New York State Department of Financial Services (DFS) Acting Superintendent Kaitlin Asrow today released new cybersecurity guidance, specifically targeting the heightened risks associated with DFS-regulated entities’ increasing reliance on third-party service providers (TPSPs).
This issuance, timed to coincide with Cybersecurity Awareness Month, is a continuation of the Department’s significant efforts to shield both New Yorkers and the entities it regulates from cyber threats, leveraging its widely recognized and influential cybersecurity regulation. The guidance reinforces the DFS’s proactive stance on digital security in the financial sector.
Acting Superintendent Kaitlin Asrow emphasized that while third-party service providers are instrumental in fostering innovation and driving substantial efficiencies within the financial system, the underlying responsibility for consumer protection and risk management remains squarely with the regulated entities. Her statement makes it clear that accountability cannot be outsourced.
This perspective underscores the need for DFS-regulated firms to maintain rigorous oversight of their external partners to ensure the integrity of the financial system. To safeguard the secure operation of financial services and ensure the protection of nonpublic information, the Acting Superintendent asserts that entities must establish and rigorously maintain appropriate internal risk management controls when engaging with TPSPs. This is a critical component of the guidance, stressing that effective risk management is an ongoing obligation.
It ensures that the convenience and benefits of using third-party services do not come at the cost of diminished security for sensitive data. It is important to note that this new guidance does not introduce any new requirements or legal obligations for DFS-regulated entities. Instead, its primary function is to provide clarity on the existing regulatory requirements already set forth in the DFS’s seminal cybersecurity regulation. This makes the guidance a helpful interpretive tool for compliance officers and risk managers.
Ultimately, the guidance is designed to clarify the regulatory landscape and disseminate best practices that entities should seriously consider implementing to enhance their security posture. By clarifying expectations and sharing effective strategies, the DFS aims to help regulated entities strengthen protections for New Yorkers, ensuring a more resilient and secure financial environment overall.