NYDFS Compliance Checklist for Insurance Companies

Published by Sabrina Pagnotta on November 2, 2021
Categories: Blog | Tags: TPRM Best Practices

NYDFS compliance remains a challenge for some organizations in the financial industry, with strict requirements for cybersecurity, vendor risk management, breach reporting, and limited data retention.

Among its core requirements for financial institutions are appointing a CISO, conducting periodic risk assessments, maintaining a cybersecurity program that aligns with the NIST Cybersecurity Framework, and implementing third-party risk management (TPRM) and fourth-party risk management programs.

What is the NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on financial institutions and financial services companies, which the regulation terms Covered Entities.

Its 23 sections outline requirements for developing and implementing an effective cybersecurity program, in order to assess risk and develop a plan to proactively address it.

What types of organizations are Covered Entities?

The NYDFS Cybersecurity Regulation applies to all entities that operate, or are required to operate, under a DFS license, registration or charter, or that are otherwise DFS-regulated, as well as to their third-party vendors and service providers.

Examples of covered entities include:

  • Credit unions
  • Mortgage brokers
  • Insurance providers
  • Commercial banks
  • Private bankers
  • Licensed lenders
  • Foreign banks licensed to operate in New York

However, organizations that employ fewer than 10 people, generated less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt.

NYDFS Cybersecurity Regulation and Third Party Risk Management

The regulation covers many aspects of a cybersecurity program, including data breach notifications within 72 hours, best practices from ISO 27001 standards covering access controls and identity management, business continuity and disaster recovery planning, systems and network security, periodic risk assessments, and more.

In addition, CISOs need to annually report on the organization’s cybersecurity policies and procedures, risks, and performance of current security measures.

More importantly, Covered Entities have to implement vendor management policies regarding third-party vendors who are given permissions to access systems and files covered by the regulation.

Read More: Third-Party Risk Management for Financial Services Organizations

Compliant vendor risk management written policies need to cover:

  • A vendor risk assessment questionnaire template and due diligence process to evaluate the effectiveness of a third-party’s security posture
  • Minimum security requirements for third-party vendors (for example, SOC 2 assurance)
  • Penetration testing
  • Periodic assessment of third-party policies and controls
  • Qualified cybersecurity professionals to manage risk and provide mandatory, ongoing cybersecurity training
  • Use of the principle of least privilege to reduce the risk of privilege escalation attacks
  • Use of multi-factor authentication for all inbound connections to an organization’s network
  • Notification of any cybersecurity event that could cause material harm, such as a data breach

NYDFS Compliance Checklist

The 23 NYCRR 500 regulatory standards are split into 23 sections with detailed requirements. Below are some of the main provisions.

1. Cybersecurity Program (Section 500.02)
2. Chief Information Security Officer (Section 500.04)
3. Penetration Testing and Vulnerability Management (Section 500.05)
4. Audit Trail (Section 500.06)
5. Risk Assessments (Section 500.09)
6. Cybersecurity Personnel and Intelligence (Section 500.10)
7. Multi-Factor Authentication (Section 500.12)
8. Training and Monitoring (Section 500.14)
9. Encryption of Nonpublic Information (Section 500.15)
10. Annual Compliance Certification (Section 500.16)

For more information, you can read the NYDFS Cybersecurity Regulation FAQs.

How ThirdPartyTrust Can Improve Security and Compliance Across Your Supply Chain

Companies like Take-Two Interactive, Netskope, Vertafore, Spiff, and Charles River Laboratories use ThirdPartyTrust to assess the security of their vendors, monitor and reduce third-party risk, share their security posture, prevent data breaches, and monitor for vulnerabilities.

The ThirdPartyTrust third-party risk management platform can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors’ security posture over time, while benchmarking them against security standards.

Read More: How To Make Vendor Risk Management Easier and More Efficient

Each vendor is rated on risk, impact, and trust, among other key indicators, to provide you with a holistic view of the health of your vendor ecosystem, and help you focus on the highest risks.

Through more than 10 integrations with data providers, including BitSight, SpyCloud, and Osano, ThirdPartyTrust provides additional intelligence on security and privacy ratings, breach history, and financial health. By automating your custom vendor risk management framework, you’ll be alerted if any score drops.

Book a demo of the ThirdPartyTrust TPRM platform today.

Sabrina Pagnotta, Sr. Content Strategist