New York says banks are responsible for vendors’ cyber risk

  • Key insight: New NYDFS guidance reinforces that banks are “ultimately accountable” for cybersecurity risks from third-party vendors and cannot delegate compliance.
  • What’s at stake: Banks face enforcement actions, like those previously taken against OneMain and LifeMark, if their third-party risk management and oversight are found lacking.
  • Forward look: The guidance details specific actions banks must take, including assessing a vendor’s “fourth parties,” contingency plans and geopolitical risks.

Overview bullets generated by AI with editorial review

While the New York Department of Financial Services on Tuesday issued new cybersecurity guidance, the regulator’s position that banks assume third-party risk has not changed.

The NYDFS is not imposing “new requirements or obligations” on banks, per the guidance, but it clearly warns institutions that they “may not delegate responsibility for compliance” with the department’s cybersecurity regulation to third-party vendors.

This focus on banks bearing third-party risks outlasts the recently ended tenure of Adrienne Harris, whose four-year term as the NYDFS superintendent ended on Saturday. Acting superintendent Kaitlin Asrow issued the…
