In early 2017, the New York State Department of Financial Services (DFS) instituted a regulation establishing cybersecurity requirements for financial services companies. This regulation, known as 23 NYCRR 500, was enacted in response to data breaches and cyber threats that were rising at an alarming rate, exposing sensitive data and costing organizations millions of dollars. The regulation was amended in November 2022 to account for the latest risks to information systems and data, with the updates set to go into effect in 2023.
This post examines which organizations must comply with the law, key third-party risk management provisions in 23 NYCRR 500, and best practices for meeting the requirements.
According to the regulation, “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law regardless of whether the covered entity is also regulated by other government agencies” is considered a “covered entity” and must comply – even organizations that are not headquartered in New York.
However, there are a few exemptions to the regulation. The November 2022 amendment updated the exemption criteria to exempt covered entities with:
Furthermore, the November 2022 amendments to the regulation designate “Class A” companies in order to place stricter requirements on larger financial services organizations. Class A companies are those with at least $20 million in gross annual revenue in each of the last two fiscal years from business operations of the covered entity and its affiliates in the state of New York and:
Class A companies must meet additional requirements beyond what all covered entities must meet, including:
With recent 23 NYCRR 500 penalties of up to $4.5 million, it is essential that organizations understand how the regulation affects them.
Designed to protect the confidentiality, integrity and availability of customer information as well as information technology systems, this cybersecurity regulation mandates that covered entities take the following steps:
A key component of complying with 23 NYCRR 500 is managing your vendors’ IT security controls and data privacy policies. Section 500.11(a) directly addresses third-party service provider security policy. It requires covered entities to have a written policy that addresses third-party information system security based on a risk assessment, and it requires the policy to cover:
Section 500.11(b) goes on to describe specific areas on which covered entities should conduct further due diligence, such as access controls, multi-factor authentication (MFA), encryption, and incident response reporting. Additional sections of the regulation that apply to third-party risk management are 500.16 (business continuity) and 500.17 (third-party incident response).
Implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.
Implementing a third-party service provider security policy should include the following elements:
Prevalent’s Third-Party Risk Management Platform enables financial institutions to fulfill these requirements across their entire vendor ecosystem. It provides a complete solution for performing vendor risk assessments – including:
The Prevalent Platform also includes cyber, business, reputational and financial intelligence monitoring to capture ongoing potential threats to a covered entity.
Establish written plans that contain proactive measures to investigate and mitigate disruptive events and ensure operational resilience, including but not limited to incident response, business continuity and disaster recovery plans.
Ensuring business resilience should include automating the assessment, continuous monitoring, analysis and remediation of third-party business resilience and continuity practices – while automatically mapping results to NIST, ISO, and other control frameworks. This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements. The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices.
Notice of cybersecurity events.
To meet the requirement of notifying the Department of Financial Services within 72 hours of becoming aware of a cybersecurity event, establish proactive third-party incident response plans that include:
Effectively addressing the requirements communicated in 23 NYCRR 500 is an impossible task if you rely solely on spreadsheets to collect, analyze, remediate and report on cybersecurity controls. The Prevalent Third-Party Risk Management Platform enables your financial services institution to fulfill 23 NYCRR 500 requirements across its entire vendor ecosystem. The Platform provides: