The Time is Now: NYDFS Deadline Means Risk Managers Need to Focus on Third-Party Risk

The Time is Now: NYDFS Deadline Means Risk Managers Need to Focus on Third-Party Risk

In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations — known as 23 NYCRR Part 500 — went into effect. According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a covered entity and must comply.

With the NYDFS transition period ending soon, businesses need to keep their third-party risk management (TPRM) programs top of mind. By March 1, 2019, organizations need to have an established third-party provider policy that complies with the NYDFS regulation section 500.11. Additionally, by February 15, 2020, the Board of Directors (or a senior officer) of each organization must certify that their company’s TPRM program is in compliance. Without a program that can be certified as being “in place” as of March 1st, 2019, companies will incur financial penalties and potential business interruption.

When establishing steps to meet NYDFS compliance, meeting the “compliance checkbox” is not enough; ultimately, this will make it more difficult to report to senior leadership on your cybersecurity program. Due diligence is required to “ensure the security of information systems and nonpublic information” — however, a point-in-time cyber security assessment does not achieve this. It simply reflects that moment in time; as we know, cyber risk is dynamic and can change or evolve at any moment. These days, having a solid third-party risk management program isn’t just necessary for compliance, however — it’s a best practice. While it can be overwhelming to start a third-party risk program — as well as resource-intensive — there are solutions, like security ratings, that can make the process much easier.

Bitsight can help get businesses’ TPRM programs up and running quickly and efficiently, providing a continuous view into your third-party risk and an easy way to quantify and report cyber risk to internal stakeholders while demonstrating compliance.

Bitsight Executive Report Example

New! The Security Ratings report is now the Executive Report. Request your report to see enhanced analysis such as your rating, likelihood of ransomware incidents, and likelihood of data breach incidents.

Here are three steps to launch your TPRM program and comply with section 500.11 before the deadline:

1. Identify and tier your third parties based on criticality and business function.

First and foremost, you need to determine every vendor, contractor, third party, business unit, and partner that works with you. But simply having this list is not sufficient; you then need to tier those vendors based on their criticality to the business and potential risk they pose.

2. Use continuous monitoring solutions.

Relying solely on a vendor risk assessment template to evaluate the security posture of a third party poses a challenge for many organizations. Why? Because templates like questionnaires and assessments aren’t scalable. Beyond that, they can’t be easily verified. Instead of relying on traditional security assessments, which only show an organization’s security posture at a point-in-time, continuous monitoring allows you to instantly assess your third parties’ security posture. As the threat landscape evolves, so should your security assessments.

For example, with Bitsight Security Ratings you’ll immediately know if a third- or fourth-party experiences a cybersecurity issue, allowing you to address the issue rapidly.

3. Emphasize the importance of third- and fourth-party cybersecurity to the Board of Directors.

CISOs (or designated officers) need to be able to report to the Board a summary of their security program and policies, AND a report of their effectiveness in this area. It’s important to have a way to aggregate data on the security posture of your third and fourth parties to report to the Board or to external stakeholders like regulators.

Using security ratings to monitor and pull together a comprehensive report on all your third parties is the best way to do this. You can walk through which vendors have improved their security, which has not, and how you plan to address any current vendor-related cybersecurity concerns. The cybersecurity program must include monitoring and testing designed to assess the effectiveness of the program.