<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1175921925807459&amp;ev=PageView&amp;noscript=1">
Regulation & Compliance

The Time is Now: NYDFS Deadline Means Risk Managers Need to Focus on Third-Party Risk

Alex Campanelli | February 1, 2019

In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations — known as 23 NYCRR Part 500 — went into effect. According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a covered entity and must comply.

With the NYDFS transition period ending soon, businesses need to keep their third-party risk management (TPRM) programs top of mind. By March 1, 2019, organizations need to have an established third-party provider policy that complies with the NYDFS regulation section 500.11. Additionally, by February 15, 2020, the Board of Directors (or a senior officer) of each organization must certify that their company’s TPRM program is in compliance. Without a program that can be certified as being “in place” as of March 1st, 2019, companies will incur financial penalties and potential business interruption.

When establishing steps to meet NYDFS compliance, meeting the “compliance checkbox” is not enough; ultimately, this will make it more difficult to report to senior leadership on your cybersecurity program. Due diligence is required to “ensure the security of information systems and nonpublic information” — however, a  point-in-time security assessment does not achieve this. It simply reflects that moment in time; as we know, cyber risk is dynamic and can change or evolve at any moment. These days, having a solid third-party risk management program isn’t just necessary for compliance, however — it’s a best practice. While it can be overwhelming to start a third-party risk program — as well as resource-intensive — there are solutions, like security ratings, that can make the process much easier.

BitSight can help get businesses’ TPRM programs up and running quickly and efficiently, providing a continuous view into your third-party risk and an easy way to quantify and report cyber risk to internal stakeholders while demonstrating compliance.

Here are three steps to launch your TPRM program and comply with section 500.11 before the deadline:

1. Identify and tier your third parties based on criticality and business function.

First and foremost, you need to determine every vendor, contractor, third party, business unit, and partner that works with you. But simply having this list is not sufficient; you then need to tier those vendors based on their criticality to the business and potential risk they pose.

2. Use continuous monitoring solutions.

Relying solely on a vendor risk assessment template to evaluate the security posture of a third party poses a challenge for many organizations. Why? Because templates like questionnaires and assessments aren’t scalable. Beyond that, they can’t be easily verified. Instead of relying on traditional security assessments, which only show an organization’s security posture at a point-in-time, continuous monitoring allows you to instantly assess your third parties’ security posture. As the threat landscape evolves, so should your security assessments.

For example, with BitSight Security Ratings you’ll immediately know if a third- or fourth-party experiences a cybersecurity issue, allowing you to address the issue rapidly.

3. Emphasize the importance of third- and fourth-party cybersecurity to the Board of Directors.

CISOs (or designated officers) need to be able to report to the Board a summary of their security program and policies, AND a report of their effectiveness in this area. It’s important to have a way to aggregate data on the security posture of your third and fourth parties to report to the Board or to external stakeholders like regulators.

Using security ratings to monitor and pull together a comprehensive report on all your third parties is the best way to do this. You can walk through which vendors have improved their security, which has not, and how you plan to address any current vendor-related cybersecurity concerns. The cybersecurity program must include monitoring and testing designed to assess the effectiveness of the program.

nydfs cybersecurity regulations

Suggested Posts

NERC CIP-013-1: Effective Date, Preparation Strategies, & Impact

The North American Electric Reliability Corporation (NERC) has developed a new set of cybersecurity standards designed to help power and utility (P&U) companies limit their exposure to third-party cyber risks and preserve the reliability...

READ MORE »

Is Your Risk Management Program Ready for the New European Banking Authority’s Guidelines?

In June 2018, the European Banking Authority (EBA) put forth guidelines on outsourcing arrangements that highlighted the importance of risk management within financial organizations. The notice of these guidelines was announced in June...

READ MORE »

Top 5 Trends in Telecom Risk Management

As regulations shift and providers enter new markets, the telecom industry is changing rapidly. In preparation for these changes, telecom risk management professionals must become aware of new risks on the horizon. Privacy and net...

READ MORE »

Subscribe to get security news and updates in your inbox.