NYDFS 23 NYCRR 500

NY Department of Financial Services Cybersecurity Regulation

With Tehama you can leverage a SOC 2 Type II end-user compute environment and achieve and maintain regulatory compliance requirements for heavily regulated industries such as banking, financial services, health care, energy and utilities, insurance and government enterprises. The Tehama solution has 107 SOC 2 Type II controls built into the platform, saving you time and resources on your internal SOC 2 Type II audits.

NYDFS 23 NYCRR 500 badge

NYDFS 23 NYCRR 500 Regulation

The State of New York is the first state to introduce a cybersecurity regulation designed to protect the financial services’ critical infrastructure. The NY Department of Financial Services (NYDFS) introduced the NYDFS Cybersecurity Regulation (23 NYCRR 500) that imposes new cybersecurity requirements on all covered financial institutions.

The 23 NYCRR 500 Regulation applies to all businesses operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. 

This includes:

Accelerate your compliance with Tehama

Section 500.11 requires all financial services (covered entities) to comply with the Third Party Service Provider Security Policy regulation.

“Section 500.11 Third Party Service Provider Security Policy.

Section 500.11 (a) Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:

In Tehama, financial services organizations can set cybersecurity policies such as treatment of data, access to sensitive data, privileged credential management and obfuscation, nationality and secret clearance access, geo-fencing access with partner IAM solutions, and additional compliance regulations for third-party service providers. Tehama can track how third parties, such as service providers are adhering to their policies and prevent them from delivering or accessing critical systems if they fail to comply with the policies. 

Via deep audit, activity logging and session recordings, the financial services institution can track every single person within the service provider entity or sub-contractor’s activity while delivering services on mission critical and data sensitive assets. Tehama calls this continuous compliance and governance.

Tehama applies several layers of protection to adhere to section 500.11B.

Furthermore, the Tehama platform is certified SOC 2 Type II compliant and undergoes rigorous penetration testing as part of the SOC 2 Type II audit.

“Section 500.11 (c) Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.”

Tehama supports multi-party collaboration between third-parties and covered entities such that several contractors can collaborate on the same project or access the same critical infrastructure. All policies and procedures defined in the Tehama platform for one financial institution extend to all collaborators in the services ecosystem when extended to all parties.

Tehama supports multi-party collaboration between third-parties.