New York State DFS NY CRR 500 Compliance

23 NYCRR 500.04 - Chief Information Security Officer

"(a) The CISO may be employed by the Covered Entity, one of its Affiliates or a Third-Party Service Provider. To the extent this requirement is met using a Third-Party Service Provider or an Affiliate, the Covered Entity shall:

1. Retain responsibility for compliance with this Part;

2. Designate a senior member of the Covered Entity’s personnel responsible for direction and oversight of the Third-Party Service Provider; and

3. Require the Third-Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part."

Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. The Prevalent Third-Party Risk Management platform combines automated vendor assessments and continuous threat monitoring to simplify compliance, reduce security risks, and improve efficiency. The platform provides CISOs with a 360-degree view of their vendor risks, via clear and concise reporting tied to specific regulations and control frameworks for improved visibility and decision making.

23 NYCRR 500.04 - Chief Information Security Officer

“(b) The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks. The CISO shall consider to the extent applicable:

1. The confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems;

2. The Covered Entity’s cybersecurity policies and procedures;

3. Material cybersecurity risks to the Covered Entity;

4. Overall effectiveness of the Covered Entity’s cybersecurity program; and

5. Material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.

The Prevalent Third-Party Risk Management platform provides a complete solution to perform assessments including questionnaires; an environment to include and manage documented evidence in response; workflows for managing the review and address findings; and robust reporting to give each level of management the information it needs to properly review the third party's performance.

23 NYCRR 500.11 -Third Party Service Provider Security Policy

"(a) Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:

1. The identification and risk assessment of Third-Party Service Providers;

2. Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;

3. Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and

4. Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices."

Details follow in this section including requirements for access controls with multi-factor authentication, encryption, notice of cybersecurity events, and representations and warrantees addressing cybersecurity policy.

The Prevalent TPRM Platform unifies internal control-based assessments (based on industry standard framework questionnaires or on custom questionnaires) with continuous vendor threat monitoring to deliver a holistic security risk rating, enabling organizations to zero-in on the most important or impactful risks.

The platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods.

The platform includes continuous cyber and business risk review and analysis that can be performed at any time – during or between control-based assessments – providing an updated view of important cyber security risks and business developments that could impact risks.