The Time is Now: NYDFS Deadline Means Risk Managers Need to Focus on Third-Party Risk

Alex Campanelli | February 1, 2019 | tag: Regulation & Compliance

In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations — known as 23 NYCRR Part 500 — went into effect. According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a covered entity and must comply.

With the NYDFS transition period ending soon, businesses need to keep their third-party risk management (TPRM) programs top of mind. By March 1, 2019, organizations need to have an established third-party provider policy that complies with the NYDFS regulation section 500.11. Additionally, by February 15, 2020, the Board of Directors (or a senior officer) of each organization must certify that their company’s TPRM program is in compliance. Without a program that can be certified as being “in place” as of March 1st, 2019, companies will incur financial penalties and potential business interruption.

When establishing steps to meet NYDFS compliance, meeting the “compliance checkbox” is not enough; ultimately, this will make it more difficult to report to senior leadership on your cybersecurity program. Due diligence is required to “ensure the security of information systems and nonpublic information” — however, a  point-in-time cyber security assessment does not achieve this. It simply reflects that moment in time; as we know, cyber risk is dynamic and can change or evolve at any moment. These days, having a solid third-party risk management program isn’t just necessary for compliance, however — it’s a best practice. While it can be overwhelming to start a third-party risk program — as well as resource-intensive — there are solutions, like security ratings, that can make the process much easier.

BitSight can help get businesses’ TPRM programs up and running quickly and efficiently, providing a continuous view into your third-party risk and an easy way to quantify and report cyber risk to internal stakeholders while demonstrating compliance.

Here are three steps to launch your TPRM program and comply with section 500.11 before the deadline:

1. Identify and tier your third parties based on criticality and business function.

First and foremost, you need to determine every vendor, contractor, third party, business unit, and partner that works with you. But simply having this list is not sufficient; you then need to tier those vendors based on their criticality to the business and potential risk they pose.

2. Use continuous monitoring solutions.

Relying solely on a vendor risk assessment template to evaluate the security posture of a third party poses a challenge for many organizations. Why? Because templates like questionnaires and assessments aren’t scalable. Beyond that, they can’t be easily verified. Instead of relying on traditional security assessments, which only show an organization’s security posture at a point-in-time, continuous monitoring allows you to instantly assess your third parties’ security posture. As the threat landscape evolves, so should your security assessments.

For example, with BitSight Security Ratings you’ll immediately know if a third- or fourth-party experiences a cybersecurity issue, allowing you to address the issue rapidly.

3. Emphasize the importance of third- and fourth-party cybersecurity to the Board of Directors.

CISOs (or designated officers) need to be able to report to the Board a summary of their security program and policies, AND a report of their effectiveness in this area. It’s important to have a way to aggregate data on the security posture of your third and fourth parties to report to the Board or to external stakeholders like regulators.

Using security ratings to monitor and pull together a comprehensive report on all your third parties is the best way to do this. You can walk through which vendors have improved their security, which has not, and how you plan to address any current vendor-related cybersecurity concerns. The cybersecurity program must include monitoring and testing designed to assess the effectiveness of the program.

nydfs cybersecurity regulations

Suggested Posts

Top 3 Most Common Cybersecurity Models Explained

Security risk managers often face a lot of the same roadblocks, even if they’re managing programs of different sizes or in different industries. Basing security practices on well-known, and sometimes government-regulated cybersecurity...


7 Cybersecurity Frameworks That Help Reduce Cyber Risk

While security ratings are a great way to demonstrate that you’re paying attention to the cyber health of the organization you also need to show that you’re adhering to industry and regulatory best practices for IT security and making...


FFIEC IT Handbook Updates: Business Continuity Is 2020 Focus

In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released an update to the Information Technology Examination Handbook (IT Handbook). This handbook is a guide for examiners at its member agencies, which...


Subscribe to get security news and updates in your inbox.