The NY CRR 500 regulation was issued by the New York State Department of Financial Services (NYDFS) and took effect on March 1, 2017, in response to the rising number of cyberattacks on the finance industry.
Sometimes regarded as the GDPR for financial services, NY CRR 500 sets a high bar for sensitive data protection: it requires covered entities to maintain a cybersecurity program that protects the confidentiality, integrity, and availability of their information systems and of the nonpublic information (including customer data) those systems hold.
The regulation's expectations include a risk-based cybersecurity program, and because third-party service providers make up a large share of most institutions' attack surface, satisfying the third-party requirements of the regulation removes one of the largest obstacles to overall compliance.
To learn how to comply with the critical third-party risk requirements of NY CRR 500, read on.
Before diving into the substance of this article, a quick refresher of some prerequisite knowledge is helpful. If you already know the regulation, skip ahead to the third-party risk compliance section below.
A Brief Summary of the NY CRR 500 Legislation
23 NY CRR 500 is Part 500 of Title 23 of the New York Codes, Rules and Regulations: the cybersecurity regulation issued by the New York State Department of Financial Services (NYDFS). It requires covered financial institutions to implement a cybersecurity program that identifies and mitigates security risks, protects nonpublic information, and detects and responds to cybersecurity events.
As originally adopted, Part 500 comprises 24 sections, numbered 500.00 to 500.23. The regulation has since been amended, so always check the current text on the NYDFS website.
Some of the cybersecurity requirements of NY CRR 500 are listed below. The entire 23 NY CRR 500 legislation can be accessed here.
- Section 500.02 - A cybersecurity program, based on the covered entity's risk assessment, for identifying cybersecurity risks, protecting information systems, and detecting, responding to, and recovering from cybersecurity events.
- Section 500.04 - The designation of a Chief Information Security Officer (CISO). The CISO may be employed by an affiliate or a third-party service provider, in which case the covered entity must retain responsibility for compliance and designate a senior member of its own staff to direct and oversee the third party. The CISO must report in writing to the board at least annually.
- Section 500.05 - Penetration testing and vulnerability assessments on a regular schedule (in the original regulation, annual penetration testing and bi-annual vulnerability assessments).
- Section 500.06 - An audit trail sufficient to reconstruct material financial transactions and to detect and respond to cybersecurity events.
- Section 500.09 - A periodic risk assessment of the covered entity's information systems. This assessment drives the cybersecurity program and, under section 500.11, the third-party service provider policy.
- Section 500.11 - A written Third Party Service Provider Security Policy covering the identification, risk assessment, minimum security requirements, due diligence, and periodic reassessment of third-party service providers.
- Section 500.12 - Multi-factor authentication, at minimum for access to internal networks from an external network (or reasonably equivalent controls approved in writing by the CISO).
- Section 500.15 - Encryption of nonpublic information in transit over external networks and at rest, or compensating controls approved by the CISO where encryption is infeasible.
- Section 500.16 - A written Incident Response Plan for responding to and recovering from cybersecurity events.
- Section 500.17 - Notices to the Superintendent: notice within 72 hours of determining that a reportable cybersecurity event has occurred (including events at a third-party service provider that affect the covered entity's systems or data), and an annual certification of compliance submitted by a senior officer or the board.
Learn more about the requirements of the NYDFS cybersecurity regulation.
Who Needs to Comply with NY CRR 500?
The cybersecurity requirements for financial service companies outlined in NY CRR 500 apply to covered entities. A covered entity is any person (individual or organization) operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law. Merely doing business in New York is not enough; the DFS authorization is what triggers coverage. Examples include:
- State-chartered banks, trust companies, and licensed lenders.
- Foreign banks licensed to operate in the State of New York.
- Insurance companies and licensed insurance producers.
- Health Maintenance Organizations (HMOs) and Continuing Care Retirement Communities (CCRCs).
- Mortgage bankers, brokers, and servicers.
For a more comprehensive definition of a covered entity, see the Cybersecurity FAQ section of the New York State Cybersecurity Resource Center.
Limited Exemptions to the NYDFS Cybersecurity Regulation
Section 500.19 grants a limited exemption, not a full one, to covered entities that (as originally adopted) have:
- Fewer than 10 employees, including independent contractors, or
- Less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or
- Less than $10 million in year-end total assets.
An entity claiming this exemption must file a Notice of Exemption with NYDFS and still has to comply with several sections, including the cybersecurity program (500.02), policy (500.03), access privileges (500.07), risk assessment (500.09), the third-party service provider policy (500.11), and notices to the Superintendent (500.17). The thresholds have been revised by later amendments, so check the current text of 500.19 before relying on them.
Complying with the Third-Party Risk Component of 23 NY CRR 500
The components of NY CRR 500 that explicitly address third-party risk are found in section 500.11 - Third Party Service Provider Security Policy.
The regulatory items within section 500.11 are outlined below alongside suggested actions for attaining compliance.
Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:
The Identification and Risk Assessment of Third Party Service Providers
How to comply with this requirement:
- Maintain an inventory of all third-party service providers that hold or can access nonpublic information, and tier each one by the sensitivity of the data and the level of access it has.
- Establish a regular third-party vulnerability assessment and questionnaire schedule, weighted by tier, and maintain an audit trail of all submissions and review decisions.
- Track changes in each vendor's cybersecurity practices by monitoring security rating deviations and changes between successive risk assessment submissions.
Minimum Cybersecurity Practices Required to be Met by Such Third Party Service Providers in Order for Them to do Business With The Covered Entity
How to comply with this requirement:
- Create a risk appetite statement that defines the minimum cybersecurity baseline every third-party vendor must meet.
- State those minimum security standards in the cybersecurity clauses of vendor onboarding contracts.
- Require data retention and secure deletion controls for nonpublic information held by the vendor.
- Track vendors whose security posture falls below the minimum standard with a security rating solution, and define what happens when one does.
- Specify application security requirements (for example secure development practices and vulnerability remediation timelines) in onboarding contracts and risk assessments.
Due Diligence Processes Used to Evaluate The Adequacy of Cybersecurity Practices of Such Third Party Service Providers
How to comply with this requirement:
- Verify vendor claims with evidence (independent audit reports, penetration test summaries, remediation tickets) rather than questionnaire answers alone; security ratings can corroborate remediation but do not replace it.
- Implement a vendor risk management process for tracking and managing third-party cybersecurity events.
- The CISO's annual written report to the board (section 500.04) should cover the adequacy of cybersecurity practices across the third-party network. This is separate from the annual certification of compliance, which is submitted to NYDFS under section 500.17.
Periodic Assessment of Such Third Party Service Providers Based on the Risk they Present and the Continued Adequacy of Their Cybersecurity Practices
How to comply with this requirement:
- Implement an attack surface monitoring solution to streamline periodic third-party risk assessments and to track vendor controls against multiple cybersecurity frameworks.
- Tailor each reassessment to the risk the vendor presents, using custom questionnaires and a reassessment frequency that matches its tier.
- Track compliance for regulated entities in your third-party network against the standards and regulations that apply to them.
Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers, including to the extent applicable guidelines addressing:
The Third-Party Service Provider’s Policies and Procedures For Access Controls, Including Its use of Multi-Factor Authentication as Required by Section 500.12 of this part, to Limit Access to Relevant Information Systems And Nonpublic Information
How to comply with this requirement:
- Require third-party service providers to use Multi-Factor Authentication (MFA) for any access to your internal networks from external networks, which is the minimum section 500.12 demands, and in practice for all logins to systems holding your nonpublic information.
- Enforce the use of MFA for all staff, including privileged accounts across cybersecurity personnel and even the board of directors.
- Limit what an authenticated vendor account can reach with least-privilege access controls and a Zero-Trust Architecture; MFA proves identity, it does not constrain what that identity can do.
The Third-Party Service Provider’s Policies and Procedures for use of Encryption as Required by Section 500.15 of this part to Protect Nonpublic Information in Transit And at Rest
How to comply with this requirement:
- Require a current encryption standard in data governance policies: for data at rest, AES with a 256-bit key in an authenticated mode such as GCM; for data in transit, TLS 1.2 or later.
- Require encryption of nonpublic information both at rest and in transit over external networks in application security policies, and, where a vendor says encryption is infeasible, require documented compensating controls reviewed and approved by your CISO as section 500.15 allows.
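The bullet above recommends AES for data at rest, but AES alone does not stop an attacker who can modify the stored blob; it is the authenticated mode that detects tampering. The following Go program is an added example written for this article, not code from the regulation or from UpGuard; it shows what "encrypt nonpublic information at rest" should look like in practice: AES-256-GCM, a fresh random nonce per record, the record identifier bound as additional authenticated data so ciphertexts cannot be swapped between customers, and decryption that refuses tampered or truncated input. The sample record and key are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts one record of nonpublic information with AES-256-GCM and
// returns nonce || ciphertext || tag. GCM is an authenticated mode, so any
// change to the stored blob is detected by Open; AES in an unauthenticated
// mode such as CBC would decrypt a tampered blob into silently corrupt data.
// aad is authenticated but not encrypted: binding the record identifier here
// prevents an attacker from swapping one customer's ciphertext into another's row.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record. Reusing a nonce under the same key
	// destroys GCM's confidentiality and authenticity, so never hard-code one.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It returns an error and no plaintext if the blob was
// truncated, modified, or bound to a different record identifier.
func Open(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// NewKey generates a random 32-byte data-encryption key. In production the key
// lives in a KMS or HSM; section 500.15 encryption is only as strong as key custody.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the SSN is a placeholder, not a real value.
	record := []byte(`{"customer_id":"C-1001","ssn":"000-00-0000"}`)
	recordID := []byte("C-1001")

	sealed, err := Seal(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(sealed))

	plain, err := Open(key, sealed, recordID)
	fmt.Printf("round trip ok: %v\n", err == nil && string(plain) == string(record))

	// Flip one bit of the tag: Open must reject the blob rather than return garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, recordID)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)

	// Same blob presented under another customer's identifier: rejected too.
	_, err = Open(key, sealed, []byte("C-1002"))
	fmt.Printf("swapped record rejected: %v\n", err != nil)
}
```

When reviewing a vendor's claim of "AES encryption at rest", ask which mode is used, how nonces are generated, and where the key is stored; a vendor that cannot answer those three questions has not met the standard this section describes.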
Notice to be Provided to the Covered Entity in the Event of a Cybersecurity Event Directly Impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information Being Held by the Third Party Service Provider
How to comply with this requirement:
- Put a contractual obligation on each vendor to notify you promptly of any cybersecurity event affecting your information systems or your nonpublic information in its custody, with a deadline short enough (for example 24 to 48 hours) that you can still meet your own 72-hour notice obligation to NYDFS under section 500.17.
- Define the intake channel for vendor notifications (a monitored mailbox or hotline, not an account manager's inbox) in your Incident Response Plan, and align your business continuity plan with the same notification standards.
Checklist for Complying with 23 NY CRR 500
The following checklist can help you track your compliance efforts with the NY CRR 500 financial services law.
🔲 Implement a cybersecurity program that includes a Third-Party Risk Management (TPRM) component.
🔲 Designate a Chief Information Security Officer (CISO) and have the CISO report in writing to the board at least annually.
🔲 Submit the annual certification of compliance to NYDFS (section 500.17).
🔲 Monitor the effectiveness of third-party security risk remediation efforts.
🔲 Enforce data retention and deletion policies across all departments and in vendor contracts.
🔲 Define your third-party risk appetite to establish a cybersecurity baseline for all vendors.
🔲 Maintain an audit trail for all access to systems holding nonpublic information (including access by authorized users).
🔲 Implement Multi-Factor Authentication for remote access and for all logins to sensitive systems.
🔲 Write and test an Incident Response Plan, including vendor notification intake.
🔲 Log and review unauthorized access attempts.
🔲 Implement least-privilege access controls and a Zero-Trust Architecture.
🔲 Monitor for increases in third-party security risk with security ratings and periodic reassessments.
How UpGuard Supports Compliance with 23 NY CRR 500
UpGuard helps the financial services industry comply with NY CRR 500 with a platform dedicated to streamlining Third-Party Risk Management. With UpGuard, financial services organizations can monitor and address security risks that fall below the minimum cybersecurity standards stipulated in NY CRR 500. UpGuard also maps third-party security controls against popular cybersecurity frameworks and regulations to help security teams identify and address compliance gaps that could affect their compliance with NY CRR 500.