Vendor Assessment Requirements for 23 NYCRR 500

By ProcessBolt | April 30, 2019

The vendor security requirements for 23 NYCRR 500 Section 500.11 went into effect two years ago. Beginning March 1, 2019, financial services companies, banks and insurance companies operating in the state of New York must have written policies and procedures to ensure that their vendors’ and third-party partners’ information security systems are properly vetted.

Some of the key requirements of this regulation are documented Policies and Procedures related to:

  • identification and risk assessment of Third-Party Service Providers;
  • minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;
  • due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and
  • periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

This regulation requires companies to implement policies, procedures and contractual protections to assess the cybersecurity practices of their third-party vendors. The regulation applies to all vendors for financial institutions operating in New York.


Automate Your Vendor Security Requirements

ProcessBolt enables your organization to evaluate vendor risk based on any criteria, including access to critical information, policy requirements, security requirements and prospective operational impacts (business continuity, reputation, revenue, regulatory). Our state-of-the-art assessment designer allows you to formulate a world-class vendor assessment framework based on your needs and your organizational context. The platform gives you the flexibility to use your existing assessment framework or adopt an industry-standard framework.

In addition, our highly experienced services team can help you develop an effective policy and procedure framework that assists in compliance with applicable regulations.

Our solutions can help you:

  1. Develop an effective policy and process framework.
  2. Build an efficient and context-aware vendor assessment program.
  3. Create a centralized repository of vendor profiles and their compliance results.
  4. Visualize quantitative and customizable risk scoring.
  5. Manage a remediation workflow, which helps you complete the vendor assessment lifecycle.

To learn more about how we can help you achieve compliance, contact us.

