Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Takeaways from the NYDFS Proposed Cybersecurity Regulation Amendments

4 min read
Featured Image

On July 29, 2022, the New York Department of Financial Services (NYDFS) released a series of amendments to its cybersecurity regulations, which, when approved, will affect financial institutions that fall under its governance. These new guidelines include setting standards for notification periods following suspicious activity on privileged accounts, updates to risk assessments, and using multifactor authentication processes for private accounts.

What do these proposed amendments mean for your third-party risk management program? What risks might your vendors pose regarding these new regulations. And, what does your team need to do to ensure vendor compliance?

Understanding the Proposed NYDFS Cybersecurity Amendments

As we've seen over the past several months, regulators are looking for the best ways to implement protections and defend against cybercriminals. Considering this trend, the new proposed amendments to the NYDFS' Part 500 Cybersecurity Regulations attempt to bolster cybersecurity practices, reporting methods, and risk assessments. These improvements will aid in safeguarding financial institutions from cyberattacks, preserve privacy, and protect sensitive information.

Several of the key takeaways from these proposed amendments include:

  1. Updating cybersecurity processes and risk assessments
    All institutions that fall under NYDFS' governance need to have a cybersecurity program which must follow several best practices including using multifactor authentication for privileged accounts, restricting access to sensitive information, eliminating unnecessary accounts and access, monitoring passwords to ensure strength, and creating a comprehensive asset inventory.

    At a minimum, risk assessments must also be completed annually and include information such as the entity's size, location, products or services, subcontractors/fourth parties, and governance.
  2. Imposing new notification periods and incident response plans
    It’s proposed that the notification window be shortened following a cyberattack to ensure that the appropriate officials receive notice of a cyberattack. The proposed amendments would require institutions to notify NYDFS within 72 hours following unauthorized access to privileged accounts or other incidents that would necessitate intervention from a supervisory body or impede normal business operations.

    In addition, covered entities will be required to have business continuity and disaster recovery plans in place. These plans must differentiate based on the type of incident and must contain specific information, including communication channels for essential stakeholders, plans for backing up infrastructure and data, and identifying essential personnel and materials needed to maintain operations.
  3. Implementing new obligations for board members and governing entities
    The amendments require a strict focus on expert knowledge or enlisting subject matter experts to advise on cybersecurity measures. All institutions will be required to have a chief information security officer (CISO), or equivalent, to manage cybersecurity risks and review the security controls. The CISO will be charged with reporting their findings to the board and offering solutions to present risks.

cybersecurity regulations

Third Parties and Their Compliance

With third-party data breaches and cyberattacks becoming a more serious threat across all industries, your vendors must follow the proper guidelines and regulations. Financial institutions must comply with these updated amendments. Therefore, an organization's third-party risk management team will need to consider its vendors' ability to meet these expectations.

Your organization is responsible for complying with these proposed amendments and your vendors may play a larger role in your cybersecurity strategy than you initially think. Consider whether your vendors will notify you with enough time following an incident so that you can notify the proper supervisors. How often do your vendors audit and update their policies? Do the vendors utilize multifactor authentication tools and limit access to privileged accounts and sensitive information only to include the necessary stakeholders? What happens if there is a data breach? Or, a malicious actor gains access to sensitive information?

Updating your organization's policies and procedures is only the first step. You must work with your vendors to ensure they take the necessary actions to comply with the amended regulations. You must ensure that your vendors follow the appropriate guidelines, or you may face significant legal and regulatory consequences.

Questions to Consider When Assessing Your Vendors’ Compliance

No matter what industry you operate in or what regulatory requirements your vendors must meet, your organization will be held liable if they don’t. Ensure that your vendors can comply with your policies and procedures to avoid legal action, fines, and other damages.

When assessing your vendors and their compliance, consider the following questions:
  • How does the vendor access and use your data?
  • What processes are in place to protect your customers and their sensitive information?
  • What is the vendor's notification policy following a data breach or other security threat?
  • Are your vendor's operations consistent with the industry's regulations and laws?
  • How often do they risk assess and reassess their vendors?
  • How often does your vendor assess its cybersecurity measures?
  • What controls does the vendor have in place to meet the updated rules?
  • Does your vendor stay updated on the latest regulations and legislation?

After assessing your vendor, you must verify if the vendor can meet the new requirements. Suppose the vendor's controls do not meet the requirements. In that case, it may be time to consider offboarding and replacing the vendor before any security events occur.

As regulators update their requirements, your organization must make the necessary adjustments to ensure compliance and ensure that its vendors have the appropriate controls to meet the new requirements. Failure to meet the new regulatory requirements puts your organization at great risk and increases your likelihood of regulatory fines and legal action.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo