Executive management recognized the requirement to meet the 4th and final milestone of the New York Department of Financial Services (NYDFS) regulations (specifically 23 NYCRR 500) by the March 15, 2019 implementation date. In their initial research of the regulation, they recognized that an important component was to exercise due diligence concerning data security in the selection of third-party service providers, and to require third-party service providers to maintain reasonable safeguards. Given the timeframe and the new regulatory requirements, they reached out to Vendor Centric to help.
Vendor Centric worked with our colleagues in CohnReznick’s Cybersecurity Advisory practice to create a comprehensive solution which included:
- Creation of vendor management policy and required infrastructure which includes a vendor management office (VMO)
- Implementation of the VendorRisk system to automate and document the required activities
- Identification of all vendors which were covered by the regulation
- Administration of risk assessment and due diligence reviews & analysis for all required vendors
- Delivery of a documented program and summary reporting to LGA executive management to enable them to certify that their program was compliant.
- Documented vendor management policies, standards and procedures ensuring LGA’s compliance with NYDFS requirements under the Cybersecurity Requirements for Financial Services companies.
- Completed all of the required risk and due diligence reviews & analysis and provided a Due Diligence Scorecard and Remediation Report documenting that all required vendors were reviewed to comply with the regulation.
- Automated third-party risk management activities (using VendorRisk, a cloud-based vendor management system) to centralize information and eliminate time-consuming manual tasks (such as performing Excel-based risk assessments and due diligence reviews).
- Delivered the program on time, allowing LGA’s executive management team time to review and certify the program to the NYDFS commissioner.