What the Recent OCC Bulletin Means For Your Risk Management Program

The Office of the Comptroller of the Currency recently produced a supplemental “Frequently Asked Questions” to Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance,” which was originally issued October 30, 2013. This bulletin provides guidance to banks for assessing and, more broadly, managing the risks associated with third-party relationships. The FAQs stress the importance of a sound risk management program and explain how banks can operationalize their assessment of third-party risk.

OCC Bulletin 2013-29 defines a third-party relationship as any business arrangement between the bank and another entity, by contract or otherwise. Neither a written contract nor a monetary exchange is necessary to establish a business arrangement; all that is necessary is an agreement between the bank and the third party. Once a business arrangement has been established, a bank should adopt risk management processes commensurate with the level of risk and complexity of the third-party relationship. This requires a bank to measure the risk of each of its business arrangements and plan accordingly.

The OCC requires an effective third-party risk management program that addresses the following:

Planning – develop a plan to manage the relationship; this is required when critical activities are involved;

Due Diligence – conduct a thorough due diligence review prior to signing a contract;

Contract Negotiation – develop a contract that clearly defines the expectations and responsibilities of the third party; review the enforceability, limitations of liability and provisions addressing disputes about performance;

Termination – develop a contingency plan in the event the third party does not deliver. This analysis should consider the process to transition to another third party, bring the service in-house, or discontinue the service altogether;

Oversight and Accountability – a third-party risk management program should be integrated with the broader enterprise risk management framework;

Independent Reviews – management reviews of the effectiveness of the risk management process allow for overall assessments of whether the process aligns with the bank’s business objectives and strategy.

Practically speaking, bank management is often limited in its ability to conduct the type of due diligence, contract negotiation, and ongoing monitoring that it normally would, despite the critical nature of the service being provided. This could be for any number of reasons: the third party may not allow the bank to negotiate changes to its standard contract; as a matter of policy, it may not share its disaster recovery and business continuity plans; or, most commonly, it may not respond to the bank’s due diligence questionnaire. In these circumstances, bank management still needs to take steps to manage the risks presented. Despite these limits, a bank should perform a “sound analysis” to support the decision that the third party is still the most appropriate provider available, and maintain supporting documentation to demonstrate that analysis. OCC Bulletin 2013-29 (October 2013) outlines the following suggested due diligence attributes a bank should incorporate: strategies and goals; legal and regulatory compliance; financial condition; business experience and reputation; fee structures; personnel qualifications; internal risk management; information security; IT operational management, resilience, and incident reporting; physical security; HR management; reliance on sub-service providers; insurance coverages; and conflicting contractual arrangements with other parties. Additional suggested attributes to be included in contracts are also outlined in Bulletin 2013-29.

The risk management function may sit in different places depending on the bank and how it structures that function; there is no one-size-fits-all approach. Regardless of the structure, the various business lines within the bank can provide valuable input into the third-party risk management process. They may, for example, complete risk assessments as they pertain to their function, review the due diligence questionnaires received from third-party entities, and ultimately provide feedback on the adequacy of the controls over the third-party relationship.

The recent release of the FAQs provides a significant amount of information for an organization on its journey toward managing third-party risk. The complexity of the third party’s relationship with the bank, the type of data handled, and the overall risk presented are just a few of the attributes to be considered when evaluating the level of due diligence and ongoing monitoring to be applied. For additional information and guidance on third-party risk management, you can contact Beckage attorneys and risk professionals.

Our team includes nationally recognized leaders in data breach response and cybersecurity and privacy law, as well as former federal regulators, former in-house counsels of international companies, tech entrepreneurs, business owners and public-company executives. Our lawyers and technology specialists help you grow your business and achieve strategic objectives, adapt to new technologies and regulations, identify and reduce risk, and manage the response to data breaches, cybersecurity incidents, privacy matters and other crises.

*Attorney Advertising: Prior Results Do Not Guarantee a Similar Outcome


Reminder – March 1, 2019 Deadline for Third-Party Vendor Policies

Once again, March 1st nears, and with it comes a cybersecurity compliance milestone for those entities operating under New York’s insurance, finance and banking laws. This date now looms large thanks to the New York State Department of Financial Services (“DFS”) and its Cybersecurity Regulation (“Regulation”), first put into effect on March 1, 2017. Let’s break down what this means.

Who?

“Covered Entities” under the Regulation include those entities that are operating, or are required to operate, under the New York insurance, finance and banking laws.

What?

The next compliance milestone pertains to putting in place policies for Third-Party Service Providers. The policies and procedures need to address the security of vendors who access a Covered Entity’s systems or “Nonpublic Information” as addressed under the Regulation.

The policies shall be based upon a risk assessment and address, to the extent applicable:

1. The identification and risk assessment of Third-Party Service Providers (as defined under the Regulation);

2. Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;

3. Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and

4. Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers, including, to the extent applicable, guidelines addressing:

1. The Third-Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication, as required by section 500.12, to limit access to relevant Information Systems and Nonpublic Information;

2. The Third-Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;

3. Notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third-Party Service Provider; and

4. Representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.

Note that the DFS has advised that it is insufficient for a Covered Entity to rely solely on the Certification of Compliance submitted by its Third-Party Service Providers to the DFS under the Regulation as its only means of evaluating their compliance with this milestone.

What else?

There have been a number of milestones for Covered Entities to address since the Regulation went into effect on March 1, 2017.  

When?

The process of developing and implementing Third-Party Service Provider policies can be cumbersome and time-consuming given the complexity of the relationships your company may have with a variety of Third-Party Service Providers.

