

New York State DFS NY CRR 500 Compliance

23 NY CRR 500 and Third-Party Risk Management

On March 1, 2017, the New York State Department of Financial Services (DFS) cybersecurity regulation, 23 NY CRR 500, took effect, establishing cybersecurity requirements for DFS-regulated financial services companies. The regulation is designed to protect the confidentiality, integrity and availability of Nonpublic Information and the Information Systems that store, process or transmit it.

23 NY CRR 500 was enacted in response to the growth in data breaches and cyber threats against financial institutions. A key component of complying with 23 NY CRR 500 is assessing and overseeing the security controls and data-handling practices of third-party service providers that access or hold a covered entity's Nonpublic Information.

Two sections of the regulation specifically address third-party providers:

  • Section 500.04 relates to the appointment of a CISO, who may be employed by the covered entity, one of its affiliates or a third-party service provider.

  • Section 500.11 directly addresses third-party service provider security policy. It requires covered entities to implement written policies and procedures, based on their own risk assessment, to ensure the security of Information Systems and Nonpublic Information that are accessible to or held by third-party service providers.

Relevant Requirements

  • Conduct a periodic risk assessment (Section 500.09) and base cybersecurity controls on it; industry frameworks such as the FFIEC Cybersecurity Assessment Tool or NIST CSF are commonly used as the baseline

  • Maintain a cybersecurity program (Section 500.02) and written cybersecurity policy (Section 500.03) that address the risks identified in that assessment

  • Designate a CISO (Section 500.04); senior management remains responsible for the organization's cybersecurity program even when the CISO is provided by an affiliate or third party

  • Implement a third-party service provider security policy and oversight program (Section 500.11)

  • File an annual certification of compliance with DFS (Section 500.17(b))

  • Notify DFS within 72 hours of determining that a reportable Cybersecurity Event has occurred, including an event at a third-party service provider that affects the covered entity (Section 500.17(a))


Meeting 23 NY CRR 500 TPRM Requirements

Here's how Prevalent can help you address NY CRR 500 third-party risk management requirements. Each entry below quotes the relevant regulation text, followed by how the Prevalent platform addresses it:

23 NYCRR 500.04 - Chief Information Security Officer

"(a) The CISO may be employed by the Covered Entity, one of its Affiliates or a Third-Party Service Provider. To the extent this requirement is met using a Third-Party Service Provider or an Affiliate, the Covered Entity shall:

  1. Retain responsibility for compliance with this Part;

  2. Designate a senior member of the Covered Entity’s personnel responsible for direction and oversight of the Third-Party Service Provider; and

  3. Require the Third-Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part."

Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. The Prevalent Third-Party Risk Management platform combines automated vendor assessments and continuous threat monitoring to simplify compliance, reduce security risks, and improve efficiency. The platform provides CISOs with a 360-degree view of their vendor risks, via clear and concise reporting tied to specific and recommended standards and frameworks for improved visibility and decision making.

23 NYCRR 500.04 - Chief Information Security Officer

“(b) The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks. The CISO shall consider to the extent applicable:

  1. The confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems;

  2. The Covered Entity’s cybersecurity policies and procedures;

  3. Material cybersecurity risks to the Covered Entity;

  4. Overall effectiveness of the Covered Entity’s cybersecurity program; and

  5. Material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.”

The Prevalent Third-Party Risk Management platform provides:

  • A complete solution to perform assessments including questionnaires based on recommended frameworks and standards
  • An environment to include and manage documented evidence in response
  • Workflows for managing the review and to address findings
  • Robust reporting to give each level of management the information it needs to properly review the third party's performance
  • A solution to simplify the discovery, management and reporting of third-party security incidents.

23 NYCRR 500.11 - Third-Party Service Provider Security Policy

"(a) Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:

  1. The identification and risk assessment of Third-Party Service Providers;

  2. Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;

  3. Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and

  4. Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices."

The Prevalent TPRM Platform unifies internal control-based assessments (built on industry-standard framework questionnaires or on custom questionnaires) with continuous vendor threat monitoring to deliver a holistic security risk rating, enabling organizations to zero in on the most important or impactful risks.

The platform includes built-in workflow capability enabling assessors to interact efficiently with third parties during the due diligence collection and review periods.

The platform includes continuous cyber and business risk review and analysis that can be performed at any time, during or between control-based assessments, providing an updated view of important cybersecurity risks and business developments that could change a vendor's risk profile.
