Hero compliance shield

New York SHIELD Act Compliance

New York SHIELD and Third-Party Risk Management

Signed into law by the Governor of the US State New York on July 25, 2019, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a data protection law that has broadened the definition of personal information to include username and password for an online account and biometrics; requires specific data security controls for organizations to protect the personal information of New York residents; and sets specific data breach notification requirements and penalties on organizations where the data of New York residents has been compromised.

Largely an update to previous New York state laws, the SHIELD Act will go into effect on March 21, 2020 and is meant to improve cybersecurity protections and data breach notification, with penalties ranging from $5,000 per violation to $20 per failed notification (capped at $250,000). Much like what the California Consumer Privacy Act (CCPA) does for that state, if your organization collects any kind of personal information from a resident of New York State – or you exchange information with a business partner that does – the law applies to you regardless of where your organization is located.

Relevant Requirements

  • Designate and train employees to coordinate cybersecurity compliance

  • Use third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract

  • Assess the risk of the company’s cybersecurity program, including network and software design, as well as information processing, transmission and storage

  • Apply processes and physical safeguards to detect, prevent and respond to attacks or system failures

  • Monitor and test the effectiveness of the cybersecurity program

  • Apply processes to safely, securely and permanently dispose of data within a reasonable amount of time after it is no longer needed

  • Update the program periodically to address changes in the business or other circumstances

Satisfying Third-Party Risk Management Compliance Requirements

Discover the key third-party risk management requirements in common regulatory and security frameworks, and learn how Prevalent maps to specific mandates so you can achieve compliance while mitigating vendor risk.

Read the Paper
Featured resource compliance white paper

Meeting NY SHIELD Requirements

Here's how Prevalent can help you address SHIELD third-party risk management requirements:

SHIELD Requirements How We Help

Using third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract

  • Is the organization conducting internal controls-based assessments of third-parties based on the requirements in applicable laws such as GLBA, HIPAA, or NYCRR Part 500?
  • Is the organization monitoring external third-party networks and utilizing business risk intelligence such as news events, financials, layoffs, leadership changes, lawsuits, etc. that can serve as predictors of future vulnerabilities?
  • Is there a defined process in place to identify, categorize, prioritize, and manage risks to an acceptable level?
  • Does the organization have a defined workflow process in place to escalate identified risks for remediation?

Assessing the risk of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage

  • Is the organization utilizing external network vulnerability scanning along with multiple external sources for cyber threat intelligence?
  • Aside from external monitoring, is the organization conducting penetration testing to highlight vulnerabilities?
  • Is the organization monitoring relationships between different third-parties to gain visibility on how personal information could be shared?

Monitoring and testing of the effectiveness of the cybersecurity program

  • Is there a central audit trail in place that keeps track of all interactions between suppliers and the organization?
  • Is there a central risk register in place to centralize all identified risks from internal control failures or external cyber scanning results so that a clear risk score is communicated?
  • Is there a live reporting capability to show existing risks and effects of planned remediations?
  • Is there compliance-specific reporting showing percent attainment or progress to compliance?

Updating the program periodically to address changes in the business or circumstances that would require the program to be changed

Does the organization have options to maintain program flexibility including:

  • Multiple industry standard questionnaire options with the ability to customize one appropriate to the business?
  • Defining assessment schedules to determine what third-parties to assess with automated chasing reminders?
  • The ability to outsource the collection and analysis of vendor surveys to focus internal risk management teams on risk management?
  • Leveraging pre-completed surveys and supporting vendor evidence to accelerate the risk management process?
  • Ready to get started?
  • Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo