Client
Legal & General America
Industry
Insurance
Services
Vendor Management Program
Meeting NYDFS Compliance Requirements and Designing a Vendor Management Program in Less Than 6 Months
For nearly 70 years, Legal & General America has been in the business of providing financial protection for American families. Their corporate history dates back to 1836, when their parent company was founded in London, England. They are a financially strong and fiscally responsible Top 5 life insurance provider in the U.S. Keeping life insurance affordable, protecting their clients' retirement, and providing high-quality, efficient customer service are just the fundamentals for Legal & General America as they service their 1.3 million U.S. customers.
Executive management recognized the requirement to meet the 4th and final milestone of the New York Department of Financial Services (NYDFS) regulations (specifically 23 NYCRR 500) by the March 15, 2019 implementation date. In their initial research of the regulation, they recognized that an important component was to exercise due diligence concerning data security in the selection of third-party service providers, and to require third-party service providers to maintain reasonable safeguards. Given the timeframe and the new regulatory requirements, they reached out to Vendor Centric to help.
Vendor Centric worked with our colleagues in CohnReznick’s Cybersecurity Advisory practice to create a comprehensive solution which included:
- Creation of vendor management policy and required infrastructure which includes a vendor management office (VMO)
- Implementation of the VendorRisk system to automate and document the required activities
- Identification of all vendors which were covered by the regulation
- Administration of risk assessment and due diligence reviews & analysis for all required vendors
- Delivery of a documented program and summary reporting to LGA executive management to enable them to certify that their program was compliant.
- Documented vendor management policies, standards and procedures ensuring LGA’s compliance with NYDFS requirements under the Cybersecurity Requirements for Financial Services companies.
- Completed all of the required risk and due diligence reviews & analysis and provided a Due Diligence Scorecard and Remediation Report documenting that all required vendors were reviewed to comply with the regulation.
- Automated third-party risk management activities (using VendorRisk, a cloud-based vendor management system) to centralize information and eliminate time-consuming manual tasks (such as performing Excel-based risk assessments and due diligence reviews).
- Delivered the program on time, allowing LGA's executive management team time to review and certify the program to the NYDFS commissioner.


“Vendor Centric led our process for getting compliant with NYDFS third-party requirements, including the implementation of VendorRisk. We now have a best-in-class program and confidence that we’re compliant with the regulations.”
Justin Holden
VMO