the COVID-19 pandemic have also affected third-party vendors, and regulated entities should re-evaluate the risks to critical vendors.  See 23 NYCRR § 500.11.  Regulated entities should coordinate with critical vendors to determine how they are adequately addressing the new risks.

     

    Conclusion

    The COVID-19 pandemic has disrupted normal operations in the financial services industry and beyond, and cyber criminals are exploiting the crisis. Despite the extraordinary challenges, regulated entities should remain vigilant.  By following good cybersecurity practices, entities can identify, mitigate, and manage the risks.

     


    [1] See DHS Cybersecurity and Infrastructure Security Agency (“CISA”), COVID-19 Exploited by Malicious Cyber Actors (April 8, 2020).

    [2] Heightened cyber risk should also be addressed in the COVID-19 operational preparedness plans called for by DFS guidance issued on March 10, 2020.  See Guidance to New York State Regulated Institutions and Request for Assurance of Operational Preparedness Relating to the Outbreak of the Novel Coronavirus.

    [3] See FBI, Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments (April 1, 2020); U.S. Secret Service, Secret Service Issues COVID-19 (Coronavirus) Phishing Alert (March 9, 2020).

    [4] 23 NYCRR § 500.01(g).

    [5] See FBI, FBI Sees Rise In Fraud Schemes Related to the Coronavirus (COVID-19) Pandemic (March 20, 2020).

    Tags:  Coronavirus  COVID-19  cybersecurity  DFS  technology 


    Supt. Lacewell letter to Regulated Industries

    Posted By Robert Treuber, Saturday, April 4, 2020
    Updated: Saturday, April 4, 2020

     

    https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200403_paycheck_protection_loan_program

     

    Industry Letter

    April 3, 2020

     

    To:  The Chief Executive Officers or the Equivalents of New York State Regulated Institutions

     

    The New York State Department of Financial Services (Department) is issuing this letter with respect to the Paycheck Protection Loan Program (the Program) created by the recently enacted Coronavirus Aid, Relief and Economic Security Act (CARES Act), through which the U.S. Small Business Administration’s (SBA’s) 7(a) Loan Program [1] will offer a new loan product. The CARES Act provides for forgiveness of up to the full principal amount of qualifying loans guaranteed under the Program.

     

    As you know, the COVID-19 pandemic has placed many small businesses, not-for-profit organizations and their employees in dire need of funding to survive. The Program is intended to provide economic relief to small businesses nationwide, including the many New York businesses that have been significantly adversely impacted by the COVID-19 pandemic.

     

    Yesterday, the SBA issued its interim final rule, announcing the implementation of the CARES Act for the Program. The interim final rule includes formal guidance that outlines the key elements of the SBA’s implementation of the Act, and the SBA requests public comments.

     

    The interim final rule provides that a lending institution does not need to conduct any verification if the borrower submits documentation supporting its request for a loan and attests that it has accurately verified the payments for eligible costs. The SBA Administrator will hold harmless any lender that relies on such borrower documents and attestations.  The loans guaranteed under the Program will be under the same terms, conditions and processes as other 7(a) loans with certain exceptions, such as the guarantee percentage being 100%, and the lack of a requirement for collateral or personal guarantees.

     

    The Program authorizes existing 7(a) lenders to participate in the Program, and allows for the authorization of additional 7(a) lenders if the lender is (1) a federally insured depository institution or a federally insured credit union; (2) any Farm Credit system institution with certain exceptions; and (3) certain specified types of depository and non-depository financing providers that originate, maintain and service business loans or other commercial financial receivables and participation interests, subject to meeting certain additional criteria.

     

    Small business lending is at the core of what many of your institutions do every day. Your knowledge of the local markets and community needs, along with your underwriting skills, are exceptionally important during this time of crisis. Your active participation is critical to the success of this Program and the much needed help our small businesses deserve during this unprecedented interruption to their operations and the lives of many of their employees.

     

    The Department strongly encourages all its institutions that are eligible to participate in the Program to participate and provide this desperately needed help to small businesses so they can weather the current crisis and sustain their employee base, subject to their safety and soundness requirements.  The Department also encourages those that are not currently eligible for participation to obtain eligibility so they can participate in the Program.

     

    The Department appreciates all of your hard work to keep the financial system open and operating in New York State and commends you for your leadership and support of small businesses during the current crisis.

    Sincerely,

     

    Linda A. Lacewell, Superintendent
    New York State Department of Financial Services


    [1] The 7(a) Loan Program is the SBA’s primary program for providing financial assistance to small businesses.

    Tags:  COVID-19  DFS  Lacewell  SBA 


    Guidance to Insurance Producers regarding Electronic Delivery of Notices

    Posted By Robert Treuber, Saturday, April 4, 2020

     

    Guidance to Insurance Producers regarding Electronic Delivery of Notices Pursuant to new 11 NYCRR § 229.5(b) and 3 NYCRR § 405.6(b)(4)

     

    The Department of Financial Services (“Department”) is aware of insurance producers (“Producers”) facing challenges complying with the notice obligations in new 11 NYCRR § 229.5(b) and 3 NYCRR § 405.6(b)(4) described below (“Notice Obligations”).

     

    First, regarding obtaining consumers’ consent to electronic communications, please see the Department’s Current Guidance Regarding Electronic Signatures, Transactions, and Filings with DFS.

