While third-party risk management has been a required component
of an effective enterprise risk management program for many years,
the topic is receiving elevated attention at insurance companies
and related businesses.
The recently effective New York State Department of Financial
Services (NYDFS) cybersecurity standards for NYDFS licensed
financial institutions and the current proposed draft of the NAIC
Insurance Data Security Model Law require licensees to implement
specific policies and procedures designed to protect the security
of company information systems and nonpublic information (including
personally identifiable information of customers and policyholders)
that are accessible to, or held by, outside service providers as
part of an overall cybersecurity program.
The regulators recognize that an entity's cybersecurity
program should start with, and be based on, the results of a risk
assessment. The risk assessment should take into account factors
specific to the entity, such as its size and complexity. However,
regardless of specific regulatory mandates, every well-designed
third-party risk management program should include the
an analysis of the particular risks
associated with the service organization and the services to be
baseline cybersecurity and other
requirements to be eligible for hire;
due diligence steps to be followed
prior to contracting with a third-party;
standard contractual provisions;
mechanisms to monitor performance and
compliance under the contract; and
address termination and
Implementing an appropriate third-party risk management program
will require enterprise-wide engagement, including the
participation of representatives from areas such as business units,
procurement, sourcing, IT, risk, compliance, internal audit, legal,
privacy, and the individual designated to manage the program.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
With corporate data security breaches on the rise, the NYDFS has adopted rules requiring financial institutions to take certain measures to safeguard their data and inform state regulators about cybersecurity incidents.
The United States District Court for the Southern District of Florida granted preliminary approval of a nearly $31 million FACTA class action settlement against Doctor's Associates, Inc., doing business as...
The New York State Department of Financial Services recently promulgated cyber regulations for financial institutions that are likely to increase the risks to directors & officers, resulting in an increase in claims.
One of the regulatory pillars of the EMIR is the requirement for parties to collateralize the marked-to-market exposure in over-the-counter derivatives transactions that are not cleared by a central clearing system.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).