What NY CRR 500 Means for Vendor Compliance Management

by Sarah Harvey / August 7th, 2018

NY CRR 500 and Vendor Compliance

In March 2017, the New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies Part 500 (NY CRR 500) of Title 23 went into effect, establishing new cybersecurity requirements for financial services companies. NY CRR 500 requires that financial services companies (covered entities) develop a cybersecurity program that protects the confidentiality, integrity, and availability of sensitive customer information and information technology systems.

Information technology systems today are extremely interconnected, but this comes with a price. Because most organizations conduct some portion of their business in cyberspace, they expose themselves to a new level of risk. This regulation was developed after monitoring cybersecurity threats to information and financial systems and recognizing that those threats are keeping pace with advances in technology. The threats are complex, mature, and widespread. If your organization is a financial services company in the state of New York, implementing NY CRR 500 is a must-do for your organization.

A key component of complying with NY CRR 500 is managing your vendors’ compliance and cybersecurity efforts. Vendors hold so much of your security in their hands; we’ve learned this time and time again in the headlines. The regulation defines a vendor or third-party service provider as a person or entity that is not an affiliate of the covered entity but provides services to them and maintains, processes, or has privileged access to nonpublic information. Vendors that have access to nonpublic information must be held accountable to the cybersecurity requirements that the covered entity decides upon. NY CRR 500 requires two elements for effective vendor compliance management: a cybersecurity policy and a third-party service provider security policy.

Cybersecurity Policy

As a regulation focused on cybersecurity, NY CRR Section 500.03 requires covered entities to create and maintain a cybersecurity policy based on the findings of a risk assessment. This risk assessment is an integral part of NY CRR 500, and especially so in terms of vendor compliance. Through a formal risk assessment, your organization can determine what types of risks a vendor presents and how severe those risks are. Among other elements such as business continuity, asset inventory, and physical security, this cybersecurity policy must include information on vendor and third-party service provider management.

We believe that the vendor compliance aspect of your cybersecurity policy should align with the CIS Controls™. These 20 controls range from basic to foundational to organizational, and together they help your organization create a cybersecurity policy that is intentional and prioritized in order to protect your organization from cyber threats. Incorporating the CIS Controls™ into your cybersecurity policy is a strong starting point for executing a policy that maps to NY CRR 500.

Third-Party Service Provider Security Policy

Policies and procedures are a core element of any organization. Without them, how can you implement secure and correct processes? NY CRR 500 requires that covered entities develop and implement a third-party service provider security policy, which should include the following elements:

  • Identification of vendors
  • Risk assessment of vendors
  • The minimum cybersecurity requirements to be met by vendors in order to do business together
  • The due diligence process used to evaluate the competency of cybersecurity practices of vendors
  • Periodic assessment of vendors based on the risk they present
  • Periodic assessment of vendors to ensure the continued competency of their cybersecurity practices
  • Access control management, including use of MFA
  • Use of encryption for information in transit and at rest
  • Incident response procedures, including notification to the covered entity of any cybersecurity event

If you’ve already implemented a cybersecurity risk management program or are beginning to create one at your organization, you’ve probably realized that there’s no single widely accepted approach to cybersecurity assessments. NY CRR 500 can function alongside other helpful cybersecurity-related frameworks, such as SOC for Cybersecurity, ISO 27001, or the NIST Cybersecurity Framework.

As stipulated by Section 500.22 of NY CRR 500, all covered entities must have a vendor compliance management program in place by March 1st, 2019. If you need help creating this program or have other questions pertaining to this law, contact us today.