New Report: The 2022 Gartner® Market Guide for IT Vendor Risk Management Solutions

How to Meet 23 NY CRR Requirements for Third-Party Risk Management

NYDFS 23 NY CRR 500 is designed to protect the confidentiality, integrity, and availability of financial services customer information. Here's how to comply with key requirements regarding third-party risk.
Scott Lang
VP, Product Marketing
January 31, 2022
Blog Compliance Nydfs Aug 2019

In early 2017, the New York State Department of Financial Services (DFS) instituted a regulation to establish cybersecurity requirements for financial services companies. This legislation, known as 23 NY CRR 500, was enacted after the realization that data breaches and cyber threats were rising at an alarming rate, exposing sensitive data, and costing organizations millions of dollars.

According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a “covered entity” and must comply.

23 NY CRR 500 Requirements Overview

Designed to protect the confidentiality, integrity, and availability of customer information as well as information technology systems, this regulation mandates that covered entities take the following steps:

As it relates to third-party risk management, a key component of complying with 23 NY CRR 500 is managing your vendors’ IT security controls and data privacy policies.

Where Third-Party Providers Come Into Play

Two sections of the regulation specifically address third-party providers. Section 500.04 relates to the appointment of a CISO who can be employed by an affiliate or third-party. If not a direct employee, the covered entity must still retain responsibility for compliance, designate a senior person responsible for direction and oversight of the third party service provider, and require the third-party to maintain a cybersecurity program that is compliant with the regulation. A report by the CISO must be provided annually regardless of whether they are a direct employee or a third party.

Section 500.11 directly addresses third-party service provider security policy. It requires covered entities to have a written policy that addresses third-party information systems security based on a risk assessment, and it requires the policy to cover:

  • Identification and risk assessment of the third party
  • Minimum cybersecurity practices
  • Due diligence used to evaluate the adequacy of their cybersecurity practices, and
  • Periodic assessment of the provider based on risk and continued adequacy of their cybersecurity practices

Navigate the TPRM Compliance Landscape

The Third-Party Risk Management Compliance Handbook reveals TPRM requirements in key regulations and industry frameworks, so you can achieve compliance while mitigating vendor risk.

Read Now
Feature tprm compliance handbook 0821

How Prevalent Solutions Address Third-Party Compliance Requirements in 23 NY CRR 500

23 NYCRR 500 specifically requires that covered entities develop written policies and procedures to ensure the security of information systems and the integrity of data accessed or held by third parties. Implementing a third-party service provider security policy should include the following elements:

  • An accurate and comprehensive list of third-party service providers, including the identification of the specific services provided by each
  • Cybersecurity practices to be followed by third parties, based on the policies and security controls of the covered entity’s baseline risk assessment
  • Periodic assessment of vendors based on those requirements, including due diligence processes to be utilized
  • Applicable contract requirements and guidelines

Prevalent’s Third-Party Risk Management Platform enables financial institutions to fulfill these requirements across their entire vendor ecosystem. It provides a complete solution for performing vendor risk assessments – including

  • Questionnaires based on NY DFS recommended frameworks and standards
  • An environment to include and manage documented evidence in response
  • Workflows for managing the review and address findings
  • Robust reporting to give each level of management the information it needs to properly review the third party's performance and risk
  • Incident response for simplifying third-party incident discovery, triage and reporting

The Prevalent Platform also includes cyber, business, reputational, and financial intelligence monitoring to capture ongoing potential threats to a covered entity.

The responsibility for properly overseeing the IT security of outsourced relationships lies with the covered entity’s CISO, who must present an annual report. With advanced reporting capabilities by compliance requirement and industry framework, the Prevalent TPRM platform can simplify compliance reporting and clarify risks.

Prevalent Can Help You Manage Regulatory Compliance

To learn more about achieving NY CRR 500 compliance, as well as compliance with many of the most common industry standards, frameworks, and guidelines, download our white paper, The Third-Party Risk Management Compliance Handbook. It reviews the key third-party risk management requirements in common regulatory and security frameworks, while mapping Prevalent Third-Party Risk Management capabilities to specific mandates. It’s essential reading for anyone responsible for managing supply-chain compliance initiatives.

Leadership scott lang
Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.
  • Ready to get started?
  • Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo