23 NY CRR 500 and Third-Party Risk Management
23 NY CRR 500 was enacted in response to the alarming growth in data breaches and cyber threats against financial institutions. A key component of complying with 23 NY CRR 500 is managing vendor IT security controls and data privacy policies.
Two sections of the regulation specifically address third-party providers:
- Section 500.04 relates to the appointment of a CISO, who may be employed by an affiliate or a third party.
- Section 500.11 directly addresses third-party service provider security policy. It requires covered entities to maintain a written policy, based on a risk assessment, that addresses the security of information systems accessible to or held by third-party service providers.