Banks need to tighten their cyber defences around third-party vendors that provide everything from legal services to heating system maintenance, which could provide a way in for hackers, says New York’s financial regulator.

The New York State Department of Financial Services (NYDFS) has released a report indicating that it sees significant potential vulnerabilities with banks’ third-party vendors. The regulator notes that third-party vendors, including everything from law firms to the companies that run their HVAC systems, often have access to financial institutions’ information technology systems, which could represent a potential entry point for hackers.

The report details the results of a survey conducted by the NYDFS of 40 banks about the cyber security standards they have in place with third-party suppliers. Among other things, it found that approximately 30% do not require these vendors to notify them of a cyber security breach; that fewer than half conduct any on-site assessments of their third-party vendors; that approximately 20% do not require outside vendors to represent that they have established minimum information security requirements; and that nearly half do not require a warranty of the integrity of the vendor’s data or products.

The regulator says that, in the coming weeks, it expects to move forward on regulations strengthening cyber security standards for banks’ third-party vendors, including measures related to the assurances that banks receive about the cyber security protections in place at those firms.

“A bank’s cyber security is often only as good as the cyber security of its vendors,” said Benjamin Lawsky, New York’s Superintendent of Financial Services. “Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter.”

The NYDFS is in the process of conducting a similar survey with the insurers it regulates, and says that it also expects to impose higher cyber security standards for vendors providing services to insurance companies.