The New York State Department of Financial Services (NYDFS) recently issued a report identifying common cybersecurity issues and concerns caused by the failure of some banks to sufficiently manage vulnerabilities posed by third-party vendors. 

In the wake of these findings and the increasing number and sophistication of cyberattacks on both banks and insurers, NYDFS announced it is considering new regulations to strengthen cybersecurity standards for banks, which will likely include new requirements in bank relationships with third-party vendors.  

“A bank’s cybersecurity is often only as good as the cybersecurity of its vendors,” New York Superintendent of Financial Services Benjamin Lawsky said. “Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter.” 

Third-party vendors provide a broad range of services to banking institutions, including check/ payment processing, online banking, and trading and settlement operations. The report summarized findings from NYDFS’s survey of 40 banking organizations’ policies and procedures for managing third-party vendors. It identified multiple deficiencies, including:

  • Nearly a third of surveyed institutions do not require third-party vendors to notify them of an information security or other cybersecurity breach.
  • Fewer than half of the banks conduct on-site assessments of third-party vendors.
  • The vast majority of banks have implemented encryption for data in transit, but only 38 percent of the surveyed institutions (50 percent of large institutions, defined as having assets of more than $1 trillion) use encryption for data “at rest,” that is, in storage.
  • Seventy percent of the surveyed institutions require multi-factor authentication for at least some third-party vendors to access sensitive data or systems.
  • While 79% of the banks require third-party vendors to meet minimum information security requirements, only 36 percent mandate that requirements be extended to their vendors’ subcontractors.
  • Nearly half of the banks do not require the third-party vendor to provide a warranty as to the integrity of the vendor’s data or products (i.e., that the data or products are free of viruses). 
  • While 63 percent of surveyed institutions (78 percent of large institutions) carry insurance for cyberattacks, less than half have insurance that explicitly covers information security failures by a third-party vendor.

The report concludes that banking organizations appear to be working to address the cybersecurity risks posed by third-party service providers, but progress varies depending on the size and type of institution. Banks and other financial institutions should look carefully at their own due diligence processes, policies, and procedures governing relationships with third-party vendors, and at protections for safeguarding sensitive data and protections against loss incurred due to third-party information security failures. 

Members of Ballard Spahr’s Consumer Financial Services and Privacy and Data Security Groups regularly advise financial institutions on compliance with consumer financial services laws related to data security and privacy issues. Our attorneys conduct reviews of information security programs to help clients ensure that they and their third-party service providers are meeting regulatory standards and are prepared to assist clients when data breaches or regulatory infractions are identified.

If you have questions, please contact Phil Yannella, at 215.864.8180 or, or Daniel JT McKenna at 215.864.8321 or

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices

Consumer Financial Services
Privacy and Data Security
White Collar Defense/Internal Investigations


Visit CFPB Monitor, our blog on the Consumer Financial Protection Bureau >

Subscribe to the blog via e-mail >