It has not escaped the notice of regulators that the breaches of financial information at Target and Home Depot may have been caused by vulnerabilities in the cybersecurity safeguards of vendors and business partners. On October 21, 2014, the New York State Department of Financial Services (“the Department”) directed financial institutions to provide information about the cybersecurity safeguards of their vendors, including law firms. What will become of the financial institution business relationships of firms whose responses do not measure up to generally accepted cybersecurity standards and regulatory requirements for the security of financial information is not yet known.
The letter, issued by Department Superintendent Benjamin M. Lawsky, was addressed to Chief Executives, General Counsel and Chief Information Officers of financial institutions. It is available here. The intention of the Department is unequivocally stated in the first paragraph:
It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors. . . It is important that financial institutions are able to identify, monitor and mitigate any security risks posed by third-party relationships, including but not limited to law firms and accounting firms (emphasis added).
Five inquiries regarding cybersecurity protection are addressed to the institutions, but the first question was probably designed to grab the attention of the recipients and their law firms quickly and in a significant way. It requests a description of “any due diligence processes used to evaluate the adequacy of information security practices” at law firms and other service providers.
Due diligence processes as they pertain to law firms will, as a result of this inquiry, become more stringent within the next several months. Superintendent Lawsky also noted “the Department is considering a requirement that financial institutions obtain representations and warranties from third-party vendors with respect to the third parties’ cybersecurity standards and policies.”
For further information on regulatory cybersecurity requirements for law firms and other business providers for financial services institutions, please contact Kenneth N. Rashbaum.