NEW WHITE PAPER: See how Prevalent TPRM Platform capabilities map to specific compliance requirements!

New York SHIELD Act: Where Third-Party Risk Management Comes into Play

The New York SHIELD Act will go into effect in March 2020 with several implications for third-party risk management.

by Scott Lang, VP, Product Marketing

August 27th, 2019

S

Signed into law by the Governor of New York on July 25, 2019, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a data protection law that has broadened the definition of personal information to include username and password for an online account and biometrics; requires specific data security controls for organizations to protect the personal information of New York residents; and sets specific data breach notification requirements and penalties on organizations where the data of New York residents has been compromised.

Largely an update to previous New York state laws, the SHIELD Act will go into effect on March 21, 2020 and is meant to improve cybersecurity protections and data breach notification, with penalties ranging from $5,000 per violation to $20 per failed notification (capped at $250,000). Much like what the California Consumer Privacy Act (CCPA) does for that state, if your organization collects any kind of personal information from a resident of New York State – or you exchange information with a business partner that does – the law applies to you regardless of where your organization is located.

SHIELD Act Compliance Requirements

What’s notably different about the SHIELD Act versus other related data protection laws is that it provides some criteria for compliance. The Act defines three (3) types of safeguards to measure compliance against – Administrative, Physical, and Technical – with requirements including:

  • Designating and training employees to coordinate cybersecurity compliance
  • Using third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract
  • Assessing the risk of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage
  • Applying processes and physical safeguards to detect, prevent and respond to attacks or system failures
  • Monitoring and testing of the effectiveness of the cybersecurity program
  • Applying processes to safely, securely and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes
  • Updating the program periodically to address changes in the business or circumstances that would require the program to be changed

According to definitions in the Act, compliance can be achieved (called a “safe harbor”) if an organization meets the requirements of the GLBA Safeguards Rule, HIPAA, or 23 NYCRR Part 500 – although the Act is not clear on how an organization can prove that it is compliant with any of these regulatory regimes.

Third-Party Risk Management Considerations

In examining the SHIELD Act requirements, we see that there are several areas where third-party business relationships will have to be considered in ensuring compliance. We will use the bullets in the section above to identify these specific areas and pose several questions to determine your organization’s readiness for SHIELD Act compliance. Please review the Act’s text for a complete view of requirements. The table below should not be construed as compliance recommendations – merely questions to assess what your organization might need to address. 

New York SHIELD Act

Requirement Control Examination
Using third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract


  • Is the organization conducting internal controls-based assessments of third-parties based on the requirements in applicable laws such as GLBA, HIPAA, or NYCRR Part 500?
  • Is the organization monitoring external third-party networks and utilizing business risk intelligence such as news events, financials, layoffs, leadership changes, lawsuits, etc. that can serve as predictors of future vulnerabilities?
  • Is there a defined process in place to identify, categorize, prioritize, and manage risks to an acceptable level?
  • Does the organization have a defined workflow process in place to escalate identified risks for remediation?


Assessing the risk of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage


  • Is the organization utilizing external network vulnerability scanning along with multiple external sources for cyber threat intelligence?
  • Aside from external monitoring, is the organization conducting penetration testing to highlight vulnerabilities?
  • Is the organization monitoring relationships between different third-parties to gain visibility on how personal information could be shared?


Monitoring and testing of the effectiveness of the cybersecurity program

  • Is there a central audit trail in place that keeps track of all interactions between suppliers and the organization?
  • Is there a central risk register in place to centralize all identified risks from internal control failures or external cyber scanning results so that a clear risk score is communicated?
  • Is there a live reporting capability to show existing risks and effects of planned remediations?
  • Is there compliance-specific reporting showing percent attainment or progress to compliance?


Updating the program periodically to address changes in the business or circumstances that would require the program to be changed


Does the organization have options to maintain program flexibility including: 


  • Multiple industry standard questionnaire options with the ability to customize one appropriate to the business?
  • Defining assessment schedules to determine what third-parties to assess with automated chasing reminders?
  • The ability to outsource the collection and analysis of vendor surveys to focus internal risk management teams on risk management?
  • Leveraging pre-completed surveys and supporting vendor evidence to accelerate the risk management process?



How Prevalent Can Help Address SHIELD Act Third-Party Risk Management Requirements

Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. Delivered in the simplicity of the cloud, the Prevalent platform combines automated vendor assessments, continuous threat monitoring, assessment workflow, and remediation management across the entire vendor life cycle, with expert advisory and consulting services, network, and outsourced options to optimize your risk management program. With 50+ built-in questionnaire options – including for NYCRR 500 and other others helpful for the SHIELD Act – Prevalent can help organizations gain a 360-degree view of vendors to simplify compliance, reduce risks, and improve efficiency for a scalable third-party risk management program.

Watch for more SHIELD Act-specific questionnaire options in the Prevalent platform and be sure to contact us today with questions on how SHIELD will impact your organization. In the meantime, be sure to download our compliance white paper which details the third-party risk management requirements in multiple regulations and standards and maps Prevalent’s capabilities into those regimes.