Covering financial services firms operating in the State of New York, the pending Cybersecurity Regulation has an extensive set of requirements, but did you know it includes your vendors and third-party non-employees?
The Cybersecurity Regulation specifically identifies the risks posed by the use of third parties. When it comes to business process, third party risk, and Identity and Access Management (IAM) for your third-party, non-employee populations, do you think you are going to be compliant? If not, perhaps it is time to look at how your organization is managing its third-party populations, as that will play a pivotal role in meeting compliance and the Regulation’s broader coverage of third parties.
Put into effect in early 2017, the New York Department of Financial Services (NY DFS) Cybersecurity Regulation has been described as the first in the nation for its detailed cybersecurity requirements covering all individuals and non-governmental entities (i.e., corporations, partnerships, associations, etc.): essentially any company or other entity that is not a government agency doing business in the insurance and financial services industry in New York. It mandates a risk-driven and comprehensive cybersecurity approach designed to impose new policies, procedures and technical protections to prevent unauthorized access to protected data. The regulation is aimed at addressing weak cybersecurity practices to avoid declining consumer confidence. The breaches tied to a third party are well known and are in fact some of the largest breaches recorded, including Target, Equifax and Dominos, to name a few.
This regulation goes beyond past mandates by requiring companies to have a well-thought-out cybersecurity strategy and to assign a Chief Information Security Officer (CISO). Expectations include: designing and implementing business process, documentation, management systems, and controls (including access controls, multi-factor authentication, encryption, monitoring, and application security) to explicitly tackle the risks to a broader definition of customer data exposure or attack. You’re thinking right: it means a checkbox approach to compliance will no longer be acceptable. This is the trifecta of business change, repeat after me, PEOPLE, PROCESS, AND TECHNOLOGY.
The new emphasis on risk containment in IAM programs at covered entities is likely to have a huge impact on companies leveraging third parties as part of their supply chain. We expect regulations such as this to force companies to “watch the third party gap,” and to connect the dots between broader GRC/Third Party Risk Programs (TPRP) and IAM for third parties. That includes properly managing the data about people from third parties as well as aligning access governance policies (especially for privileged users and third parties with elevated risk profiles who have access to sensitive data). Here is an article about identity risk management (https://seczetta.com/blog/preventing-breaches-identity-risk-management/) that highlights some of our thoughts on this topic.
The Expected Outcomes
Simply put, the regulation expects organizations to build and maintain a long-term strategy for maintaining an effective cybersecurity program based on an initial risk-based security assessment, including requirements around:
- Document and build appropriate business process
- Ability to identify potential cyber risks
- Protect against unauthorized access
- Detect cybersecurity events
- Respond to cybersecurity events
- Recover from cybersecurity events
- Continuous improvement of cybersecurity strategies
This regulation differs from past compliance. It is a great step towards making organizations responsible for protecting consumer data/information as it takes cybersecurity from nice to have, to a cost of doing business.
It applies to a company’s entire supply chain, including partners and vendors, something MOST organizations fail to address effectively. It expects organizations to understand and mitigate the risks to their business caused by weak third party risk strategies, weak business process, poor identity management and a limited ability to detect or respond to unauthorized access. By now, many organizations have begun to address various identity initiatives focused on their internal users, but they likely have not yet addressed the need to manage identity risk, access risk, and governance of third party identities.
Lastly, the regulation expands the scope of data that needs to be protected beyond the traditional compliance requirements such as PCI. This regulation extends to any “business related information” that would have a material impact if exposed. The expectation is that companies are doing all that is necessary to protect ANY/ALL sensitive data regardless of past regulations.
Given that most organizations have likely not done a great job of getting control of the risks the extended supply chain poses, the mandates being imposed will force business change, as compliance is based on a current assessment of how well the processes and controls in place mitigate risk.
Third party risk and downstream identity security measures are at the top of the list of requirements likely to come out of an assessment. Such measures help an organization reduce the risk of unauthorized access and exposure. While this is true, when it comes to third party risk there are a series of gaps that must be addressed well before an organization begins to think about access risk and access governance. After all, if you don’t know the “who,” how can you possibly grant and govern the “what”? In order to address the “who,” companies need to consider what the business process is for onboarding and managing the lifecycle of third parties from vendor to identity.
Looking at the vendor-to-identity lifecycle reveals key relationships that require monitoring, for example:
- Do we still have a contract with the Vendor/Partner (relationship of Business to Vendor/Partner)?
- Is this non-employee still employed by the Vendor/Partner (relationship of non-employee to Vendor/Partner)?
- Is this non-employee still engaged by the Business (relationship of non-employee to project/Business)?
- Who is the current internal sponsor of the non-employee (relationship of non-employee to internal sponsor)?
Changes to any of these relationships can have a huge impact on risk, especially if the changes go undetected.
Note that we are not yet talking about access, only identity. In the IAM world, accounts and identities are often viewed as the same entity. While they are closely related, each has its own lifecycle and relationships. This confusion contributes to the lack of focus on managing identities, introducing greater risk to the Business.
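To make the four relationships above concrete, here is an added example (not code from the original post or from SecZetta) that models a third-party identity separately from its accounts and flags every account whose identity has a broken relationship. The vendors, people, sponsors and account names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

@dataclass
class Vendor:
    name: str
    contract_end: Optional[date]  # None means no active contract on file (business -> vendor)

@dataclass
class ThirdParty:
    ident: str
    vendor: str                       # relationship: non-employee -> vendor/partner
    employed_by_vendor: bool          # is the person still employed by that vendor?
    engagement_end: Optional[date]    # relationship: non-employee -> project/business
    sponsor: Optional[str]            # relationship: non-employee -> internal sponsor
    accounts: List[str] = field(default_factory=list)  # accounts hang off the identity

def relationship_findings(p: ThirdParty, vendors: Dict[str, Vendor],
                          active_sponsors: Set[str], today: date) -> List[str]:
    """List the broken vendor-to-identity relationships for one third party."""
    findings = []
    v = vendors.get(p.vendor)
    if v is None or v.contract_end is None or v.contract_end < today:
        findings.append("business->vendor: no active contract")
    if not p.employed_by_vendor:
        findings.append("identity->vendor: no longer employed by vendor")
    if p.engagement_end is not None and p.engagement_end < today:
        findings.append("identity->business: engagement ended")
    if p.sponsor is None or p.sponsor not in active_sponsors:
        findings.append("identity->sponsor: no active internal sponsor")
    return findings

def accounts_to_review(people, vendors, active_sponsors, today) -> Dict[str, List[str]]:
    """Map each account of an identity with a broken relationship to the reasons."""
    review = {}
    for p in people:
        reasons = relationship_findings(p, vendors, active_sponsors, today)
        for acct in (p.accounts if reasons else []):  # identity drives the account review
            review[acct] = reasons
    return review

# Constructed sample data: hypothetical vendors, non-employees, sponsors and accounts.
VENDORS = {"Acme Staffing": Vendor("Acme Staffing", date(2018, 12, 31)),
           "Old Corp": Vendor("Old Corp", date(2017, 6, 30))}
PEOPLE = [
    ThirdParty("tp-001", "Acme Staffing", True, date(2018, 12, 31), "alice", ["vpn-tp001"]),
    ThirdParty("tp-002", "Acme Staffing", False, None, "alice", ["vpn-tp002"]),
    ThirdParty("tp-003", "Old Corp", True, date(2017, 6, 30), "carol", ["admin-erp"]),
]
ACTIVE_SPONSORS = {"alice", "bob"}
TODAY = date(2018, 3, 1)
```

Running `accounts_to_review(PEOPLE, VENDORS, ACTIVE_SPONSORS, TODAY)` leaves tp-001 alone and returns the accounts of the other two identities with the reasons each relationship check failed.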
The regulation being put forth is certainly specific and calls out third party risk and IAM, but it still doesn’t address the real problem as it relates to third party risk. The risk begins when you grant access, and if you don’t know who you are granting access to, and cannot manage the lifecycle from vendor to identity, your risk isn’t being reduced; in fact it may be increased and harder to manage. This is not just a technology problem; this is a strategy problem for a long-unaddressed population of people/identities that are gaining access to sensitive data.
Getting Control of Third Party Identity Risk – It’s about the relationships
Simply identifying risky partner organizations is not enough. Rating the risk of these organizations should drive conditional action such as more frequent assessments, tighter controls on the level of access granted to their employees, and more frequent validation of identities. Building a bridge between vendor risk management and identity and access management is the only way to take that conditional action appropriately. A centralized approach to evaluating all the factors, such as relating the third party people to their vendor organization, to their internal sponsor, and to their physical and logical access, is critical.
Organizations that invest the time and effort into a thoughtful third party identity risk program, one based on how the company manages risk from third party vendors through to third party identities, will ensure that they not only comply with the regulation but also improve the business.