How to Meet 23 NY CRR Requirements for Third-Party Risk Management

In early 2017, the New York State Department of Financial Services (DFS) instituted a regulation to establish cybersecurity requirements for financial services companies. This legislation, known as 23 NY CRR 500, was enacted after the realization that data breaches and cyber threats were rising at an alarming rate, exposing sensitive data, and costing organizations millions of dollars.

According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a “covered entity” and must comply.

23 NY CRR 500 Requirements Overview

Designed to protect the confidentiality, integrity, and availability of customer information as well as information technology systems, this regulation mandates that covered entities take the following steps:

• Establish risk controls against a baseline assessment using any number of frameworks or standards, such as the Federal Financial Institutions Examination Council (FFIEC) Cyber Assessment Tool or National Institute of Standards and Technology (NIST) Cybersecurity Framework
• Create a cybersecurity program that addresses its risks in a robust fashion, including an audit trail
• Appoint a CISO, and senior management must be responsible for and review the organization’s cybersecurity program
• Create a third-party risk management program
• Notify DFS in the case of a cybersecurity incident involving a third party – even if the third party notifies DFS
• File an annual certification confirming compliance with these regulations

As it relates to third-party risk management, a key component of complying with 23 NY CRR 500 is managing your vendors’ IT security controls and data privacy policies.

Where Third-Party Providers Come Into Play

Two sections of the regulation specifically address third-party providers. Section 500.04 relates to the appointment of a CISO who can be employed by an affiliate or third-party. If not a direct employee, the covered entity must still retain responsibility for compliance, designate a senior person responsible for direction and oversight of the third party service provider, and require the third-party to maintain a cybersecurity program that is compliant with the regulation. A report by the CISO must be provided annually regardless of whether they are a direct employee or a third party.

Section 500.11 directly addresses third-party service provider security policy. It requires covered entities to have a written policy that addresses third-party information systems security based on a risk assessment, and it requires the policy to cover:

• Identification and risk assessment of the third party
• Minimum cybersecurity practices
• Due diligence used to evaluate the adequacy of their cybersecurity practices, and
• Periodic assessment of the provider based on risk and continued adequacy of their cybersecurity practices