By David Fagan and Sumon Dantiki

Recently several media outlets reported that the New York State Department of Financial Services (“NYDFS”) sent a letter to many of the nation’s banks regarding the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.”  The letter asked financial institutions to disclose “any policies and procedures governing relationships with third-party services providers” and “any due diligence processes used to evaluate” such providers, including law and accounting firms.

The letter from the NYDFS is emblematic of an increasing level of attention by regulators on third party service providers of financial institutions.  In May, an NYDFS “Report on Cyber Security in the Banking Sector,” for instance, identified “the industry’s reliance on third-party service providers for critical bank functions” as a “continuing challenge” and concluded that a financial “institution’s cyber risk level depends in large part on the processes and controls put in place by third parties.”  Similarly, in a speech in July U.S. Secretary of the Treasury Jacob Lew—even while noting that “some banks are already spending as much as $250 million a year” on cybersecurity measures—urged financial institutions to apply the Administration’s cybersecurity framework to evaluations of outside vendors, remarking that “[f]ar too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more.”

The head of NYDFS is said to be considering new cybersecurity regulations (described by one former senior Justice Department official as akin to “a consent decree for a company that has already been breached, investigated and found to be lacking in security measures”) to meet the supposed gap in regulating third party service providers; the U.S. Treasury Department is also reportedly considering new cybersecurity regulations to govern third-party service providers of financial institutions.

This push for new authority, however, fails to account for several existing legal requirements.  Significantly, financial institutions—defined broadly to include businesses engaged in providing financial products or services—are already subject to Title V of the 1999 Gramm-Leach-Bliley Act (GLBA), which includes a “safeguards rule” for data security, particularly the security of customer information.  Among other means, the safeguards rule is implemented through interagency information security guidelines, which require financial institutions not only to establish administrative, technical, and physical safeguards for customer information under their direct control but also to oversee service providers through:

  • Due diligence in provider selection;
  • Contractually requiring service providers to implement comparable information security procedures; and
  • Monitoring service providers to ensure compliance with information security obligations.

Nor are the safeguards rule requirements unique.  As we previously discussed, the Securities and Exchange Commission announced in April that it would conduct more than 50 cybersecurity examinations of broker-dealers and investment advisers, including of “the risks associated with vendors and other third parties.”  Among other items, SEC examiners focus on an institution’s:

  • Cybersecurity risk assessments of vendors or business partners, including any risk assessments of the segregation of sensitive “network resources accessible to third parties”;
  • Contractual provisions relating to cybersecurity risk with vendors and business partners;
  • Information security trainings for vendors and business partners; and
  • Policies governing any vendors who conduct remote maintenance of networks and devices.

Ultimately, the NYDFS letter is likely the first of many efforts to further regulate the third-party vendors of financial institutions.  Such efforts, moreover, may very well spread beyond the financial sector, since the threat of cyber attacks originating from third-party service providers is not limited to financial institutions.  The attackers behind the massive data breach at Target (a retail company) in late 2013, for instance, gained access to the company’s network using credentials belonging to a third-party heating, ventilation, and air-conditioning (HVAC) vendor.

While the details of any future regulation are currently unclear, regulatory activity to date suggests that the following items may be of particular interest with regard to third party vendors:

  • Selection of third-party service providers;
  • Whether cyber security and data protection requirements are incorporated into an organization’s third-party contracts;
  • Whether such requirements include third-party training on information security and other cybersecurity responsibilities;
  • The level of third-party access to an organization’s network;
  • If a third party has a high level of access (e.g., to conduct remote maintenance), any corresponding heightened security procedures, including approval and logging processes or controls to prevent unauthorized access;
  • An organization’s due diligence of the cybersecurity practices of its third-party service providers; and
  • Any other policies or procedures (or lack thereof) governing the cybersecurity relationship between an organization and its third-party service providers.

David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

David’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues—including through proactive mitigation and carve-outs—is a critical path for the transaction. David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multi-national companies across a range of industries to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China, as well as on emerging legal issues such as outbound investment restrictions and regulations governing information and communications technologies and services (ICTS). David also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In addition, in the foreign investment and national security area, David is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

In his cybersecurity practice, David has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. David has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.