New York: What 23 NYCRR Part 500 Means for Third Party Cyber Risk Assessments — and How to Prepare For the March 2019 Update

September 25, 2018

In an article we published in April of 2017, we explored the 23 NYCRR Part 500 and gave an overview of what the law means for financial services companies operating in the state of New York. Now that the law is just a few months away from an update going into effect (March 2019), we’re revisiting this critical topic to provide insight into the regulation’s new requirements for third party due diligence, and give your financial institution guidance on how Whistic can help you meet these new requirements.

Before we jump in, here’s a quick refresher from our previous article:

What is 23 NYCRR Part 500?

The NYCRR 500 is a law establishing cybersecurity requirements for financial services companies operating in the State of New York. The law was promulgated by the Superintendent of Financial Services for the State of New York and became effective March 1, 2017 (there is a grace period of 180 days for entities to become compliant, which ends on September 30, 2017).

The law is focused on financial institutions and requires them to create and implement a risk-based cybersecurity program, document cybersecurity-related policies and procedures, and protect the confidentiality, integrity, and availability (CIA) of non-public data.

What Types of Businesses Does NYCRR Part 500 Affect?

According to Part 500, financial institutions or “covered entities” operating in the State of New York must comply with the new requirements. A covered entity is defined as an individual or organization that operates under (or is required to operate under) a license, registration, charter, certificate, permit, or accreditation under the laws of the State of New York related to banking, insurance, or financial services. Foreign banks operating in the State of New York are also included, as are state-chartered banks.

There are some exceptions for smaller entities that may not have the resources to comply with all of the regulations — note that the exception does not allow an entity to avoid Part 500 entirely, only portions of it. An entity is considered exempt from those portions if it has fewer than 10 employees (including contractors), or it has earned less than $5 million in revenue in the last three years, or it has less than $10 million in year-end assets.

Regulation Requirements for Third Party Due Diligence

Now that we’ve established a baseline, let’s review the update’s new regulation requirements for third party due diligence. The new DFS rules apply to all entities under its jurisdiction, including insurance companies, insurance agents, banks, charitable foundations, consumer lenders, mortgage brokers, holding companies and premium finance agencies.

What’s the reason for the 23 NYCRR Part 500 update? “The New York State Department of Financial Services (DFS) wants banks and related institutions to do their utmost to ensure that any third party technology firms or other service providers don’t have a cybersecurity breach that affects critical non-public customer data.” FinOps states that these new rules, which go into effect on March 1st of 2019, “are a bit easier to follow than originally drafted ones. However, similar to the first draft, the regulations call for banks and similar entities to establish a cybersecurity risk management program under the jurisdiction of the chief information security officer (CISO). Monitoring third party vendors must be included in that program.”

What does this monitoring entail, and what do CISOs need to do to prepare? For starters, financial institutions need to:

  • Review contracts with third party relationships and, if necessary, amend them to incorporate the DFS’ new requirements.
  • Consider limiting the customer data or non-public data to as few third parties as possible.
  • Request third party certifications and audits.
  • Ask tough questions about the vendor’s cybersecurity risk management program.
  • Understand where the data is stored, because many vendors have multiple data centers.
  • Have documented plans for dealing with data breaches if and when they occur.

How Whistic Can Help Your Financial Institution

A recent article asks the question, “So what should a bank’s CISO or board be doing to protect themselves and the bank from regulatory action?” Of course, reviewing every third party relationship seems like a monumental task given that a bank could have dozens if not hundreds of relationships with counterparties, technology providers, consultants, accountants and even public relations agencies that could fall under the broad category of third-party vendors.

This is where Whistic’s vendor assessment platform plays a critical role. When it comes to managing finances — whether your firm is a bank, credit union, broker-dealer, investment adviser, investment company, asset management firm, or any other type of B2C or B2B business — managing risk and being proactive with security safeguards is a requirement, thanks to the 23 NYCRR Part 500 requirements.

Whistic assists any bank, credit union, broker-dealer, investment adviser, investment company, or asset management firm in protecting against vendor risk by identifying, assessing, and tracking vendors through their lifecycle. Here’s a glimpse into how it works:

  • Identify: Your InfoSec and Compliance team can make more informed risk decisions by using a custom Whistic intake form or API integration to gather vendor information from internal stakeholders before a purchase is made. Use the platform on an ongoing basis to identify risks that arise at contract renewal or throughout the lifecycle of your vendor relationship — or turn on an integration via Whistic to continuously monitor your third party vendor relationships.
  • Assess: Your financial services organization can discover potential cybersecurity threats before they have the chance to compromise your data and employees, and you can compare third parties against a set of predefined criteria by reviewing industry-standard or custom vendor questionnaires, documentation and metadata on an ongoing basis. Leverage a robust review workflow or opt for a more streamlined approach. With either choice, you can be up and running with Whistic in weeks, not months.
  • Track: Whistic allows you to centralize your vendor security information into a single source of truth so your InfoSec team can say goodbye to the painstaking manual, back-and-forth vendor assessment routine and adopt a dynamic, automated process. Store third-party vendor documentation, assessment details, past issues, contract information, contacts and any other custom data you’d like to track in an intuitive and easy to use interface. Report on all of this information through a robust custom reporting suite designed to help you unlock insights previously trapped in spreadsheets.

How Financial Services Can Benefit From a Whistic Security Profile

One unique cornerstone feature of the Whistic platform is the Security Profile, which is especially helpful for financial services organizations that are highly regulated and compliance-driven. The Security Profile is not just a storage unit for security and compliance documentation, but a living, breathing record of your company’s security and compliance posture that you can use to respond to inbound security reviews from your customers, prospects, regulators or partners. With Whistic’s vendor assessment platform, you can now conduct security reviews (traditional vendor risk management) and respond to security reviews in the same platform. This holistic approach to both sides of the vendor risk assessment is setting a new standard for how third party vendor assessments will be completed in the future.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.

  • Why Third Party Security is Critically Important
  • Request a Live Demo with a Whistic Product Specialist