Begin as soon as possible, as there are often several components to the analysis, and March 1, 2019 is nearing.

Why?

Because the DFS Regulation says so.

The contents of the Regulation, 23 NYCRR Part 500, can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.

How (to take Next Steps)?

Consult legal counsel to confirm whether your policies comply with the Regulation and other applicable laws.

The attorneys at Beckage PLLC can help you navigate policy drafting, the Third-Party Service Provider risk assessment, and other regulatory compliance matters by offering practical legal advice that will help arm your company with the knowledge to make sound business decisions.

DISCLAIMER: This alert is for general information purposes only.  It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem.  Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.

Next Compliance Milestone Approaches Under the NYS DFS Cybersecurity Regulation

The New York State Department of Financial Services issued a Cybersecurity Regulation (23 NYCRR 500) (“Regulation”) that went into effect on March 1, 2017. The Regulation carried with it several compliance milestones applicable to “Covered Entities” under the Regulation, which include those entities that are operating, or required to operate, under the New York insurance, finance and banking laws.

SUMMARY OF COMPLIANCE MILESTONES TO DATE

The Regulation first required Covered Entities to establish a number of cybersecurity and IT policies and procedures by August 28, 2017. Next, Covered Entities were required to submit a Certification to the Department of Financial Services by February 5, 2018, attesting that they had complied with the first milestone under the Regulation. By March 1, 2018, the Regulation required Covered Entities to put in place additional CISO reporting, annual Penetration Testing and Vulnerability Assessments, and Risk Assessments, and to implement Multi-Factor Authentication where necessary based on the results of the Risk Assessments.

The most recent milestone was on September 3, 2018. Covered Entities were responsible for establishing audit trails to reconstruct material financial transactions, creating policies and procedures around in-house developed applications, and assessing the security of externally developed applications. In addition, Covered Entities were required to establish policies on Data Retention limitations, continue cybersecurity training and monitoring, and develop procedures for the encryption of Nonpublic Information that is transmitted over external networks and at rest, unless infeasible.

NEW MILESTONE – MARCH 1, 2019 DEADLINE

The next compliance milestone pertains to Third-Party Service Providers. This milestone must be met by March 1, 2019 and involves the oftentimes complex process of evaluating the Third-Party Service Providers utilized by your company. This process can be cumbersome and time-consuming given the complexity of the relationships your company may have with a variety of Third-Party Service Providers. Accordingly, it is recommended that you begin this process as soon as possible, as there are often several components to the analysis.

SUGGESTED NEXT STEPS

Moving towards the March deadline, Covered Entities should assess the risk that each Third-Party Service Provider poses to their data and systems and then determine an effective solution to address those risks. It is insufficient to rely solely on the Certification of Compliance submitted by the Third-Party Service Providers to the DFS under the Regulation as the only means of evaluating their compliance with this milestone.

Covered Entities should take steps to determine what, if any, Third-Party Service Providers are being utilized by the company, evaluate them as it relates to security, and review the relevant policies and procedures. Covered Entities should also consider whether it makes sense to require Third-Party Service Providers to carry adequate insurance, including cyber insurance, to cover both the provider and the Covered Entity should a breach occur.

ADDITIONAL INSIGHT INTO THE REGULATION

It is helpful to note that the DFS regularly answers FAQs pertaining to the DFS Cybersecurity Regulation that provide valuable insight. The complete list of FAQs can be found at the following link: https://www.dfs.ny.gov/about/cybersecurity_faqs.htm

The contents of 23 NYCRR Part 500 can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

The attorneys at Beckage PLLC are fully equipped to help you navigate the Third-Party Service Provider Risk Assessment and all other components required under the Regulation by offering practical legal advice that will help arm your company with the knowledge to make sound business decisions.

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought. If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.

The Importance of an Incident Response Plan

As recent news headlines confirm, data breaches continue to be a threat to companies regardless of size. From reputational harm and disruption to your daily business, to significant monetary penalties and litigation, the potential consequences of a data breach are significant. It is more important than ever that companies evaluate their cybersecurity readiness plan, from policies and procedures to privacy concerns under the GDPR, to ensure they are ready if a breach occurs. While there is no one-size-fits-all approach to preventing data breaches, there are many best practices companies can employ to help minimize the risk of being breached. From regularly conducting risk assessments and inventorying the data that you collect to developing and testing your incident response plan, preparation is the name of the game. One component of your data security program, an Incident Response Plan, is an important step you should have in place to help mitigate and contain an incident if one occurs.

What is an Incident Response Plan?

An Incident Response Plan sets forth the company’s procedure for identifying, reporting and responding to an incident should one occur. It ensures that everyone is on the same page if a data breach happens. At a minimum, an Incident Response Plan should include the following key elements:

1) Policy scope and definitions.

2) Identification of Incident Response Team members and an outline of the role of each.

3) Procedures for identifying, reporting and responding to an incident.

4) The legal obligations for reporting and notice to potentially impacted persons.

5) How often the Incident Response Plan will be reviewed and updated.

6) Post-incident analysis procedures.

Developing an Incident Response Plan is not the end of the road, however. Your Incident Response Plan is a living and breathing document, and the best way to know whether it actually works is to test it consistently. Run simulated cyber incidents that force your company to work through the procedures in your plan, fix the gaps that surface, and make improvements. Simulated incidents conducted with counsel are ideal to help identify legal risks along the way and help put the company in a legally defensible position.

It is very important to have your Incident Response Plan reviewed by legal counsel to ensure it satisfies your legal obligations under the various state, federal and international laws that apply. Beckage attorneys are fully equipped to help you navigate this process and help reduce your risk and exposure should a data breach occur.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.