In early 2017, the New York State Department of Financial Services (DFS) instituted 23 NY CRR 500 to establish new cybersecurity requirements for financial services companies. The regulation is designed to protect the confidentiality, integrity and availability of customer information and related IT systems.
23 NY CRR 500 was enacted in response to the alarming growth in data breaches and cyber threats against financial institutions. A key component of complying with 23 NY CRR 500 is managing vendor IT security controls and data privacy policies.
Two sections of the regulation specifically address third-party providers:
Section 500.04 covers the appointment of a CISO, who may be employed by the covered entity itself, by one of its affiliates, or by a third-party service provider.
Section 500.11 directly addresses third-party service provider security policy. It requires covered entities to implement written policies and procedures, based on their own risk assessment, for the security of information systems and nonpublic information that are accessible to or held by third-party service providers.
Overall, the regulation requires covered entities to:
- Establish risk controls against a baseline risk assessment
- Create a cybersecurity program that addresses those risks in a robust fashion
- Appoint a CISO, with senior management held responsible for the organization's cybersecurity program
- Create a third-party risk management program
- File an annual certification confirming compliance with the regulation
Meeting 23 NY CRR 500 TPRM Requirements
Here's how Prevalent can help you address NY CRR 500 third-party risk management requirements:
| NY CRR 500 Requirement | How Prevalent Helps |
|---|---|
| 23 NYCRR 500.04 - Chief Information Security Officer: "(a) The CISO may be employed by the Covered Entity, one of its Affiliates or a Third-Party Service Provider. To the extent this requirement is met using a Third-Party Service Provider or an Affiliate, the Covered Entity shall: | Prevalent delivers a purpose-built, unified platform for third-party risk management. The Prevalent Third-Party Risk Management platform combines automated vendor assessments with continuous threat monitoring to simplify compliance, reduce security risk, and improve efficiency. It gives CISOs a 360-degree view of vendor risk through clear, concise reporting tied to specific regulations and control frameworks, improving visibility and decision making. |
| 23 NYCRR 500.04 - Chief Information Security Officer: "(b) The CISO shall report on the Covered Entity's cybersecurity program and material cybersecurity risks. The CISO shall consider to the extent applicable: | The Prevalent Third-Party Risk Management platform provides a complete solution for performing assessments, including questionnaires; an environment for collecting and managing the documented evidence submitted in response; workflows for managing the review and addressing findings; and robust reporting that gives each level of management the information it needs to review a third party's performance. |
| 23 NYCRR 500.11 - Third Party Service Provider Security Policy: "(a) Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable: The section goes on to detail requirements for access controls including multi-factor authentication, encryption, notice of cybersecurity events, and representations and warranties addressing cybersecurity policy. | The Prevalent TPRM platform unifies internal control-based assessments (using industry-standard framework questionnaires or custom questionnaires) with continuous vendor threat monitoring to deliver a holistic security risk rating, so organizations can zero in on the most important or impactful risks. Built-in workflow lets assessors interact efficiently with third parties during due diligence collection and review. Continuous cyber and business risk review and analysis can be performed at any time, during or between control-based assessments, to provide an up-to-date view of cybersecurity risks and business developments that could affect them. |