The NY CRR 500 legislation was instituted by the New York Department of Financial Services (NYDFS) in 2017 in response to the rising trend of cyberattacks in the finance industry.
Sometimes regarded as the GDPR for financial services, the NY CRR 500 has a very high standard for sensitive data protection, requiring protection strategies for ensuring the confidentiality, integrity, and security of information systems and nonpublic information (including customer data).
Included in the set of cybersecurity expectations of the law is the implementation of a risk management program, and since the third-party attack surface is a major component in such a program, compliance with the New York cybersecurity law is much simpler when its third-party risk management requirements are satisfied.
To learn how to comply with the critical third-party risk requirements of NY CRR 500, read on.
Before diving into the substance of this article, a quick refresher of some prerequisite knowledge is helpful. If you prefer to skip ahead to the third-party risk compliance section, click here. —> insert hyperlink
A Brief Summary of the NY CRR 500 Legislation
23 NY CRR 500 is section 500 of the overarching cybersecurity regulation outlined by the New York State Department of Financial Services (NYDFS). The law requires financial institutions to implement a cybersecurity program to discover and mitigate security risks, data privacy threats, and data breach events.
Section 500 of the NYDFS cybersecurity regulation comprises 24 subsections, ranging from 500.0 to 500.23.
Some of the cybersecurity requirements of NY CRR 500 are listed below. The entire 23 NY CRR 500 legislation can be accessed here.
- Section 500.02 - The implementation of a cybersecurity program for discovering cybersecurity threats and remediation management - Section 500.02
- Section 500.04 - The appointment of a (Chief Information Security Officer) CISO (which could be a third-party service provider) and a senior officer for overseeing the cybersecurity program.
- Section 500.05 - Regular penetration testing.
- Section 500.05 and Section 500.09 - A regular third-party risk assessment schedule.
- Section 500.06 - The establishment of an audit trail for tracking asset access and use.
- Section 500.09 - Annual certification of compliance submissions for confirming compliance with NY CRR 500.
- Section 500.11 - The implementation of a Third-Party Risk Management Program (TPRM) with the ability to map risk controls, cybersecurity risks, and questionnaire submissions against a number of cybersecurity frameworks, including NIST.
- Section 500.15 - A minimum due diligence standard of information security best practices, such as data encryption and access controls.
- Section 500.17 - The establishment of a communication stream for rapidly notifying the Department of Financial Services of data breaches involving third-party vendors (even if a third-party vendor has already notified the DFS) within 72 hours of an event.
- Section 500.16 - The creation of Cybersecurity Incident Response Plans to ensure the timely notification of cyber incidents to the DFS.
Learn more about the requirements of the NYDFS cybersecurity regulation >
Who Needs to Comply with NY CRR 500?
The cybersecurity requirements for financial service companies outlined in the NY CRR 500 apply to covered entities. A covered entity is defined as:
- An individual or organization operating in the State of New York.
- Any individual or organization required to operate under a license, registration, charter, certificate permit, or accreditation under the laws of the State of New York related to banking law, insurance law, or financial services law.
- Insurance companies.
- Health Maintenance Organizations (HMOs) and Continuing Care Retirement Communities (CCRCs).
- Foreign banks and State Chartered Banks operating in the State of New York.
- Mortgage entities.
For a more comprehensive definition of a covered entity, see the Cybersecurity FAQ section of the New York State Cybersecurity Resource Center.
Limited Exemptions to the NYDFS Cybersecurity Regulation
The NYDFS compliance requirements do not apply to entities with:
- Less than 10 employees
- Less than $5 million in gross annual revenue for three years, or
- Less than $10 million in total year-end assets
Learn about the top Third-Party Risk Management solutions on the market >
Complying with the Third-Party Risk Component of 23 NY CRR 500
All of the components of the NY CRR 500 explicitly relating to third-party risk management are primarily found in section 500.11 of the legislation - Third-Party Service Provider Security Policy.
The regulatory items within section 500.11 are outlined below alongside suggested actions for attaining compliance.
Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:
The Identification and Risk Assessment of Third Party Service Providers
How to comply with this requirement:
- Monitor security postures of all third-party vendors to identify potential risk assessment requirements.
- Establish a regular third-party vulnerability assessment and questionnaire schedule and maintain an audit trail of all submissions.
- Track changes in cybersecurity practices for all third-party vendors by monitoring security rating deviations and risk assessment submissions.
Minimum Cybersecurity Practices Required to be Met by Such Third Party Service Providers in Order for Them to do Business With The Covered Entity
How to comply with this requirement:
- Create a risk appetite statement to define a minimal cybersecurity baseline for all third-party vendors
- Clearly outline minimal security standards in cybersecurity policies within vendor onboarding contracts.
- Establish data retention security controls.
- Track failing security posture performance below minimal standards with a security rating solution.
- Specific third-party application security protocols in onboarding contracts and risk assessments.
Due Diligence Processes Used to Evaluate The Adequacy of Cybersecurity Practices of Such Third Party Service Providers
How to comply with this requirement:
- Confirm the legitimacy and efficacy of third-party risk remediation processes with security ratings.
- Implement a vendor risk management solution for managing third-party cybersecurity events.
- The CISO should prepare an annual cybersecurity report verifying the adequacy of cybersecurity best practices across the third-party network. This report should be via the NYDFS website.