     

    Second, the Department is accommodating Producers by reducing their burden to fulfill the Notice Obligations during the current state of emergency. Specifically, for the duration of the current state of emergency, Producers may comply with the Notice Obligations by emailing the notices to the consumers for which the Producers have email addresses, regardless of whether the consumers have consented to receiving this notice via email.

     

    Producers with websites should post the information on their websites as soon as possible. The Department also encourages supplemental dissemination of the content of the Notice Obligations by other means, including social media.

     

    Finally, Producers should maintain records of their communications with consumers, electronic or otherwise, used to satisfy the Notice Obligations for a period of time sufficient to satisfy applicable statutes of limitation and, where an action or claim is pending, for such period of time until the matter is resolved. See Office of General Counsel Opinion 05-03-32 (March 24, 2005). In addition, if a Producer obligated itself by contract with its principal, the insurer or insured, to retain records for a period of time, then such obligation, if legally enforceable, must be satisfied, subject to an alternative acceptable to the principal. These communications used to satisfy the Notice Obligations may be subject to Department review, including but not limited to, on examination.

     

    Below is a summary of the insurance producer requirement in the relevant emergency regulations.

    New 11 NYCRR § 229.5(b) and 3 NYCRR § 405.6(b)(4) require a licensed insurance producer who services an in-force life insurance policy, annuity contract, or fraternal benefit society certificate or who procured a property/casualty insurance policy for the policyholder or contract holder to mail or deliver notice to the policyholder or contract holder of the provisions of 11 NYCRR 229 and 3 NYCRR § 405.6 within ten business days following the promulgation of 11 NYCRR 229 and 3 NYCRR § 405.6.

     

    Tags:  Coronavirus  COVID-19  DFS  disclosure  Regulations 


    Recap and Status of Litigation

    Posted By Jean Partridge, Agent Section Vice-chair, Wednesday, August 1, 2018

     

    The recent decision by Judge Rakower and the ensuing developments have been overwhelming to understand at times.  Much of this complexity was explained at the two Town Hall meetings but of course every member was not able to attend those sessions.

    Therefore, we are providing you with a brief summary of the status of the litigation below.  I will do my best to keep this simple and concise.

    •     We brought our suit in the NY State Supreme Court in New York County.
    •     The case was assigned to Judge Rakower and pleadings were filed by our attorneys.
    •     The Attorney General’s (AG) office representing the DFS replied to our pleadings and we responded.
    •     A hearing was held before Judge Rakower on June 14, 2018.
    •     Judge Rakower rendered a decision on July 5th.
    •     The decision effectively nullified Regulation 208 in its entirety.
    •     The AG filed a notice of appeal on July 6th.
    •     The AG immediately notified our attorneys of their intention to seek an emergency stay of the judge’s decision. An emergency stay, if granted, would postpone the judge’s ruling annulling the regulation and “reimpose” Regulation 208 until the case was heard on appeal in the Appellate Division.
    •     The AG later informed our counsel that they would NOT be seeking an emergency stay.
    •     Both the AG and NYSLTA must file additional pleadings with the Appellate Division prior to the next court appearance.


    The earliest this matter could come before the Appellate judges is October. Given the congestion of the court’s schedule, it could slip to late October or later.  Until then, Regulation 208 is annulled.   All other regulations pertaining to the title industry remain in effect.

     We will continue to keep you advised.

    Tags:  Article 78  DFS  litigation  Reg 208  Regulations 


    Report to The Membership on Litigation

    Posted By Robert Treuber, Sunday, July 8, 2018
    Updated: Sunday, July 8, 2018

     

    To NYSLTA Members –

     

    As you may have seen in the New York Times, The NY Law Journal, Crain’s NY and The Real Deal, on July 5, 2018, Judge Eileen Rakower in New York County Supreme Court ruled in favor of the NYSLTA, Venture Title and Great American Title Agency by declaring NYDFS Regulation 208 annulled in its entirety.

     

    The following day, the DFS filed an appeal with the Appellate Division.

     

    The judge’s ruling and the DFS appeal can be viewed online, here: https://bit.ly/2KO7u8T

     

    There is a natural exuberance at our victory in Supreme Court and a sense of vindication. These emotions are to be enjoyed but tempered with an understanding of the “big picture” and the realization that this matter is not yet settled.

     

    First, act professionally.
    When this is all behind us, there will still be a DFS and we will still be a regulated industry. Heed the advice of Ron Burgundy and “stay classy”. This is not a time for grandstanding and chest-thumping.

     

    Second, be mindful of everything we have learned about DFS in this process.
    We can assume greater scrutiny, an expanded market conduct investigation and efforts to provide evidence for the DFS claims of deceptive practices. Don’t give your adversary the rope she will use to hang you.

     

    The “safe harbor” is to operate one’s business conservatively.  Are your disclosures in order? Are you fully in compliance with Regulation 206? Does your cybersecurity program meet all requirements of the regulation?

     

    Third, silence is golden.
    Resist the lure of a request for comment from a reporter “on a tight deadline”. If you have seen some of the news stories, you can see how innocuous statements can appear disparaging to the entire industry.

     

    As we learn more about the implications of the DFS appeal, more information will be forthcoming to Members. Town Halls are being planned for Westchester and Long Island. Details to follow.

     

    The Underwriters and the Agent Members have funded a significant victory for the title industry. A handful of people have dedicated hundreds of hours to prosecuting this case for the benefit of everyone.

     

    Thank you for your support.

     

    Thank you for being the New York State Land Title Association.

    Tags:  Article 78  DFS  litigation  Reg 208  Regulations 
