NYDFS 23 NYCRR 500: How to Meet Third-Party Risk Management Requirements

In early 2017, the New York State Department of Financial Services (DFS) instituted a regulation to establish cybersecurity requirements for financial services companies. This legislation, known as 23 NYCRR 500, was enacted in response to data breaches and cyber threats that were rising at an alarming rate, exposing sensitive data, and costing organizations millions of dollars. The law was amended in November 2022 to account for the latest risks to information systems and data, with the updates set to go into effect in 2023.

This post examines which organizations must comply with the law, key third-party risk management provisions in 23 NYCRR 500, and best practices for meeting the requirements.

Which Organizations Must Comply with 23 NY CRR 500?

According to the regulation, “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law regardless of whether the covered entity is also regulated by other government agencies” is considered a “covered entity” and must comply – even organizations that are not headquartered in New York.

However, there are a few exemptions to the law. The November 2022 amendment updated the exemption criteria to exclude covered entities with:

• fewer than 20 employees (including independent contractors) or
• less than $15 million in year-end total assets.

Furthermore, the November 2022 amendments to the regulation designate “Class A” companies in order to place stricter requirements on larger financial services organizations. Class A companies are those with at least $20 million in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in the state of New York and:

• over 2,000 employees averaged over the last two fiscal years, including those of both the covered entity and all of its affiliates no matter where located; or
• over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates.

Class A companies must meet additional requirements beyond what all covered entities must meet, including:

• Conducting independent audits (using external auditors) of the cybersecurity program at least annually, and using external experts to conduct a risk assessment at least every three years
• Implementing privileged access management and an automated method of blocking commonly used passwords
• Implementing endpoint detection and response to monitor anomalous activity (including lateral movement), and a solution centralizing logging and security event alerting

With recent NYCRR 500 penalties totaling up to $4.5 million, it is essential that organizations understand how the regulation impacts them.

What Are the 23 NY CRR 500 Requirements?

Designed to protect the confidentiality, integrity and availability of customer information as well as of information technology systems, this cybersecurity regulation mandates that covered entities take the following steps:

• Maintain a cybersecurity program that includes risk assessments, independent audits, and supporting documentation (Section 500.2)
• Implement and maintain information security policies based on risk assessments – including for vendor and third-party service provider management (Section 500.3)
• Appoint a chief information security officer (CISO) who must be responsible for, review and report on the organization’s cybersecurity program (Section 500.4)
• Include specific cybersecurity technologies and practices (Sections 500.5-500.10; 500.12-500.17)
• Create a third-party risk management program (Section 500.11)
• File an annual certification confirming compliance with these regulations (Section 500.17b)

How to Meet 23 NYCRR 500 Third-Party Risk Management Requirements

A key component of complying with 23 NYCRR 500 is managing your vendors’ IT security controls and data privacy policies. Section 500.11(a) directly addresses third-party service provider security policy. It requires covered entities to have a written policy that addresses third-party information system security based on a risk assessment, and it requires the policy to cover:

• Identification and risk assessment of each third party
• Minimum cybersecurity practices
• Due diligence used to evaluate the adequacy of their cybersecurity practices
• Periodic assessment of the provider based on risk and continued adequacy of their cybersecurity practices

Section 500.11(b) goes on to describe specific policies and procedures that covered entities should conduct further due diligence on, such as access controls, multi-factor authentication (MFA), encryption, and incident response reporting. Additional sections of the regulation with applicability to third-party risk management are 500.16 (business continuity) and 500.17 (third-party incident response).