Periodic Assessment of Such Third Party Service Providers Based on the Risk they Present and the Continued Adequacy of Their Cybersecurity Practices
How to comply with this requirement:
- Implement an attack surface monitoring solution to streamline the management of periodic third-party risk assessments and track compliance against multiple cybersecurity frameworks.
- Personalize cybersecurity risk assessment based on the unique risks each vendor presents with custom questionnaires.
- Track compliance for regulated entities in your third-party network against popular cybersecurity standards and regulations.
Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers, including to the extent applicable guidelines addressing:
The Third-Party Service Provider’s Policies and Procedures For Access Controls, Including Its use of Multi-Factor Authentication as Required by Section 500.12 of this part, to Limit Access to Relevant Information Systems And Nonpublic Information
How to comply with this requirement:
- Implement Multi-Factor Authentication (MFA) for all login events.
- Enforce the use of MFA for all staff, including privileges accounts across cybersecurity personnel and even the board of directors.
- Block unauthorized access attempts with a Zero-Trust Architecture (access privileges and MFA are addressed in this framework).
The Third-Party Service Provider’s Policies and Procedures for use of Encryption as Required by Section 500.15 of this part to Protect Nonpublic Information in Transit And at Rest
How to comply with this requirement:
- Enforce a secure standard of data encryption in data governance policies, ideally the Advanced Encryption Standard (AES).
- Enforce data encryption both at rest and in motion in application security policies
Notice to be Provided to the Covered Entity in the Event of a Cybersecurity Event Directly Impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information Being Held by the Third Party Service Provider
How to comply with this requirement
- Outline a cyber event communication channel to DFS in a Cybersecurity Incident Response Plan (no more than 72 hours following a cyber event)
- Modify your business continuity plan to align with the cyber event notification standards outlined in your Incident Response Plan.
Checklist for Complying with 23 NY CRR 500
The following checklist can help you track your compliance efforts with the NY CRR 500 financial services law. For a more comprehensive list of tasks, download this free editable checklist.
Cybersecurity Program
- Develop and implement policies and procedures for monitoring and assessing cybersecurity risks.
- Regularly test and update the effectiveness of your cybersecurity program.
- Maintain an inventory of information systems and data, and classify the data according to its sensitivity.
- Develop and implement policies and procedures for incident response, including notification procedures and contingency plans.
- Conduct regular cybersecurity training for all employees and third-party service providers.
CISO and Senior Officer
- Establish roles and responsibilities for the CISO and senior officer.
- Ensure that the CISO and senior officer have sufficient authority and resources to carry out their responsibilities.
- Provide regular updates to the board of directors on cybersecurity matters.
- Establish policies and procedures for reporting cybersecurity incidents to senior management and the board of directors.
- Establish policies and procedures for the termination of employees and third-party service providers.
Penetration Testing
- Conduct regular vulnerability assessments and penetration testing.
- Test all external-facing applications and systems for vulnerabilities.
- Develop and implement policies and procedures for remediating identified vulnerabilities.
- Document all testing activities, including the results of tests and any remediation efforts.
Third-Party Risk Assessment
- Develop and implement policies and procedures for assessing third-party risks.
- Maintain a register of all third-party service providers, including their access to nonpublic information.
- Develop and implement policies and procedures for due diligence when selecting third-party service providers.
- Monitor third-party service providers for compliance with cybersecurity requirements.
Audit Trail
- Establish and maintain an audit trail for tracking asset access and use.
- Monitor the audit trail for unauthorized access attempts or other suspicious activity.
- Conduct regular reviews of the audit trail to identify potential vulnerabilities.
Annual Certification
- Develop and implement policies and procedures for certifying compliance with NY CRR 500.
- Document the certification process and all related activities.
Third-Party Risk Management Program
- Develop and implement a Third-Party Risk Management Program (TPRM) based on the risk assessment of the covered entity.
- Establish policies and procedures for evaluating the adequacy of cybersecurity practices of third-party service providers.
- Monitor third-party service providers for compliance with minimum cybersecurity practices.
- Establish guidelines for due diligence and contractual protections relating to third-party service providers.
- Conduct regular assessments of third-party service providers based on the risk they present.
Encryption
- Implement data encryption for data in transit and at rest.
- Establish policies and procedures for managing encryption keys.
- Test the effectiveness of encryption controls regularly.
Incident Response Plans
- Develop and implement Cybersecurity Incident Response Plans.
- Test the effectiveness of the Cybersecurity Incident Response Plans regularly.
- Establish procedures for communicating with the DFS in the event of a cybersecurity event.
Notification of Data Breaches
- Establish policies and procedures for notifying the DFS of data breaches involving third-party service providers.
- Test the effectiveness of the notification procedures regularly.
- Document all data breaches and notification procedures.
Get your free editable 23 NY CRR checklist >
How UpGuard Supports Compliance with 23 NY CRR 500
UpGuard helps the financial services industry comply with NY CRR 500 with a platform that streamlines Third-Party Risk Management - a vtal component of legislation. With UpGuard, financial services can monitor and address all security risks breaching the minimal cybersecurity standards stipulated in the NY CRR 500. UpGuard also maps third-party security controls against popular cybersecurity frameworks and regulations to help security teams identify and address critical compliance gaps that could impact the NY CRR 500 legislation.
