The two-year implementation period for the New York Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR 500, ends on March 1. This means that the final requirement, which concerns entities that use third-party service providers, will soon take effect.
What do companies need to know about the NYDFS regulation and deadline? Read on for some key guidelines.
What is NYDFS?
The NYDFS regulation requires all DFS-regulated entities to adopt the core requirements of a cybersecurity program. These include:
- A cybersecurity policy
- Effective access privileges
- Cybersecurity risk assessment
- Training and monitoring for all authorized users
- The establishment of governance processes
The final phase of implementation requires regulated entities (including banks, insurers, mortgage companies and other financial services institutions) that use third-party service providers to implement third-party risk management programs. This is the last remaining requirement, and it becomes effective on March 1.
What does NYDFS require from companies working with third parties?
According to the regulation, each covered entity must implement written policies and procedures regarding data held by third-party service providers, including:
- The identification and risk assessment of third-party service providers
- A minimum standard to be met by third-party service providers in order to do business with the covered entity
- Due diligence processes used to evaluate the adequacy of third-party cybersecurity practices
- Periodic risk assessment of third parties
The policies and procedures must include guidelines relating to third parties, addressing:
- Use of multi-factor authentication (MFA)
- Use of encryption
- Notice provided to the covered entity in the event of a breach
- Representations and warranties about third-party procedures relating to the security of an entity’s data
How can companies comply with the NYDFS cybersecurity regulation?
Covered entities will need to work with a solution that can provide the following:
Scalability: Financial institutions will need to evaluate all of their third parties and hold each one to a minimum security standard. To comply by the deadline, they will need to ensure that their process can easily, quickly and accurately manage the evaluation of third parties, regardless of how many they have.
Visibility: To properly assess risk, financial institutions will not only need to have visibility into their third parties, but also have context around the business and technology relationship between themselves and their third parties.
Want to learn more about how Panorays can help you comply with NYDFS? Contact us today for more information.