Last updated

November 24, 2025

{x} minute read

Meeting the Third-Party Risk Requirements of 23 NY CRR

Get a demo

Free trial

Download the PDF guide

Free trial

Written by

Edward Kost

Senior Cybersecurity Writer

Edward is a cyber writer with a mechanical engineering background. His work has been referenced by academic institutions and government bodies.

Reviewed by

Kaushik Sen

Chief Marketing Officer

Kaushik has a background in software engineering, enterprise solution architecture, and data analytics. He brings a unique, data-driven perspective to cybersecurity education.

Table of contents

The NY CRR 500 legislation was instituted by the New York Department of Financial Services (NYDFS) in 2017 in response to the rising trend of cyberattacks in the finance industry.

Sometimes regarded as the GDPR for financial services, the NY CRR 500 has a very high standard for sensitive data protection, requiring protection strategies for ensuring the confidentiality, integrity, and security of information systems and nonpublic information (including customer data).

Included in the set of cybersecurity expectations of the law is the implementation of a risk management program, and since the third-party attack surface is a major component in such a program, compliance with the New York cybersecurity law is much simpler when its third-party risk management requirements are satisfied.

To learn how to comply with the critical third-party risk requirements of NY CRR 500, read on.

A brief summary of the NY CRR 500 legislation

23 NY CRR 500 is section 500 of the overarching cybersecurity regulation outlined by the New York State Department of Financial Services (NYDFS). The law requires financial institutions to implement a cybersecurity program to discover and mitigate security risks, data privacy threats, and data breach events.

Section 500 of the NYDFS cybersecurity regulation comprises 24 subsections, ranging from 500.0 to 500.23.

Some of the cybersecurity requirements of NY CRR 500 are listed below. The entire 23 NY CRR 500 legislation can be accessed here.

Section 500.02 - The implementation of a cybersecurity program for discovering cybersecurity threats and remediation management - Section 500.02
Section 500.04 - The appointment of a (Chief Information Security Officer) CISO (which could be a third-party service provider) and a senior officer for overseeing the cybersecurity program.
Section 500.05 - Regular penetration testing.
Section 500.05 and Section 500.09 - A regular third-party risk assessment schedule.
Section 500.06 - The establishment of an audit trail for tracking asset access and use.
Section 500.09 - Annual certification of compliance submissions for confirming compliance with NY CRR 500.
Section 500.11 - The implementation of a Third-Party Risk Management program with the ability to map risk controls, cybersecurity risks, and questionnaire submissions against a number of cybersecurity frameworks, including NIST.
Section 500.15 - A minimum due diligence standard of information security best practices, such as data encryption and access controls.
Section 500.17 - The establishment of a communication stream for rapidly notifying the Department of Financial Services of data breaches involving third-party vendors (even if a third-party vendor has already notified the DFS) within 72 hours of an event.
Section 500.16 - The creation of Cybersecurity Incident Response Plans to ensure the timely notification of cyber incidents to the DFS.

What are the key components of the NYDFS cybersecurity regulation?

The initial phase of the NYDFS Cybersecurity Regulation came into effect on February 18, 2018, and requires Covered Entities to develop a cybersecurity policy, including an incident response plan that includes data breach notifications within 72 hours. The policy must align with industry best practices and ISO 27001 standards by covering:

Information security
Access controls and identity management
Business continuity and disaster recovery planning
Capacity and performance planning
Security of information systems, operations, and availability
Systems and network security
Systems and application development and quality assurance
Periodic risk assessments

The second phase went into effect on March 1, 2018, and requires Chief Information Security Officers (CISOs) to prepare an annual report that includes:

The organization's cybersecurity policies and procedures
Cybersecurity risks
Effectiveness of current cybersecurity measures and remediation processes

Phase three went into effect on September 3, 2018, requiring Covered Entities to have a comprehensive cybersecurity program in place that aligns with the NIST Cybersecurity Framework by:

Continuously evaluating vulnerabilities and proactively responding to cyber threats

Maintaining an audit trail reflecting threat detection and risk-based response activities
Writing documentation, e.g. an information security policy, of procedures, standards, and guidelines for in-house applications and evaluating third-party applications
Detailing data retention policy documentation, including how non-public personally identifiable information (PII) is disposed of
Investing in data security controls like data encryption, data governance, and data protection, as well as other security controls
Creating the defensive infrastructure that safeguards covered information and asset inventory
Detecting cybersecurity events such as data breaches
Restoring normal operations and services after a cybersecurity event

