Hospitals and hospital systems have, as required by HIPAA, been demanding and examining policies and procedures of third-party business partners for compliance with security provisions for several years. It has not escaped the notice of regulators that the recent breaches of financial information at Target and Home Depot may have been caused by vulnerabilities in the cyber-security safeguards of vendors and business partners.
On Oct. 21, 2014, the New York State Department of Financial Services (DFS) directed financial institutions to provide information about the cyber-security safeguards of their vendors, including law firms. The business-relations fate of the firms whose responses do not measure up to generally accepted cyber-security standards and regulatory requirements for the security of financial information is not yet known.
The call to action, issued by DFS Superintendent Benjamin M. Lawsky, was addressed to CEOs, CIOs and general counsel of financial institutions. It is available here.
Five inquiries regarding cyber-security protection are addressed to the institutions, but the first question was probably designed to quickly grab the attention of the recipients and their vendors in a significant way. It requests a description of “any due-diligence processes used to evaluate the adequacy of information security practices” at law firms and other service providers.
Due diligence processes – as they pertain to retention of business partners such as law firms, accounting firms and IT consultancies – will, as a result of this inquiry, become more stringent within the next several months. Lawsky also noted that DFS “is considering a requirement that financial institutions obtain representations and warranties from third-party vendors with respect to third parties’ cyber-security standards and policies.”
In light of this enhanced scrutiny, financial institutions should inquire into their vendors’ security safeguards before retention, specifically for
evidence of steps vendors should take now, including reviews and updates of cyber-security policies; workforce training on those protocols; reviews of systems and risk assessments; and malware prevention and monitoring.
Kenneth Rashbaum is a partner at Barton LLP with a practice focused on privacy, cyber-security, healthcare compliance and e-discovery on behalf of domestic and multinational corporations as well as healthcare organizations. Ken advises multinational companies on these areas and counsels corporations on the information governance and its compliance with federal, state, and non-U.S. laws.
How Safe Is Your Online Security?
What to expect from upcoming cyber-security audits of third party vendors
By Kenneth N. Rashbaum