The two-year implementation period for the New York Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR 500, will be over on March 1. This means that the final requirement involving entities that use third-party providers will soon become effective.
What do companies need to know about the NYDFS regulation and deadline? Read on for some key guidelines.
The NYDFS regulation requires all DFS-regulated entities to adopt the core requirements of a cybersecurity program. This includes:
The final phase of implementation requires regulated entities (including banks, insurance companies, mortgage companies and other financial services institutions) that use third-party service providers to implement third-party risk management programs. This is the last remaining requirement, and it becomes effective on March 1.
According to the regulation, each covered entity must implement written policies and procedures regarding data held by third-party service providers, including:
The policies and procedures must include guidelines relating to third parties, addressing:
Covered entities will need to work with a solution that can provide the following:
Scalability: Financial institutions will need to evaluate all of their third parties and hold each one to a minimum security standard. To comply by the deadline, they will need a process that can evaluate third parties easily, quickly and accurately, regardless of how many there are.
Visibility: To properly assess risk, financial institutions will need not only visibility into their third parties, but also context around the business and technology relationship between themselves and those third parties.