The Time is Now: NYDFS Deadline Means Risk Managers Need to Focus on Third-Party Risk

Alex Campanelli | February 1, 2019 | tag: Regulation & Compliance

In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations — known as 23 NYCRR Part 500 — went into effect. According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a covered entity and must comply.

With the NYDFS transition period ending soon, businesses need to keep their third-party risk management (TPRM) programs top of mind. By March 1, 2019, organizations need to have an established third-party provider policy that complies with the NYDFS regulation section 500.11. Additionally, by February 15, 2020, the Board of Directors (or a senior officer) of each organization must certify that their company’s TPRM program is in compliance. Without a program that can be certified as being “in place” as of March 1st, 2019, companies will incur financial penalties and potential business interruption.

When establishing steps to meet NYDFS compliance, meeting the “compliance checkbox” is not enough; ultimately, this will make it more difficult to report to senior leadership on your cybersecurity program. Due diligence is required to “ensure the security of information systems and nonpublic information” — however, a  point-in-time cyber security assessment does not achieve this. It simply reflects that moment in time; as we know, cyber risk is dynamic and can change or evolve at any moment. These days, having a solid third-party risk management program isn’t just necessary for compliance, however — it’s a best practice. While it can be overwhelming to start a third-party risk program — as well as resource-intensive — there are solutions, like security ratings, that can make the process much easier.

BitSight can help get businesses’ TPRM programs up and running quickly and efficiently, providing a continuous view into your third-party risk and an easy way to quantify and report cyber risk to internal stakeholders while demonstrating compliance.

Here are three steps to launch your TPRM program and comply with section 500.11 before the deadline:

1. Identify and tier your third parties based on criticality and business function.

First and foremost, you need to determine every vendor, contractor, third party, business unit, and partner that works with you. But simply having this list is not sufficient; you then need to tier those vendors based on their criticality to the business and potential risk they pose.

2. Use continuous monitoring solutions.

Relying solely on a vendor risk assessment template to evaluate the security posture of a third party poses a challenge for many organizations. Why? Because templates like questionnaires and assessments aren’t scalable. Beyond that, they can’t be easily verified. Instead of relying on traditional security assessments, which only show an organization’s security posture at a point-in-time, continuous monitoring allows you to instantly assess your third parties’ security posture. As the threat landscape evolves, so should your security assessments.

For example, with BitSight Security Ratings you’ll immediately know if a third- or fourth-party experiences a cybersecurity issue, allowing you to address the issue rapidly.

3. Emphasize the importance of third- and fourth-party cybersecurity to the Board of Directors.

CISOs (or designated officers) need to be able to report to the Board a summary of their security program and policies, AND a report of their effectiveness in this area. It’s important to have a way to aggregate data on the security posture of your third and fourth parties to report to the Board or to external stakeholders like regulators.

Using security ratings to monitor and pull together a comprehensive report on all your third parties is the best way to do this. You can walk through which vendors have improved their security, which has not, and how you plan to address any current vendor-related cybersecurity concerns. The cybersecurity program must include monitoring and testing designed to assess the effectiveness of the program.

nydfs cybersecurity regulations

Suggested Posts

What Is Cybersecurity Compliance? An Industry Guide

If you operate in specific sectors, cybersecurity maturity is more than a best practice, it’s a regulatory requirement. These regulations are complex and constantly changing. To help you better understand your organization's regulatory...


Taking Data Privacy Further: Prioritizing Privacy and Continuous Improvement

BitSight, the Standard in Security Ratings, has established itself as not only a clear leader in security ratings but now also in the burgeoning field of data privacy.


A Deep Dive into the Digital Operational Resilience Act

The European Union (EU) will soon launch a new regulation that will require banks and firms in the global financial industry to mature their third-party risk management programs to include set cybersecurity requirements – which will...


Get the Weekly Cybersecurity Newsletter.