Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

Hero  Image  Solutions  Compliance  Ny  Crr 500

NYDFS 23 NYCRR 500 Compliance

23 NYCRR 500 and Third-Party Risk Management

In early 2017, the New York State Department of Financial Services (DFS) instituted 23 NYCRR 500 to establish new cybersecurity requirements for financial services companies. The regulation is designed to protect the confidentiality, integrity and availability of customer information and related IT systems.

23 NYCRR 500 was enacted in response to the alarming growth in data breaches and cyber threats against financial institutions. A key component of complying with the law is managing vendor IT security controls and data privacy policies.

Multiple sections of the regulation specifically address third-party providers:

  • Section 500.11 directly addresses third-party service provider security policy. It requires covered entities to implement written policies and procedures that address third-party information systems security based on a risk assessment.

  • Section 500.16 requires covered entities to establish plans and measures to ensure operational resilience, including incident response, business continuity and disaster recovery plans.

  • Section 500.17 requires specific reporting on third-party cybersecurity events.

Relevant Requirements

  • Maintain a cybersecurity program that includes risk assessments, independent audits, and supporting documentation

  • Implement and maintain information security policies based on risk assessments – including for vendor and third-party service provider management

  • Appoint a CISO who must be responsible for, review, and report on the organization’s cybersecurity program

  • Include specific cybersecurity technologies and practices

  • Create a third-party risk management program

  • File an annual certification confirming compliance with these regulations

How Will 23 NYCRR 500 Impact Your TPRM Program?

Download this guide to uncover how to comply with mandates for third-party risk assessment and documentation, including those covered in the November 2022 amendment.

Read Now
Feature nydfs 23 nycrr 500 0223

Meeting 23 NYCRR 500 TPRM Requirements

Here's how Prevalent can help you address 23 NYCRR 500 third-party risk management requirements:

23 NYCRR 500 Requirements How We Help

SECTION 500.11
(a) Each covered entity shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third party service providers. Such policies and procedures shall be based on the risk assessment of the covered entity and shall address to the extent applicable:

(1) the identification and risk assessment of third party service providers;

Prevalent enables you to assess and monitor third parties based on the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

(2) minimum cybersecurity practices required to be met by such third party service providers in order for them to do business with the covered entity;

Prevalent centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs). Our solutions also deliver business, reputational, financial, and data breach risk insights to inform and add context to vendor selection decisions.

Prevalent moves each selected vendor into contracting and/or onboarding due diligence phases, automatically progressing the vendor through the third-party lifecycle.

(3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such third party service providers; and

Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 200+ standardized assessments, customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

(4) periodic assessment of such third party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.

Assessments can be conducted pre-contract, at the time of contract renewal or at any required frequency (e.g., quarterly or annually).

Integrated, native cyber, business, reputational, and financial risk monitoring capabilities flag material changes between periodic assessments and can trigger notifications, follow-up assessments, or other actions.

Prevalent delivers built-in remediation recommendations based on risk assessment results. These are backed by workflow and task management capabilities to ensure that third parties address risks in a timely and satisfactory manner.

SECTION 500.16
(a) As part of its cybersecurity program, each covered entity shall establish written plans that contain proactive measures to investigate and mitigate disruptive events and ensure operational resilience, including but not limited to incident response, business continuity and disaster recovery plans.

(2) Business continuity and disaster recovery plan (for purposes of this Part, BCDR plan). BCDR plans shall be reasonably designed to ensure the availability and functionality of the covered entity’s services and protect the covered entity’s personnel, assets and nonpublic information in the event of an emergency or other disruption to its normal business activities. Such plans shall, at minimum:

(iii)  include a plan to communicate with essential persons in the event of an emergency or other disruption to the operations of the covered entity, including employees, counterparties, regulatory authorities, third party service providers, disaster recovery specialists, the senior governing body and any other persons essential to the recovery of documentation and data and the resumption of operations;

(vi) identify third parties that are necessary to the continued operations of the covered entity’s business.

Prevalent automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to NIST, ISO, and other control frameworks.

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

  • Categorize suppliers according to their risk profile and criticality to the business
  • Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
  • Centralize system inventory, risk assessments, RACI charts, and third parties
  • Ensure consistent communications with suppliers during business disruptions

When a termination or exit is required for critical services, Prevalent leverages customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more. The solution also suggests actions based on answers to offboarding assessments and routes tasks to reviewers as necessary.

SECTION 500.17
(a) Notice of cybersecurity event.

(3) Each covered entity that is affected by a cybersecurity event at a third party service provider shall notify the superintendent electronically in the form set forth on the department’s website as promptly as possible but in no event later than 72 hours from the time the covered entity becomes aware of such cybersecurity event.

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactively vendor reporting
  • Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
  • Guidance from built-in remediation recommendations to reduce risk
  • Built-in report templates
  • Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

Align Your TPRM Program with 14 Industry Standards

Download this guide to review industry standards with specific TPRM requirements, and discover best practices for simplifying compliance.

Read Now
Featured resource compliance handbook industry standards
  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo