In 2017, New York released a comprehensive cybersecurity regulation called NYCRR 500 to address growing concerns over increasing cyberattacks and data breaches. Since then, the New York State Department of Financial Services (NYDFS) has amended this regulation to address the increasing complexity and cost of cyber threats that impact organizations and their third parties.
Covered entities in New York must comply with the Second Amendment to 23 NYCRR 500 by April 29, 2024, while certain requirements have been in effect since December 1, 2023. This blog will provide an overview of this amendment and offer some suggested next steps you can take within your third-party risk management (TPRM) program.
Note: Text taken directly from the guidance is noted in italics.
Third-Party Risk Highlights From the 23 NYCRR 500 Cybersecurity Amendment
The amendment outlines several requirements regarding reporting cyber incidents and implementing security controls. It’s recommended to read and understand the full guidance to ensure your organization is compliant.
Here are just a few highlights that may be most relevant to TPRM:
- Third-party cybersecurity incidents – Organizations must now report cybersecurity incidents that occur at their third parties. Reportable incidents are those that may have a material impact on the organization or that result in the deployment of ransomware. The guidance states that covered entities are required to report as promptly as possible but in no event later than 72 hours after they determine an incident has occurred.
- Business continuity and disaster recovery (BC/DR) plans – Covered entities should develop BC/DR plans that include details about identifying third parties that are necessary to the continued operations of the covered entity’s information systems. These plans should also state how the organization will communicate with its third-party service providers during an operational disruption. BC/DR plans should be tested at least annually and be made accessible to appropriate employees.
- Cybersecurity policies and procedures – Written cybersecurity policies that protect an organization’s information systems and nonpublic information must be approved by senior management at least annually. Procedures should also be developed and documented to support the written policy, and include details about vendor or third-party risk management, incident response and notification, risk assessments, and more.
- Certification of compliance – Each year, organizations must provide a written certification of compliance by April 15. This certification should state whether the organization and its vendors had materially complied with the guidance, according to data and documentation. Organizations that haven’t complied must provide a remediation timeline or confirmation that remediation has been completed.
4 Tips to Comply With the 23 NYCRR 500 Cybersecurity Amendment
To ensure the success of your TPRM program, it’s imperative to prioritize regulatory compliance. This means actively staying informed of current expectations and proactively seeking out ways to improve your program.
The following tips can be implemented by any organization, regardless of your current compliance requirements:
- Identify critical third parties – Regulators often use terms like “material” and “critical,” but they’re not always clearly defined. Each organization must define for itself what is considered critical to its operations.
  These three questions can help make that determination about a vendor’s criticality:
  - Would your organization be significantly disrupted if you suddenly lost this vendor?
  - Would your customers be significantly impacted by the sudden loss of this vendor?
  - Would your organization or customers be negatively impacted if the vendor were unable to function for more than 24 hours?
  To enhance your cybersecurity, start by identifying your critical third-party entities. This helps you allocate resources and time efficiently where they are most needed.
- Review data breach notification procedures – Third-party cyber incidents like breaches or ransomware attacks can have significant impacts on your organization and customers, especially if they aren’t reported in a timely manner. Review your current notification procedures to ensure your third parties understand the expectations for notifying your organization after an incident. You may also want to consider adding data breach notification requirements to your third-party contracts when possible.
- Incorporate TPRM into cybersecurity policies – Maybe your organization already has a robust cybersecurity policy in place that includes elements like regular security testing, annual reviews, and periodic updates to address new threats. However, does your policy also address third-party cybersecurity risks? It’s crucial to create a comprehensive policy that clearly outlines the requirements to safeguard your organization and customers against the full range of cybersecurity risks, including those introduced by vendors.
- Stay updated with training and education – The NYDFS said cyber incidents have become easier to execute and more expensive to resolve, but organizations can still protect against most threats they face. Training resources like the Cybersecurity Regulation Training Presentation and other educational tools can help give organizations the best practices they need to protect against third-party cyber risks.
The recent regulatory changes set forth by the NYDFS emphasize the importance of third-party risk management. Even the most established organizations can be vulnerable to cybersecurity threats if their third-party vendors aren’t properly managed. By implementing a strong TPRM program, your organization will be well-prepared to identify and address these risks, which can otherwise lead to serious consequences.