Understanding and Managing Cybersecurity Risks Posed by Third Parties

Data security laws and regulations increasingly require businesses and organizations to perform sufficient oversight of their third-party vendors’ data security protocols. The interconnectedness of businesses and organizations in today’s marketplace means that it is critical to assess your contracts with third-party vendors and service providers to ensure that your data is adequately protected and that you have appropriate legal recourse in the event of a data security incident.

Some new rules, laws and regulations have stressed the importance of third-party vendor management.

Third-Party Compliance with the New General Data Protection Regulation

The European Union has established new regulations applicable to all organizations that control or process the personal data of European Union residents. Effective May 25, 2018, under the General Data Protection Regulation (“GDPR”), any organization that holds or processes any European Union resident’s personal data (including name, email address, photos and social media posts) must have a legal basis for doing so. The regulations impose new obligations on each organization that accesses such data and provide for substantial penalties for noncompliance, so it is important to review all contracts with third-party vendors to ensure that they provide for GDPR compliance where applicable.

NYSDFS Cybersecurity Regulation Requires Oversight of Third-Party Service Providers

Under the New York State Department of Financial Services (“NYSDFS” or “DFS”) Cybersecurity Regulation (23 NYCRR 500) (“DFS Regulation”), Covered Entities that are regulated by New York banking, insurance and finance laws are required to have a written cybersecurity program that addresses various data security issues, including management of vendors and third-party service providers.

The DFS Regulation requires Covered Entities to implement a written third-party service provider security policy to ensure the security of sensitive information held by or accessible to such a provider. That written policy should address applicable issues such as the minimum cybersecurity practices that a third party must demonstrate in order to do business with the Covered Entity, the due diligence process used to evaluate a third party’s cybersecurity protocols and a method for ongoing periodic assessment of the third party’s cybersecurity practices.

Insurance Data Security Model Law Promotes Oversight of Third-Party Service Providers

The National Association of Insurance Commissioners (“NAIC”) recently adopted the Insurance Data Security Model Law (the “Model Law”), which is intended to apply to insurers, brokers and other state-regulated entities subject to a state’s insurance law. The requirements in the Model Law resemble those in the DFS Regulation.

NAIC’s Model Law indicates that an effective information security program must establish a due diligence process for selection and continuing oversight of third-party service providers. Insurers must require third-party service providers to implement appropriate administrative, technical and physical measures to protect and secure information systems and protected data that are either held by or accessible to the third party. If an insurer learns that a cybersecurity incident has occurred in a system maintained by a third-party service provider, the insurer would be obligated to determine the nature and scope of the incident, identify any protected data that may have been involved and take reasonable measures to restore the security of the system, or, alternatively, the insurer could confirm that the third party has completed those required tasks itself. An insurer has an obligation to notify the state’s Insurance Commissioner even where a cybersecurity incident has taken place in a system maintained by a third-party service provider.

Evaluation of Third-Party Cybersecurity Risks is of Utmost Importance to Business Leaders

Third-party risk management is an area of growing concern for organizations. Many organizations plan to end or change their third-party relationships because of heightened risk levels. In part, organizations are motivated to end or change third-party relationships due to a lack of internal skills required to adequately assess a third party’s risk management strategies, especially with respect to cybersecurity protocols. Deciding what to move to the cloud, if anything, is also being discussed in many boardrooms.

As always, regular review of contracts by legal and risk management professionals, along with periodic risk assessments, is one of the most straightforward and achievable ways to reduce third-party risk.

Now more than ever, it is essential to have trusted advisors and experienced legal counsel review contracts with third-party service providers. Having advisors who are proficient in the technology and data security fields review contracts with third-party vendors can help mitigate the risk to the organization in the event a third-party vendor experiences a data security incident.

Phillips Lytle is uniquely situated to provide legal advice and services in this area because its Data Security & Privacy Practice Team is composed of former technology business owners and computer programmers who have hands-on experience dealing with issues and concerns related to cybersecurity matters – from data breach prevention practices to on-the-ground breach response, and then interfacing with the government and responding to litigation in connection with any data breach.