23 NYCRR 500 requires Covered Entities to implement a Third Party Service Provider Security Policy in Section 11. In reality, there is more to the requirement than simply crafting a policy. There are several other requirements Covered Entities must contend with in relation to Third Party Service Providers:
- Identification and initial risk assessment of third parties
- Requirement of minimum cybersecurity practices third parties must have in place to do business with the Covered Entity
- Periodic diligence of third-party cybersecurity practices based on the risk they pose to the Covered Entity
- Written guidance to third parties communicating required cybersecurity practices and procedures including multi-factor authentication and encryption of Nonpublic Information (NPI)
- Process by which third parties inform the Covered Entity in the event of a cybersecurity event
- Warranties that third parties have adequate policies and procedures in place to protect Covered Entity’s NPI and information systems
I typically prefer to not make definitive statements, but I’m going for it here… Every business, regardless of size, outsources at least some of its operations to a third party.
Several years of my career were dedicated to providing third-party risk management solutions to companies in all different industries and of all different sizes. Without fail, every company I worked with underestimated the number of third parties they engaged with that had access to sensitive data or information systems. Law firms, consultants, payroll processing software providers, cloud storage solutions and even janitorial services could very well have access to regulated data. Point being, I’d urge you to really think about your universe of third parties. Don’t assume that just because you’re a small, independent agency you don’t have any third parties. That could come back to bite you. Section 11 is not just for large companies. It is required, even of small ‘exempt’ companies.
And ensuring your third parties are adequately protecting your NPI isn’t just a requirement – it’s common sense. Third parties are one of the greatest cybersecurity risks in today’s environment. In 2018, Ponemon Institute, a renowned data protection and information technology research group, reported that 59 percent of companies had experienced a breach caused by third parties. If you work with third parties – and again, everyone does – you have third-party risks. You cannot afford to ignore them.
The New York DFS cybersecurity regulation is daunting for independent insurance agencies. There’s no doubt about that. To build the policy and questions for identifying and assessing the risk of every one of your third parties could take weeks or months of work to do on your own. Be sure you pick the right partner to help.