New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.11 - Third-party service provider security policy

Current through Register Vol. 46, No. 39, September 25, 2024

(a) Each covered entity shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. Such policies and procedures shall be based on the risk assessment of the covered entity and shall address to the extent applicable:

(1) the identification and risk assessment of third-party service providers;

(2) minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the covered entity;

(3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-party service providers; and

(4) periodic assessment of such third-party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.

(b) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to third-party service providers including to the extent applicable guidelines addressing:

(1) the third-party service provider's policies and procedures for access controls, including its use of multi-factor authentication as required by section 500.12 of this Part, to limit access to relevant information systems and nonpublic information;

(2) the third-party service provider's policies and procedures for use of encryption as required by section 500.15 of this Part to protect nonpublic information in transit and at rest;

(3) notice to be provided to the covered entity in the event of a cybersecurity event directly impacting the covered entity's information systems or the covered entity's nonpublic information being held by the third-party service provider; and

(4) representations and warranties addressing the third-party service provider's cybersecurity policies and procedures that relate to the security of the covered entity's information systems or nonpublic information.
