NYDFS 23 NYCRR 500 Regulation

The State of New York is the first state to introduce a groundbreaking cybersecurity regulation to protect the financial services critical infrastructure. The NY Department of Financial Services (NYDFS) introduced the new NYDFS Cybersecurity Regulation (23 NYCRR 500) that imposes new cybersecurity requirements on all covered financial institutions.

Section 500.11 requires all financial services (covered entities) to comply with the Third Party Service Provider Security Policy regulation.

Accelerate your compliance with Tehama

Section 500.11 Third Party Service Provider Security Policy.

Section 500.11 (a) Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:

(1) the identification and risk assessment of Third Party Service Providers;

(2) minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity;

(3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and

(4) periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.”

In Tehama, financial services organization can set cybersecurity policies such as treatment of data, access to sensitive data, privileged credential management and obfuscation, nationality and secret clearance access, and additional compliance regulations for third party service providers. Tehama can track how third parties, such as service providers are adhering to their policies and prevent them from delivering or accessing critical systems if they fail to comply with the policies.  Via deep audit, activity logging and session recordings, the financial services institution can track every single person within the service provider entity or sub-contractor’s activity while delivering services on mission critical and data sensitive assets. Tehama calls this continuous compliance and governance.

Section 500.11 (b) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing:

(1) the Third Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication as required by section 500.12 of this Part, to limit access to relevant Information Systems and Nonpublic Information;

(2) the Third Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;

(3) notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third Party Service Provider; and

(4) representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.”

Tehama applies several layers of protection to adhere to section 500.11B. First, Tehama requires all third party providers to use multi-factor authentication to access the critical systems. Second, Tehama also restricts access to only the systems the third party has been granted access to. Third, all work done within the Tehama platform is encrypted and all communications between the third party worker and Tehama is encrypted as is all of the communication between the Tehama platform and the financial services infrastructure. Fourth, Tehama, via the unique architecture prevents endpoint device infections from penetrating into the the Tehama platform. Tehama has a continuous detection intrusion service that observes all files and activity for additional protection. Furthermore, the Tehama platform is certified SOC 2 Type 2 compliant and undergoes rigorous penetration testing every quarter.

Section 500.11 (c) Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.”

Tehama supports multi-party collaboration between third-parties and covered entities such that several contractor can collaborate on the same project or access the same critical infrastructure. All policies and procedures defined in the Tehama platform for one financial institution extend to all collaborators in the services ecosystem when extended to all parties.