top of page

NYS DFS - Third Party Vendor Management Requirements

Starting today, March 1, 2019, banks, insurance companies, and financial services firms operating in the state of New York must have written policies and procedures in place ensuring they adequately vet their vendors’ information security systems. The vendor security requirement is the last phase of the NYDFS Cybersecurity Requirements that went into effect two years ago on March 1, 2017. The vendor security requirement can found in 23 NYCRR 500 Section 500.11 (p7).

The Third Party Service Provider Security Policy requires firms implement policies and procedures, due diligence, and contractual protections to evaluate and control the cybersecurity practices of their third-party service providers. These policies and procedures must be based on the firm’s own internal risk assessment and must address specific topics, such as the firm’s risk assessment procedure, its minimum security requirements for vendors, its due diligence efforts, and more.

This regulation has compounding impact as the rules will therefore be applied to all vendors that service the financial institutions operating in NY. Vendor management has a trickle down effect to ensure data is protected throughout the value chain.

Privva allows security professionals across industries to manage an efficient vendor risk management program, including automated assessments and ongoing remediation of risks. The platform allows clients the flexibility to bring an existing security assessment or utilize industry standard frameworks, such as the Share Assessments SIG or NIST-based questionnaires.

Privva have developed a six-step process and solution to vendor security, which includes:

  1. Develop Policies and Procedures: Draft or revise policies and procedures to ensure the protection of customer information and compliance with applicable regulations.

  2. Create an Assessment: Leverage industry standardized assessments provided by Privva or develop tailored assessments in line with your firms’ policies.

  3. Inventory Vendor Profiles: Maintain comprehensive profiles and vendor specific documents on a centralized platform. Classify and categorize vendors by business criticality and data access. Make year over year surveys, assessments and spot audits more efficient.

  4. Distribute Vendor Assessments: Distribute an unlimited number of assessments to vendors simultaneously. Privva enables streamlined communication between stakeholders and provides a real time view of the overall project status. Privva’s architecture allows institutions to categorize vendors of similar categories based on assessment type (e.g. data access, risk tier, or business unit).

  5. Analyze Results: Review vendor responses & supporting artifacts developing a proprietary risk score for each vendor.

  6. Remediate Identified Risks: Develop and communicate a remediation plan to vendors. Threaded communication provides real-time auditable tracking of remediation progress.

Please contact Privva at to learn how Privva can help achieve compliance.

About Privva

Privva is an award-winning, cloud-based vendor risk assessment platform delivering value for a diverse customer base across industries including legal, financial services (banks, hedge funds, private equity), technology, healthcare, education, and media. Privva’s solution streamlines the assessment process from authoring to automatic recurring delivery. The platform’s scalable approach to vendor risk management has resulted in users reporting more than 60%-time savings as well as experience improvements in consistency of assessment scoring and analysis. Privva’s adaptable features enable a tailored approach to assessing risk with an intuitive user interface that drives a responsive experience throughout the process. For more information, please visit

Featured Posts
Recent Posts
Search By Tags
Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Social Icon
bottom of page