NY DFS Issues Cybersecurity Guidance for Third-Party Service Providers in Insurance

The New York Department of Financial Services (DFS) has released guidance for insurance companies and other covered entities on managing cybersecurity risks associated with third-party service providers (TPSPs), following a series of recent settlements in the health and auto insurance sectors. This directive aims to reinforce critical aspects of DFS's cybersecurity regulation, Part 500, emphasizing the growing cybersecurity threats posed by third parties in areas such as compliance, cloud computing, and fintech services.

DFS underscores that TPSP cyber risks vary widely, necessitating a tailored, risk-based approach in which entities classify providers by factors such as system access, data sensitivity, and operational criticality. The guidance recommends comprehensive due diligence practices, including cybersecurity questionnaires and direct engagement during the procurement process, to evaluate TPSP risks thoroughly.

Contractual agreements with TPSPs should incorporate key cybersecurity clauses, including access controls, data encryption, and event notifications. DFS also highlights the emerging need to address risks related to artificial intelligence (AI) by potentially requiring TPSPs to adhere to recognized AI risk management frameworks such as ISO 42001, NIST AI RMF, or the Cloud Security Alliance STAR for AI.

DFS encourages covered entities to maintain dynamic oversight procedures, factoring in evolving cyber threats, regulatory updates, changes in services, and TPSP security incidents. Entities should leverage self-service monitoring tools provided by TPSPs, such as automated reports and trust portals, for efficient risk management.

Moreover, the guidance addresses the often-overlooked cybersecurity challenges during TPSP offboarding. It advises revoking system access, disabling identity federations, and ensuring smooth data transfer or export to avoid 'data hostage' scenarios. Termination clauses should be clear and should prevent proprietary formats that impede data portability.

Overall, this guidance reinforces DFS's role as a cybersecurity regulatory leader and sets a benchmark for the insurance industry's approach to third-party cyber risk management, aligning compliance efforts with practical risk mitigation strategies. The outlined practices are pertinent to insurers across the U.S. as third-party dependencies continue to deepen in the digital landscape.