NYDFS Part 500 Cybersecurity Requirements

Financial Services (New York)

Mandatory cybersecurity regulations for financial services companies licensed or operating in New York State

Overview

The New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) establishes minimum cybersecurity standards for covered financial institutions. It aims to protect customer information and the integrity of the financial services industry from cyber threats.

A key component of Part 500 is Section 500.11, which specifically addresses Third-Party Service Provider Security Policy, requiring covered entities to implement robust risk management practices for their vendors.

Status

Active - Effective March 1, 2017 (with phased implementation)

Jurisdiction

New York State, USA

Regulatory Authority

New York Department of Financial Services (NYDFS)

Applicability

Entities operating under or required to operate under DFS licensure, registration, or charter (banks, insurers, etc.)

Key Requirements for TPRM (Section 500.11)

Specific mandates for managing cybersecurity risks associated with third-party service providers

Written Policies & Procedures

Establish and maintain written policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.

Risk Assessment & Due Diligence

Conduct risk assessments of third parties and perform due diligence to evaluate the adequacy of their cybersecurity practices.

Minimum Security Practices

Require third parties to implement minimum acceptable cybersecurity practices, based on the risk assessment.

Periodic Assessments

Conduct periodic assessments of third-party risks and the continued adequacy of their cybersecurity controls.

Contractual Protections

Include relevant cybersecurity requirements in contracts, such as use of multi-factor authentication, encryption, incident notification, and audit rights.

Incident Notification

Ensure contracts address the third party's obligation to notify the covered entity of cybersecurity events.

Broader Part 500 Requirements Impacting TPRM

Other sections of the regulation influence how third-party risk is managed

Cybersecurity Program (500.02)

Requires maintaining a comprehensive cybersecurity program based on the entity's Risk Assessment. This program inherently includes managing risks from third-party access.

Cybersecurity Policy (500.03)

Mandates written policies approved by senior management covering areas like data governance, access controls, and vendor management, aligning with Section 500.11.

Chief Information Security Officer (CISO) (500.04)

Requires designating a qualified CISO responsible for overseeing the cybersecurity program, including third-party security aspects.

Access Privileges & Management (500.07)

Requires limiting access privileges to sensitive systems and data, including those granted to third parties, based on the principle of least privilege.

Risk Assessment (500.09)

Mandates periodic risk assessments to inform the cybersecurity program design, which must consider threats related to third-party connectivity and data access.

Multi-Factor Authentication (MFA) (500.12)

Requires risk-based MFA for accessing internal networks from external networks, often applicable to third-party remote access.

Incident Response Plan (500.16)

Requires a written plan to respond to cybersecurity incidents, which should include procedures related to incidents originating from third parties.

Notices to Superintendent (500.17)

Requires prompt notification (within 72 hours) of significant cybersecurity events, including those affecting third parties that impact the covered entity.

Compliance & Certification

Annual certification requirement for covered entities

Covered Entities are required to submit an annual certification of compliance with 23 NYCRR Part 500 to the NYDFS Superintendent, typically by February 15th each year. This certification affirms that the entity materially complied with the regulation during the prior calendar year.

Robust third-party risk management under Section 500.11 is a critical component of achieving and certifying compliance.

Additional Resources

Official NYDFS resources and related information

Full Text of 23 NYCRR Part 500

Official text of the NYDFS Cybersecurity Regulation.

NYDFS Cybersecurity FAQs

Frequently Asked Questions addressing various aspects of the regulation.

Annual Certification Portal

Information and portal for submitting the required annual compliance certification.

NYDFS Enforcement Actions

Examples of enforcement actions related to cybersecurity non-compliance.

Tools for NYDFS Part 500 Compliance

Solutions focused on meeting the third-party risk requirements of the regulation

Vendor Risk Assessment

Conducting due diligence and risk assessments aligned with NYDFS expectations.

Contract Review & Clause Library

Ensuring contracts include necessary cybersecurity protections and notification clauses.

Periodic Assessment Automation

Scheduling and tracking periodic vendor security assessments.

Compliance Documentation

Maintaining records of TPRM policies, procedures, and assessments for certification.

Incident Management Integration

Linking vendor incidents to the entity's incident response and notification process.

Certification Support

Gathering evidence and supporting documentation for the annual compliance certification.

Meet NYDFS Part 500 Vendor Security Requirements

Implement a robust TPRM program to satisfy Section 500.11 and support overall compliance.