The ever-increasing privacy and security risks via third-party vendors and service providers were apparent in 2023 with news of large organizations such as MOVEit, Okta and AT&T being affected. Research has shown that 98 percent of organizations have at least one third-party vendor that experienced a cyber incident within the past two years. With this growing trend, it is increasingly important for organizations to develop robust third-party risk management programs and to consistently review their third-parties to safeguard against security threats and ensure the security and privacy of their data.

On December 20, the Federal Trade Commission released a notice of proposed rulemaking to update the Children’s Online Privacy Protection Rule, known as the “COPPA Rule.” (We are linking to the official version of the proposed rule that was published in the Federal Register on January 11.) In a press release published on December 20, the FTC announced that the proposed amendments “would place new restrictions on the use and disclosure of children’s personal information and further limit the ability of companies to condition access to services on monetizing children’s data.”

The New York Department of Financial Services recently amended its Cybersecurity Regulation. The revisions aim to strengthen cybersecurity and technology controls to address evolving threats to consumer data and ensure the continued integrity of financial systems. Here are a few key elements of the amendments to Regulation and what we think will be their immediate impact on financial institutions.