The final phase went into effect on March 1, 2019, requiring Covered Entities to finalize their vendor management policies regarding third-party vendors who are given permissions to access systems and files covered by the new regulation. Covered Entities must develop a written policy for vendor risk management that details:

A third-party risk assessment framework
The Covered Entity's minimum security requirements for third-party vendors, e.g. every vendor must have SOC 2 assurance
A vendor risk assessment questionnaire template and due diligence process that details how to evaluate the effectiveness of a third party's security practices
Periodic assessment of third-party policies and controls

Learn how to comply with the Third-Party Risk Management requirements of NY CRR 500.

Additional requirements include:

Use of qualified, continuously trained cybersecurity personnel to manage evolving cyber threats and to provide mandatory, ongoing cybersecurity education and training
Notification of any cybersecurity events that carry a reasonable likelihood of causing material harm, e.g. data breaches and data leaks to external networks
Usage of the principle of least privilege to minimize this risk of certain types of privilege escalation attacks
Covered Entities must employ multi-factor authentication for all inbound connections to their network
Penetration testing

Covered Entities and regulated entities must complete an annual certification process that requires their board of directors to review the organization's cybersecurity program and provide a Certification of Compliance with the NYDFS Cybersecurity Regulation.

2025 updates to the NYDFS cybersecurity regulation

By November 1, 2025, organizations under the NYDFS jurisdiction, including banks, must meet updated cybersecurity requirements. These updates aim to enhance the cybersecurity framework for financial services companies, addressing increasing cyber threats and protecting sensitive information. Newly updated requirements include:

Enhanced Governance and Reporting: The Chief Information Security Officer (CISO) must report material cybersecurity issues, including significant cybersecurity incidents and changes in the cybersecurity program, to the senior governing body or officers.
Senior Officer Oversight: The senior governing body must actively oversee cybersecurity practices, stay informed about cybersecurity threats, and review regular management reports.
Data Encryption Standards: Organizations must implement a written policy mandating encryption that meets industry standards to protect nonpublic information and customer data. Alternatives for data at rest are allowed if the CISO approves them in writing.
Incident Response Plan Updates: The updated plan should include steps for responding to cybersecurity events, recovery from backups, and conducting a root cause analysis post-incident.
Business Continuity and Disaster Recovery: Organizations must maintain a disaster recovery plan with backups to ensure the restoration of critical operations and train employees on their roles in these plans. The incident response plan, disaster recovery plan, and backup systems must be tested at least annually.
Multi-Factor Authentication (MFA): Covered entiies must implement MFA to all individuals that can access the entity's information systems.

Who needs to comply with NY CRR 500?

The cybersecurity requirements for financial service companies outlined in the NY CRR 500 apply to covered entities. A covered entity is defined as:

An individual or organization operating in the State of New York.
Any individual or organization required to operate under a license, registration, charter, certificate permit, or accreditation under the laws of the State of New York related to banking law, insurance law, or financial services law.
Insurance companies.
Health Maintenance Organizations (HMOs) and Continuing Care Retirement Communities (CCRCs).
Foreign banks and State Chartered Banks operating in the State of New York.
Mortgage entities.

For a more comprehensive definition of a covered entity, see the Cybersecurity FAQ section of the New York State Cybersecurity Resource Center.

What are the penalties for not complying with the New York Cybersecurity Regulations?

One frustrating aspect for Covered Entities is that the New York Department of Financial Services has not clearly communicated what will result from noncompliance. It has simply stated that fines for noncompliance will be calculated and no fines have been imposed.

That said, the regulation is now in full force and violations will have fines imposed soon.

Limited exemptions to the NYDFS cybersecurity regulation

The NYDFS compliance requirements do not apply to entities with:

Less than 10 employees
Less than $5 million in gross annual revenue for three years, or
Less than $10 million in total year-end assets

Learn about the top Third-Party Risk Management solutions on the market >

Complying with the third-party risk component of 23 NY CRR 500

All of the components of the NY CRR 500 explicitly relating to third-party risk management are primarily found in section 500.11 of the legislation - Third-Party Service Provider Security Policy.

The regulatory items within section 500.11 are outlined below alongside suggested actions for attaining compliance.

Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:

(1) The identification and risk assessment of third-party service providers