
New York State DFS NY CRR 500 Compliance

Complying with 23 NY CRR 500

23 NYCRR 500, issued by the New York State Department of Financial Services (DFS), took effect on March 1, 2017 and established cybersecurity requirements for financial services companies licensed or regulated by DFS ("Covered Entities"). The regulation is designed to protect the confidentiality, integrity and availability of Nonpublic Information and of the Information Systems that store or process it.

23 NY CRR 500 and Third-Party Risk Management

23 NY CRR 500 was enacted in response to the alarming growth in data breaches and cyber threats against financial institutions. A key component of complying with 23 NY CRR 500 is managing vendor IT security controls and data privacy policies. 

Two sections of the regulation specifically address third-party providers: 

  • Section 500.04 covers the appointment of a CISO, who may be employed by the Covered Entity, one of its Affiliates or a Third-Party Service Provider. If the role is outsourced, the Covered Entity retains responsibility for compliance and must oversee the provider.
  • Section 500.11 directly addresses third-party service provider security policy. It requires Covered Entities to implement written policies and procedures, based on their own Risk Assessment, for securing the Information Systems and Nonpublic Information that Third-Party Service Providers can access or hold.

Relevant Requirements

Under 23 NYCRR 500, Covered Entities must:

  • Perform a periodic risk assessment and base their security controls on it
  • Maintain a cybersecurity program that addresses the entity's identified risks
  • Designate a CISO, with senior management remaining accountable for the organization's cybersecurity program
  • Implement a third-party service provider security policy and risk management program
  • File an annual certification confirming compliance with the regulation


Meeting 23 NY CRR 500 Third-Party Risk Management Requirements

Here's how Prevalent can help you address NY CRR 500 third-party risk management requirements:

New York State Department of Financial Services (DFS): Cybersecurity Requirements for Financial Services Companies, Part 500 of Title 23 (23 NYCRR 500)

Each entry below pairs a quoted 23 NYCRR 500 requirement with how Prevalent helps address it.

23 NYCRR 500.04 - Chief Information Security Officer

"(a) The CISO may be employed by the Covered Entity, one of its Affiliates or a Third-Party Service Provider. To the extent this requirement is met using a Third-Party Service Provider or an Affiliate, the Covered Entity shall:

  1. Retain responsibility for compliance with this Part;
  2. Designate a senior member of the Covered Entity’s personnel responsible for direction and oversight of the Third-Party Service Provider; and
  3. Require the Third-Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part."

How Prevalent helps: Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. The Prevalent Third-Party Risk Management platform combines automated vendor assessments and continuous threat monitoring to simplify compliance, reduce security risks, and improve efficiency. The platform provides CISOs with a 360-degree view of their vendor risks, via clear and concise reporting tied to specific regulations and control frameworks for improved visibility and decision making.

23 NYCRR 500.04 - Chief Information Security Officer

"(b) The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks. The CISO shall consider to the extent applicable:

  1. The confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems;
  2. The Covered Entity’s cybersecurity policies and procedures;
  3. Material cybersecurity risks to the Covered Entity;
  4. Overall effectiveness of the Covered Entity’s cybersecurity program; and
  5. Material Cybersecurity Events involving the Covered Entity during the time period addressed by the report."

How Prevalent helps: The Prevalent Third-Party Risk Management platform provides a complete solution for performing assessments, including questionnaires; an environment for collecting and managing the documented evidence submitted in response; workflows for managing reviews and addressing findings; and robust reporting that gives each level of management the information it needs to review a third party's performance and brief the board on material third-party risks.

23 NYCRR 500.11 - Third-Party Service Provider Security Policy

"(a) Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:

  1. The identification and risk assessment of Third-Party Service Providers;
  2. Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;
  3. Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and
  4. Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices."

Section 500.11(b) goes on to require that these policies and procedures include guidelines for due diligence and contractual protections covering, to the extent applicable: the provider's access controls, including multi-factor authentication; the provider's use of encryption to protect Nonpublic Information in transit and at rest; notice to the Covered Entity of Cybersecurity Events affecting its Information Systems or Nonpublic Information; and representations and warranties addressing the provider's cybersecurity policies and procedures.

How Prevalent helps: The Prevalent TPRM Platform unifies internal control-based assessments (based on industry standard framework questionnaires or on custom questionnaires) with continuous vendor threat monitoring to deliver a holistic security risk rating, enabling organizations to zero in on the most important or impactful risks.

The platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods. 

The platform includes continuous cyber and business risk review and analysis that can be performed at any time, during or between control-based assessments, providing an updated view of important cybersecurity risks and of business developments that could change a vendor's risk profile. This supports the periodic, risk-based reassessment that Section 500.11(a)(4) requires.

The Prevalent Difference

Prevalent’s Third-Party Risk Management Platform enables financial institutions to fulfill 23 NYCRR 500 third-party requirements across the entire vendor ecosystem. It provides a complete solution for building surveys and performing assessments; an environment for managing documented evidence; workflows for managing reviews and addressing findings; and robust reporting for reviewing third-party performance and risk. The Platform also includes cyber and business intelligence monitoring to continuously identify potential threats to financial institutions.