
What The SEC Missed, But The NYDFS’s Cybersecurity Rule Got Right, About Third-Party Risk



Regulations are like Marmite — you either love them or hate them. Last year, when the SEC published its proposed rule on cybersecurity risk management, I was in love! For an analyst who covers risk and compliance, there’s nothing quite like an independent federal agency putting out a rule change with teeth, especially on a topic that frequently lacks clear, harmonized, and industry-agnostic regulatory requirements: third-party risk management (TPRM).

The SEC Rule Could Have Been A TPRM Game Changer

Undeniably, the SEC’s proposed rule on cybersecurity risk management, strategy, and governance released last year made it clear that the era of nominal cybersecurity oversight is over. Item 106(b), which would have required SEC-registered companies to make “disclosure regarding [their] selection and oversight of third-party entities,” had the potential to be a TPRM game changer. But the finalized rule adopted on July 23, 2023, watered down any meaningful TPRM requirements to a yes/no box-check exercise by asking companies to disclose whether they have “processes to oversee and identify material risks from cybersecurity threats associated with [ … ] use of any third-party service provider.”

The New NYDFS Cybersecurity Rule Fills The Void Left By The SEC’s Rule

The New York State Department of Financial Services (NYDFS) may not have the same gravitas and name recognition as the SEC, but when it comes to cybersecurity and risk regulations, it punches well above its weight. The NYDFS requirements are known to be rigorous and pioneering — both of which describe the amended Cybersecurity Regulation, 23 NYCRR Part 500, released on November 1, 2023. There’s a lot that’s new in the updated rule compared to its 2017 predecessor, including requirements for incident and ransomware payment disclosure, enhanced governance, and additional controls that surpass those of the SEC’s rule.

If you think that the NYDFS has limited reach, consider that it supervises and regulates over 3,000 financial institutions, including banks, insurance companies, health insurers, and managed care organizations that are licensed, registered, or chartered in New York and, by extension, the unregulated third-party service providers of those regulated entities. In practice, this means the rule also applies to the third-party ecosystems of companies regulated by the NYDFS.

Four TPRM NYDFS Requirements To Prepare For Now

If you weren’t looking for it, you might have missed the third-party service provider security policy in section 500.11(a), which states that each covered entity must implement written policies and procedures to ensure the security of information systems and nonpublic information “accessible to, or held by, third-party service providers.” But that’s not all! The rule’s policies and procedures for third-party service providers are risk-based and require a level of TPRM program maturity and automation that exceeds the status quo of most organizations. Security, risk, and compliance professionals responsible for their organizations’ TPRM program should begin planning for these four requirements:

  1. Third parties must meet minimum cybersecurity practices to do business with the covered entity, which flips the “contract now, assess cybersecurity later” equation.
  2. Due diligence must evaluate whether their cybersecurity practices are adequate, which means you can’t race through the due diligence process just so you can onboard third parties faster.
  3. Periodic assessment of third parties’ continued adequacy all but bans a “one and done” approach that skips reassessment of long-term third parties because you don’t want to poke the bear.
  4. Policies and procedures will require contractual protections, which means that you’ll need stronger clauses in your contracts today and must update legacy master services agreements to ensure that they address MFA, data encryption, breach notification, and reps and warranties of their cybersecurity practices. This creates an even greater tie between contract lifecycle management (CLM) and TPRM.

For a closer look at the TPRM technology market and the 27 vendors that support third-party risk program requirements, read the new report, The Third-Party Risk Management Platforms Landscape, Q4 2023. For Forrester clients, schedule an inquiry or guidance session with me to discuss the NYDFS third-party risk requirements, the link between TPRM and CLM, or this report.
