New York updates third-party risk guidance, adds AI provisions

The New York Department of Financial Services published updates this week to longstanding industry guidance that urges financial services companies to closely watch their third-party providers.
While the guidance’s updates are numerous, they are, according to the state, mostly intended to provide clarity as the technology landscape shifts. A department press release notes that the guidance “does not impose new requirements or obligations,” but Bob Maley, chief information security officer at the cyber risk firm Black Kite, said there are some clauses, like those about AI, that are worth noting, particularly after this week’s Amazon Web Services outage illustrated the outsized effect a single service provider can have on internet health.
The clarified rules apply to banking, insurance and financial services companies transacting with people in New York. The rules, called Part 500 of the state’s cybersecurity regulations, were created in 2017 to protect the financial services industry from the growing tide of data breaches that were compromising the personal information of the state’s residents. The rules include reporting requirements, the use of two-factor authentication and data-retention requirements.
Maley, who headed PayPal’s global third-party security division in the early days of New York’s third-party service provider rules, said the new AI provisions were likely deemed necessary because of the technology’s ubiquity. He noted that such regulations are deliberately written in a broad way so that they don’t become outdated too quickly or become overly restrictive.
“This is kind of like walking the edge of a sword,” Maley said. “They’ve added language about AI and AI use and they’re recommending clauses to put into contracts around how your vendors are training their models and how AI should be treated at third parties.”
Maley said the AI guidance is “an amazing thing” but also potentially problematic for service providers. He anticipated that some companies, unsure of how to restrict their vendors, will take a “shotgun approach.” He recalled seeing one contract prohibiting a vendor from making a single change to its AI models without customer authorization, potentially hampering agility.
Maley said he also liked the clauses encouraging heads of business to be apprised of the potential risks of third-party providers. Business leaders need to be aware of the technology landscape more so than in years past, he said.
New York’s rules have undergone many revisions. Maley said that some versions of the rules haven’t always made sense, but that that’s what revisions are for.
“Originally in the act they said it’s important that you continuously monitor your third parties or you get an annual penetration test,” he said. “Those two are extremely different concepts.”