The NY Department of Financial Services (NYDFS) Cybersecurity Regulation places significant cybersecurity requirements on covered financial institutions operating in New York. While there are certain, limited exemptions from this regulation, most state-chartered banks, licensed lenders, private bankers, mortgage companies, insurance companies, service providers and other foreign banks licensed to operate in New York are required to comply.
The NYDFS created a four-phased process to implement the new framework. Each phase had its own effective date, giving financial institutions sufficient time to integrate stronger policies and controls in their organizations.
The final phase (Phase 4) went into effect on March 1, 2019, and focused on the security of information accessed, processed or maintained by third-party service providers. To comply with the Phase 4 requirements, a financial institution’s third-party security policy is expected to define, at a minimum:
- Written policies and procedures designed to protect users from risks posed by third-party service providers
- The identification and risk assessment of third-party service providers
- Minimum cybersecurity practices required of third parties
- The evaluation of third-party cybersecurity practices through due diligence
- Periodic, ongoing third-party risk assessments and due diligence
Additionally, policies and procedures pertaining to third-party service providers are required to include relevant guidelines for due diligence as well as contractual protections addressing:
- Access controls, including the use of multi-factor authentication
- Encryption of nonpublic information in transit and at rest
- Notifications to be provided in response to a cybersecurity event
- Representations and warranties for a third party’s cybersecurity policies and procedures
Establishing a NY DFS Compliant Third-Party Management Program
In order to meet the Phase 4 requirements, covered entities have been refining existing vendor / third-party management programs or, in many cases, building them from the ground up. While compliance with Section 500.11 of the NYDFS regulation is driving the urgency, many covered entities are taking a holistic view of how they manage third-party relationships and are adopting new systems and general best practices in addition to the minimum compliance requirements.
We recommend that every third-party risk management program incorporate the following elements in its policies and procedures, not only to be compliant with the NYDFS regulation but also to establish a strong foundation for managing contracts, compliance and risk with third parties.
- Governance structure – who will own and manage the program?
- Roles and responsibilities – which stakeholders are involved and what’s their role?
- Applicability – which categories of third parties will be managed through the program?
- Risk categories – what types of risk are to be managed?
- Risk tiering – what is the level of risk in each third-party relationship and what are the criteria that determine that risk level?
- Standards and procedures – what are the minimum standards third parties are expected to meet, and what are the procedures for executing oversight activities, including the questionnaires, forms and tools employees will use?
- System – how will all of the tasks, metadata and documents be tracked and managed?
- Reports – what type of executive, management and regulatory reports are required?
All of these elements should be thought through and right-sized to the organization to create a compliant yet practical third-party risk management program.
Though Phase 4 was required to be implemented as of March 1, 2019, it is important to point out that financial institutions are not required to certify their compliance with the regulation’s third-party service provider risk management provisions until February 15, 2020. So while many financial institutions have created the underlying policies and procedures, many are still working towards full integration throughout their operations.
If you need help getting your vendor / third-party risk management program fully compliant by February 2020, Vendor Centric can help by:
- Assessing your program to ensure it complies with the regulation
- Supporting your change management initiatives to incorporate the new policies and procedures throughout your operations
- Providing ongoing risk assessment and due diligence support
If you’d like to learn more, contact me at: firstname.lastname@example.org
Author: Tom Rogers
Job Title: CEO
Organization: Vendor Centric
Tom is the founder and CEO of Vendor Centric. He has been a trusted advisor to nonprofit organizations for 30 years, with a focus on helping them align the right people, processes and systems to mitigate third-party risk and drive more value from third-party contracts and relationships.