As of March 1, 2019, the New York State Department of Financial Services’ (NYDFS) cybersecurity regulation, 23 NYCRR Part 500, requires financial services institutions regulated by NYDFS to implement written policies and procedures (Section 500.11) to address the cybersecurity risks that third-party service providers pose to the institutions’ nonpublic information (NPI).

While meeting the March 1 deadline has been a monumental task for many covered entities, it is only the first step in maintaining a compliant vendor management program in this new world of cybersecurity regulation. To manage the risks and potential liability that come with this “first of its kind” cyber regulation, covered entities must implement an ongoing program that in most cases will represent a sea change from their prior practices. In particular, the required oversight and management of third-party service providers, or TPSPs, will extend well beyond traditional vendor management functions and deep into contracting, due diligence and stakeholder review.

The Requirements of the NYDFS Regulation