Third Party Risk Management - Consultancy, Assessment & Advisory

How To Meet 23 NY CRR 500 Third-Party Risk Management Compliance

The New York State Department of Financial Services (DFS) regulation 23 NY CRR 500 is designed to protect the confidentiality, integrity and availability of financial services customer information. Here’s what you can do to comply.

In early 2017, the New York State Department of Financial Services (DFS) instituted a regulation to establish cybersecurity requirements for financial services companies. This legislation, known as 23 NY CRR 500, was enacted after the realisation that data breaches and cyber threats were rising at an alarming rate, exposing sensitive data and costing organisations millions of dollars.

According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorisation under the Banking Law, the Insurance Law or the Financial Services Law” is considered a “covered entity” and must comply.

Designed to protect the confidentiality, integrity, and availability of customer information as well as information technology systems, this regulation requires that covered entities:

As it relates to third-party risk management, a key component of complying with 23 NY CRR 500 is managing your vendors’ IT security controls and data privacy policies.


Where Third-Party Providers Come Into Play

Two sections of the regulation specifically address third-party providers. Section 500.04 relates to the appointment of a CISO, who can be employed by an affiliate or a third party. If the CISO is not a direct employee, the covered entity must still retain responsibility for compliance, designate a senior person responsible for direction and oversight of the third-party service provider, and require the third party to maintain a cybersecurity program that is compliant with the regulation. The CISO must provide a report annually regardless of whether they are a direct employee or a third party.

Section 500.11 directly addresses third-party service provider security policy. It requires covered entities to have a written policy that addresses third-party information systems security based on a risk assessment, and it requires the policy to cover:


How DVV Solutions & Prevalent Address Third-Party Compliance Requirements In 23 NY CRR 500

23 NYCRR 500 specifically requires that covered entities develop written policies and procedures to ensure the security of information systems and the integrity of data accessed or held by third parties. Implementing a third-party service provider security policy should include the following elements:

Prevalent’s Third-Party Risk Management Platform enables financial institutions to fulfill these requirements across their entire vendor ecosystem. It provides a complete solution for performing assessments, including questionnaires; an environment to collect and manage documented evidence submitted in response; workflows for managing the review and addressing findings; and robust reporting to give each level of management the information it needs to properly review the third party’s performance and risk. It also includes cyber and business intelligence monitoring to capture ongoing potential threats to a covered entity.

The responsibility for properly overseeing the IT security of outsourced relationships lies with the covered entity’s CISO, who must present an annual report. With advanced reporting capabilities by compliance requirement and industry framework, the Prevalent TPRM platform can simplify compliance reporting and clarify risks.

Author: Sara Muckstadt, Product Marketing Manager, Prevalent Inc.


Trust DVV Solutions To Help You Manage Regulatory Compliance

DVV Solutions has developed a range of services and solutions to deliver more effective and efficient third-party risk management. Our suite of consultative and managed services delivers significant improvements in

developing and maturing current risk methodologies and compliance programs,

scaling resources to supplement and enhance existing risk assessment programs, and

delivering time and cost efficiencies through established best practice and workflow automation,

to enable risk assurance teams to spend more time on what’s important: eliminating control gaps, raising security standards and reducing enterprise risk.

Call us on +44 (0) 161 476 8700, or

Complete our Contact Form



This blog was originally published by Prevalent Inc. and is shared with the kind permission of Prevalent Inc.