Mandatory cybersecurity regulations for financial services companies licensed or operating in New York State
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) establishes minimum cybersecurity standards for covered financial institutions. It aims to protect customer information and the integrity of the financial services industry from cyber threats.
A key component of Part 500 is Section 500.11, which specifically addresses Third-Party Service Provider Security Policy, requiring covered entities to implement robust risk management practices for their vendors.
Status: Active - Effective March 1, 2017 (with phased implementation)
Jurisdiction: New York State, USA
Regulator: New York Department of Financial Services (NYDFS)
Covered entities: Entities operating under or required to operate under DFS licensure, registration, or charter (banks, insurers, etc.)
Specific mandates for managing cybersecurity risks associated with third-party service providers
Establish and maintain written policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.
Conduct risk assessments of third parties and perform due diligence to evaluate the adequacy of their cybersecurity practices.
Require third parties to implement minimum acceptable cybersecurity practices, based on the risk assessment.
Conduct periodic assessments of third-party risks and the continued adequacy of their cybersecurity controls.
Include relevant cybersecurity requirements in contracts, such as use of multi-factor authentication, encryption, incident notification, and audit rights.
Ensure contracts address the third party's obligation to notify the covered entity of cybersecurity events.
Other sections of the regulation influence how third-party risk is managed
Requires maintaining a comprehensive cybersecurity program based on the entity's Risk Assessment. This program inherently includes managing risks from third-party access.
Mandates written policies approved by senior management covering areas like data governance, access controls, and vendor management, aligning with Section 500.11.
Requires designating a qualified CISO responsible for overseeing the cybersecurity program, including third-party security aspects.
Requires limiting access privileges to sensitive systems and data, including those granted to third parties, based on the principle of least privilege.
Mandates periodic risk assessments to inform the cybersecurity program design, which must consider threats related to third-party connectivity and data access.
Requires risk-based MFA for accessing internal networks from external networks, often applicable to third-party remote access.
Requires a written plan to respond to cybersecurity incidents, which should include procedures related to incidents originating from third parties.
Requires prompt notification (within 72 hours) of significant cybersecurity events, including those affecting third parties that impact the covered entity.
Annual certification requirement for covered entities
Covered Entities are required to submit an annual certification of compliance with 23 NYCRR Part 500 to the NYDFS Superintendent, typically by February 15th each year. This certification affirms that the entity materially complied with the regulation during the prior calendar year.
Robust third-party risk management under Section 500.11 is a critical component of achieving and certifying compliance.
Official NYDFS resources and related information
Official text of the NYDFS Cybersecurity Regulation.
Frequently Asked Questions addressing various aspects of the regulation.
Information and portal for submitting the required annual compliance certification.
Examples of enforcement actions related to cybersecurity non-compliance.
Solutions focused on meeting the third-party risk requirements of the regulation
Conducting due diligence and risk assessments aligned with NYDFS expectations.
Ensuring contracts include necessary cybersecurity protections and notification clauses.
Scheduling and tracking periodic vendor security assessments.
Maintaining records of TPRM policies, procedures, and assessments for certification.
Linking vendor incidents to the entity's incident response and notification process.
Gathering evidence and supporting documentation for the annual compliance certification.
Implement a robust TPRM program to satisfy Section 500.11 and support overall compliance.