NYDFS 23 NYCRR 500: How to Meet Third-Party Risk Management Requirements

NYDFS 23 NYCRR 500 is designed to protect the confidentiality, integrity and availability of financial services customer information. Here's how to comply with key requirements regarding third-party risk.
By Scott Lang, VP, Product Marketing
February 27, 2023

In early 2017, the New York State Department of Financial Services (DFS) instituted a regulation to establish cybersecurity requirements for financial services companies. This regulation, known as 23 NYCRR 500, was adopted in response to data breaches and cyber threats that were rising at an alarming rate, exposing sensitive data and costing organizations millions of dollars. The regulation was amended in November 2022 to account for the latest risks to information systems and data, with the updates set to go into effect in 2023.

This post examines which organizations must comply with the law, key third-party risk management provisions in 23 NYCRR 500, and best practices for meeting the requirements.

Which Organizations Must Comply with 23 NYCRR 500?

According to the regulation, “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law regardless of whether the covered entity is also regulated by other government agencies” is considered a “covered entity” and must comply – even organizations that are not headquartered in New York.

However, there are a few exemptions to the law. The November 2022 amendment updated the exemption criteria to exclude covered entities with:

  • fewer than 20 employees (including independent contractors) or
  • less than $15 million in year-end total assets.

Furthermore, the November 2022 amendments to the regulation designate “Class A” companies in order to place stricter requirements on larger financial services organizations. Class A companies are those with at least $20 million in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in the state of New York and:

  • over 2,000 employees averaged over the last two fiscal years, including those of both the covered entity and all of its affiliates no matter where located; or
  • over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.

Class A companies must meet additional requirements beyond what all covered entities must meet, including:

  • Conducting independent audits (using external auditors) of the cybersecurity program at least annually, and using external experts to conduct a risk assessment at least every three years
  • Implementing privileged access management and an automated method of blocking commonly used passwords
  • Implementing endpoint detection and response to monitor anomalous activity (including lateral movement), and a solution centralizing logging and security event alerting

With recent NYCRR 500 penalties totaling up to $4.5 million, it is essential that organizations understand how the regulation impacts them.

What Are the 23 NYCRR 500 Requirements?

Designed to protect the confidentiality, integrity and availability of customer information as well as of information technology systems, this cybersecurity regulation mandates that covered entities take the following steps:

  • Maintain a cybersecurity program that includes risk assessments, independent audits, and supporting documentation (Section 500.2)
  • Implement and maintain information security policies based on risk assessments – including for vendor and third-party service provider management (Section 500.3)
  • Appoint a chief information security officer (CISO) who is responsible for overseeing, reviewing and reporting on the organization’s cybersecurity program (Section 500.4)
  • Include specific cybersecurity technologies and practices (Sections 500.5-500.10; 500.12-500.17)
  • Create a third-party risk management program (Section 500.11)
  • File an annual certification confirming compliance with these regulations (Section 500.17(b))

How to Meet 23 NYCRR 500 Third-Party Risk Management Requirements

A key component of complying with 23 NYCRR 500 is managing your vendors’ IT security controls and data privacy policies. Section 500.11(a) directly addresses third-party service provider security policy. It requires covered entities to have a written policy that addresses third-party information system security based on a risk assessment, and it requires the policy to cover:

  • Identification and risk assessment of each third party
  • Minimum cybersecurity practices
  • Due diligence used to evaluate the adequacy of their cybersecurity practices
  • Periodic assessment of the provider based on risk and continued adequacy of their cybersecurity practices

Section 500.11(b) goes on to describe specific controls on which covered entities should conduct further due diligence, such as access controls, multi-factor authentication (MFA), encryption, and incident response reporting. Additional sections of the regulation with applicability to third-party risk management are 500.16 (business continuity) and 500.17 (third-party incident response).


Section 500.11 of 23 NYCRR

Implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third party service providers.

Implementing a third-party service provider security policy should include the following elements:

  • An accurate and comprehensive list of third-party service providers, including the identification of the specific services provided by each third party
  • Cybersecurity practices to be followed by third parties, based on the policies and security controls of the covered entity’s baseline risk assessment
  • Periodic assessment of vendors based on those requirements, including due diligence processes to be utilized
  • Applicable contract requirements and guidelines

Prevalent’s Third-Party Risk Management Platform enables financial institutions to fulfill these requirements across their entire vendor ecosystem. It provides a complete solution for performing vendor risk assessments – including:

  • Building a centralized vendor inventory
  • Inherent risk scoring to determine ongoing due diligence requirements
  • The ability to build cybersecurity requirements into vendor contracts and evaluate vendors based on security practices
  • Questionnaires based on NY DFS recommended frameworks and standards
  • An environment to include and manage documented evidence in response
  • Workflows for managing reviews and addressing findings
  • Robust reporting to give each level of management the information it needs to properly review each third party's performance and risk

The Prevalent Platform also includes cyber, business, reputational and financial intelligence monitoring to capture ongoing potential threats to a covered entity.

Section 500.16 of 23 NYCRR

Establish written plans that contain proactive measures to investigate and mitigate disruptive events and ensure operational resilience, including but not limited to incident response, business continuity and disaster recovery plans.

Ensuring business resilience should include automating the assessment, continuous monitoring, analysis and remediation of third-party business resilience and continuity practices – while automatically mapping results to NIST, ISO, and other control frameworks. This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements. The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices.

Section 500.17 of 23 NYCRR

Notice of cybersecurity events.

To meet the requirement of notifying the Department of Financial Services within 72 hours from the time you become aware of a cybersecurity event, establish proactive third-party incident response plans that include:

  • Centrally managing vendors
  • Conducting proactive event assessments (and enabling vendors to self-submit events)
  • Scoring identified risks against acceptable thresholds
  • Correlating vendor responses with continuous cyber monitoring
  • Publishing remediation guidance

Managing 23 NYCRR 500 Compliance with Prevalent

Effectively addressing the requirements communicated in 23 NYCRR 500 is an impossible task if you rely solely on spreadsheets to collect, analyze, remediate and report on cybersecurity controls. The Prevalent Third-Party Risk Management Platform enables your financial services institution to fulfill 23 NYCRR 500 requirements across its entire vendor ecosystem. The Platform provides:

  • Automated pre-contract due diligence to ensure that third parties have baseline information security policies in place to reduce your firm’s exposure to risk
  • Detailed inherent risk assessments and vendor categorization to provide direction on which areas to conduct further assessments
  • A large library of risk questionnaire templates, providing flexibility to assess vendors according to the controls that matter most to your firm
  • Comprehensive continuous monitoring of cybersecurity events, adding context to and correlating against assessment results
  • Prescriptive business continuity and incident response programs to ensure third parties have the policies and procedures in place to address emerging cybersecurity risks

To learn more about achieving 23 NYCRR 500 compliance, download our compliance checklist or contact us to schedule a demo.

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.