The final step in the two-year phase-in of the DFS cybersecurity regulations came in March 2019, when Section 500.11 regarding vendors became effective. DFS can’t directly regulate your vendors, but they can do so indirectly by telling banks, insurance companies, and everyone else DFS licenses, charters, permits, or regulates who they can, and can not, do business with.

Part 500.11 provides a compliance road map. You must have written policies and procedures designed to protect against cybersecurity risks posed by your vendors. You must cover both risks to your systems (disabling your network by inserting crypto-locker malware) and risks of the release of confidential information (vendors with customer data who let that data out onto the dark web).

Your vendor policies and procedures should explain (i) how will you identify vendors; (ii) what risk assessment of your vendors will you perform; (iii) what minimum cybersecurity practices must your vendors meet in order to qualify to do business with you; (iv) what due diligence will you conduct to evaluate the adequacy of vendor practices; and (v) what are you periodic re-assessment procedures.

Today’s Takeaway? Make sure that you have WRITTEN policies and procedures covering vendor cybersecurity issues. If you are a "Covered Entity” under Part 500, we recommend that you specifically mention Part 500 – state regulators are often offended when only federal rules are mentioned and on this issue, there is no federal rule. Cross-check your policies and procedures to make sure that they cover the five areas identified above. Next week, I will go through some specific issues that you need to cover.