NYDFS 23 NYCRR 500 Compliance

Prevalent enables you to assess and monitor third parties based on the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

Prevalent centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs). Our solutions also deliver business, reputational, financial, and data breach risk insights to inform and add context to vendor selection decisions.

Prevalent moves each selected vendor into contracting and/or onboarding due diligence phases, automatically progressing the vendor through the third-party lifecycle.

Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 750+ standardized assessments, customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

Assessments can be conducted pre-contract, at the time of contract renewal or at any required frequency (e.g., quarterly or annually).

Integrated, native cyber, business, reputational, and financial risk monitoring capabilities flag material changes between periodic assessments and can trigger notifications, follow-up assessments, or other actions.

Prevalent delivers built-in remediation recommendations based on risk assessment results. These are backed by workflow and task management capabilities to ensure that third parties address risks in a timely and satisfactory manner.

Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to NIST, ISO, and other control frameworks.

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

• Categorize suppliers according to their risk profile and criticality to the business
• Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
• Centralize system inventory, risk assessments, RACI charts, and third parties
• Ensure consistent communications with suppliers during business disruptions

When a termination or exit is required for critical services, Prevalent leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more. The solution also suggests actions based on answers to offboarding assessments and routes tasks to reviewers as necessary.

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:

• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactively vendor reporting
• Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
• Guidance from built-in remediation recommendations to reduce risk
• Built-in report templates
• Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data