In early 2017, the New York State Department of Financial Services (DFS) instituted 23 NYCRR 500 to establish new cybersecurity requirements for financial services companies. The regulation is designed to protect the confidentiality, integrity and availability of customer information and related IT systems.
23 NYCRR 500 was enacted in response to the alarming growth in data breaches and cyber threats against financial institutions. A key component of complying with the law is managing vendor IT security controls and data privacy policies.
Multiple sections of the regulation specifically address third-party providers:
Section 500.11 directly addresses third-party service provider security policy. It requires covered entities to implement written policies and procedures that address third-party information systems security based on a risk assessment.
Section 500.16 requires covered entities to establish plans and measures to ensure operational resilience, including incident response, business continuity and disaster recovery plans.
Section 500.17 requires specific reporting on third-party cybersecurity events.
Maintain a cybersecurity program that includes risk assessments, independent audits, and supporting documentation
Implement and maintain information security policies based on risk assessments – including for vendor and third-party service provider management
Appoint a CISO who must be responsible for, review, and report on the organization’s cybersecurity program
Include specific cybersecurity technologies and practices
Create a third-party risk management program
File an annual certification confirming compliance with these regulations
How Will 23 NYCRR 500 Impact Your TPRM Program?
Download this guide to uncover how to comply with mandates for third-party risk assessment and documentation, including those covered in the November 2022 amendment.
Meeting 23 NYCRR 500 TPRM Requirements
Here's how Prevalent can help you address 23 NYCRR 500 third-party risk management requirements:
23 NYCRR 500 Requirements | How We Help |
---|---|
SECTION 500.11 |
|
(1) the identification and risk assessment of third party service providers; |
Prevalent enables you to assess and monitor third parties based on the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:
From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments. |
(2) minimum cybersecurity practices required to be met by such third party service providers in order for them to do business with the covered entity; |
Prevalent centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs). Our solutions also deliver business, reputational, financial, and data breach risk insights to inform and add context to vendor selection decisions. Prevalent moves each selected vendor into contracting and/or onboarding due diligence phases, automatically progressing the vendor through the third-party lifecycle. |
(3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such third party service providers; and |
Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle. With a library of 750+ standardized assessments, customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting. With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment. Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks. |
(4) periodic assessment of such third party service providers based on the risk they present and the continued adequacy of their cybersecurity practices. |
Assessments can be conducted pre-contract, at the time of contract renewal or at any required frequency (e.g., quarterly or annually). Integrated, native cyber, business, reputational, and financial risk monitoring capabilities flag material changes between periodic assessments and can trigger notifications, follow-up assessments, or other actions. Prevalent delivers built-in remediation recommendations based on risk assessment results. These are backed by workflow and task management capabilities to ensure that third parties address risks in a timely and satisfactory manner. |
SECTION 500.16 |
|
(2) Business continuity and disaster recovery plan (for purposes of this Part, BCDR plan). BCDR plans shall be reasonably designed to ensure the availability and functionality of the covered entity’s services and protect the covered entity’s personnel, assets and nonpublic information in the event of an emergency or other disruption to its normal business activities. Such plans shall, at minimum: (iii) include a plan to communicate with essential persons in the event of an emergency or other disruption to the operations of the covered entity, including employees, counterparties, regulatory authorities, third party service providers, disaster recovery specialists, the senior governing body and any other persons essential to the recovery of documentation and data and the resumption of operations; (vi) identify third parties that are necessary to the continued operations of the covered entity’s business. |
Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to NIST, ISO, and other control frameworks. This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements. The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:
When a termination or exit is required for critical services, Prevalent leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more. The solution also suggests actions based on answers to offboarding assessments and routes tasks to reviewers as necessary. |
SECTION 500.17 |
|
(3) Each covered entity that is affected by a cybersecurity event at a third party service provider shall notify the superintendent electronically in the form set forth on the department’s website as promptly as possible but in no event later than 72 hours from the time the covered entity becomes aware of such cybersecurity event. |
Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:
|
Align Your TPRM Program with 14 Industry Standards
Download this guide to review industry standards with specific TPRM requirements, and discover best practices for simplifying compliance.
NYDFS 23 NYCRR 500 is designed to protect the confidentiality, integrity and availability of financial services...
The third-party service provider security policy requirements set forth in NYDFS Part 500 go a long...
The New York SHIELD Act will go into effect in March 2020 with several implications for...