Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


NYDFS Cybersecurity Regulation Amendment: Increased Focus on Third-Party Risk

4 min read
Featured Image

In 2017, New York released a comprehensive cybersecurity regulation called NYCRR 500 to address growing concerns over increasing cyberattacks and data breaches. Since then, the New York State Department of Financial Services (NYDFS) has amended this regulation to address the increasing complexity and cost of cyber threats that impact organizations and their third parties.

Covered entities in New York must comply with the Second Amendment to 23 NYCRR 500 by April 29, 2024, while certain requirements have been in effect since December 1, 2023. This blog will provide an overview of this amendment and offer some suggested next steps you can take within your third-party risk management (TPRM) program.

Note: Text taken directly from the guidance is noted in italics

Third-Party Risk Highlights From the 23 NYCRR 500 Cybersecurity Amendment

The amendment outlines several requirements regarding reporting cyber incidents and implementing security controls. It’s recommended to read and understand the full guidance to ensure your organization is compliant. 

Here are just a few highlights that may be most relevant to TPRM: 

  • Third-party cybersecurity incidents – Organizations must now report cybersecurity incidents that occur to their third parties. Reportable incidents are those that may have a material impact on the organization or result in ransomware. The guidance states that covered entities are required to report as promptly as possible but in no event later than 72 hours after they determine an incident has occurred. 
  • Business continuity and disaster recovery (BC/DR) plans – Covered entities should develop BC/DR plans that include details about identifying third parties that are necessary to the continued operations of the covered entity’s information systems. These plans should also state how the organization will communicate with its third-party service providers during an operational disruption. BC/DR plans should be tested at least annually and be made accessible to appropriate employees.
  • Cybersecurity policies and procedures – Written cybersecurity policies that protect an organization’s information systems and nonpublic information must be approved by senior management at least annually. Procedures should also be developed and documented to support the written policy, and include details about vendor or third-party risk management, incident response and notification, risk assessments, and more. 
  • Certification of compliance – Each year, organizations must provide a written certification of compliance by April 15. This certification should state whether the organization and its vendors had materially complied with the guidance, according to data and documentation. Organizations that haven’t complied must provide a remediation timeline or confirmation that remediation has been completed

nydfs cybersecurity regulation amendment third-party risk focus

4 Tips to Comply With the 23 NYCRR 500 Cybersecurity Amendment

In order to ensure the success of your TPRM program, it’s imperative to prioritize regulatory compliance. This means actively staying informed of current expectations and proactively seeking out ways to improve your program. 

The following tips can be implemented by any organization, regardless of your current compliance requirements: 

  • Identify critical third parties – Regulators often include terms like “material” and “critical,” but they’re not always clearly defined. Each organization must define for itself what is considered critical to its operations. 

    These three questions can help make that determination about a vendor’s criticality:

    • Would your organization be significantly disrupted if you suddenly lost this vendor?
    • Would your customers be significantly impacted by the sudden loss of this vendor?
    • Would your organization or customers be negatively impacted if the vendor was unable to function for more than 24 hours?

    To enhance your cybersecurity, start by identifying your critical third-party entities. This helps you allocate resources and time efficiently where they are most needed.
  • Review data breach notification procedures – Third-party cyber incidents like breaches or ransomware attacks can have significant impacts to your organization and customers, especially if they aren’t reported in a timely manner. Review your current notification procedures to ensure your third parties understand the expectations for notifying your organization after an incident. You may also want to consider adding data breach notification requirements to your third-party contracts when possible.
  • Implement TPRM into cybersecurity policies – Maybe your organization already has a robust cybersecurity policy in place that includes elements like regular security testing, annual reviews, and periodic updates to address new threats. However, does your policy also address third-party cybersecurity risks? It’s crucial to create a comprehensive policy that clearly outlines the requirements to safeguard your organization and customers against various cybersecurity risks.
  • Stay updated with training and education – The NYDFS said cyber incidents have become easier to execute and more expensive to resolve, but organizations can still protect against most threats they face. Training resources like the Cybersecurity Regulation Training Presentation and other educational tools can help give organizations the best practices they need to protect against third-party cyber risks.  

The recent regulatory changes set forth by the NYDFS emphasize the importance of third-party risk management. Even the most established organizations can be vulnerable to cybersecurity threats if their third-party vendors aren’t properly managed. By implementing a strong TPRM program, your organization will be well-prepared to identify and address these risks, which can otherwise lead to serious consequences.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo