Banks and Insurance Companies With Business in New York Must Ensure Third Parties Comply With Cybersecurity Requirements

The New York State Department of Financial Services (DFS) 23 NYCRR 500 regulations took effect March 1, 2017 and require regulated institutions in New York state to annually prepare and submit a certification of compliance to these cybersecurity regulations. As a result, regulated institutions must:

  • Implement a cybersecurity program to protect the confidentiality, integrity and availability of its information systems
  • Employ a CISO and dedicated personnel to oversee and implement the cybersecurity program and enforce its policy
  • Conduct a periodic risk assessment to inform the design of its cyber security policies
  • Establish an incident response plan, including notification of regulatory agencies
  • Monitor and periodically test internal systems through penetration testing – at least annually – and vulnerability assessments – at least biannually
  • Conduct third-party security assessments – at least annually – and ensure the systems and information they access are secure
  • Limit and review access privileges; implement risk-based policies, procedures and controls to monitor the activity of users and access to non-public information
  • Maintain systems that can be audited and have the ability to reconstruct material transactions
  • Secure development practices for applications developed in-house and establish procedures for evaluating, assessing and testing the security of externally developed applications
  • Ensure the secure disposal of any nonpublic information no longer needed for operations
  • Use effective controls, including Multi-Factor Authentication or Risk-Based Authentication and encryption of non-public information
  • Provide regular cybersecurity awareness training for all personnel


These New York State DFS regulations emphasize the importance of mitigating and protecting against third-party risks given the increasing role third parties play in customer data management, their access to non-public information, and the risks they pose to information security.  In its Update on Cyber Security in the Banking Sector, the New York State DFS found:

  • 54% of those surveyed do not require a pre-contract onsite assessment of third-party vendors
  • 65% do not require periodic on-site assessments of at least high-risk third party vendors
  • 30% do not require their third-party vendors to notify them in the event of a breach
  • Only 36% ensure information security requirements are extended to subcontractors of the third-party vendors.


As a result of these findings, the DFS has instructed financial organizations to implement written policies and procedures to ensure the security of systems and nonpublic information accessible to, or held by, third party service providers.  The policies must address:

  • third party identification and risk assessment;
  • minimum cybersecurity practices required to establish a business relationship;
  • due diligence processes used to evaluate the adequacy of third party cybersecurity practices; and
  • periodic third party assessments based on the risk they present and the adequacy of their cybersecurity practices.


Compliance Made Easy

Hiperos 3PM Information Security makes complying with New York State DFS 23 NYCRR 500 regulations and managing and responding to third-party information security risks faster and easier than ever before. Leveraging Hiperos 3PM, customers can automatically perform controls-based assessments of third-party information security risks, scope the appropriate controls for each relationship based on their control framework and maintain a continuously updated risk register on every in-scope relationship. All third-party information is centrally stored as reportable, actionable data across the enterprise. Learn more

See other regulations addressed by Hiperos 3PM