Third-Party Risk Management SOP - New York
THIRD-PARTY RISK MANAGEMENT SOP — NEW YORK SUPPLEMENT
Organization: [________________________________]
SOP Number: TPRM-NY-[____]
Version: [____]
Effective Date: [__/__/____]
Approved By: [________________________________]
TABLE OF CONTENTS
- Purpose and Scope
- New York Regulatory Framework
- Definitions
- Risk Tiering — New York Enhancements
- Third-Party Lifecycle — New York Requirements
- NYDFS 23 NYCRR Part 500 Third-Party Service Provider Requirements
- Roles and Responsibilities
- Documentation and Systems of Record
- Metrics, KRIs, and Reporting
- Exceptions and Compensating Controls
- Review Cadence
- Annexes
1. PURPOSE AND SCOPE
1.1 Purpose
This SOP supplements the Universal TPRM SOP with New York-specific requirements under the NY SHIELD Act (N.Y. Gen. Bus. Law § 899-aa, breach notification; § 899-bb, data security) and the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). The SHIELD Act requires any person or business that owns or licenses computerized data containing private information of New York residents to maintain reasonable administrative, technical, and physical safeguards, including selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract. An entity that complies with 23 NYCRR Part 500, GLBA, or HIPAA is deemed compliant with the SHIELD safeguards requirement (§ 899-bb(2)(b)(i)); the breach notification duties in § 899-aa still apply. For NYDFS-covered entities, 23 NYCRR § 500.11 mandates written third-party service provider policies and procedures, and the November 2023 amendments tightened the MFA (§ 500.12), governance (§ 500.4), vulnerability management (§ 500.5), and notice (§ 500.17) requirements that those policies cross-reference.
1.2 Scope
Applies to all third-party relationships involving:
☐ Private information of New York residents (SHIELD Act)
☐ Nonpublic information of NYDFS-covered entities (23 NYCRR Part 500)
☐ Services delivered to New York-based operations
☐ Vendors subject to New York regulatory oversight (NYDFS, NY AG, NY Department of State, etc.)
2. NEW YORK REGULATORY FRAMEWORK
| Statute/Regulation | Key Vendor Requirements |
|---|---|
| SHIELD Act, § 899-bb(2)(b)(ii) | Reasonable administrative, technical, and physical safeguards: designate employee(s) to coordinate the security program; identify and assess foreseeable risks; train employees; select service providers capable of maintaining appropriate safeguards and require those safeguards by contract; dispose of private information within a reasonable time after it is no longer needed. Entities compliant with 23 NYCRR Part 500, GLBA, or HIPAA are deemed compliant (§ 899-bb(2)(b)(i)) |
| SHIELD Act, § 899-aa | Breach notification to affected residents, the NY AG, the Department of State, and the Division of State Police (§ 899-aa(8)(a)); to consumer reporting agencies when more than 5,000 residents are notified at one time (§ 899-aa(8)(b)); a vendor that maintains data it does not own must notify the owner or licensee immediately following discovery (§ 899-aa(3)). The December 2024 amendments added a 30-day deadline for resident notification and added NYDFS to the agencies to be notified |
| 23 NYCRR § 500.11(a) | Written policies and procedures, based on the covered entity's risk assessment, addressing identification and risk assessment of third-party service providers; minimum cybersecurity practices required of them; due diligence processes; periodic assessment based on risk and the continued adequacy of their practices |
| 23 NYCRR § 500.11(b) | Guidelines for due diligence and/or contractual protections covering the provider's access controls (including MFA as required by § 500.12), use of encryption (§ 500.15), notice of cybersecurity events directly affecting the covered entity's information systems or nonpublic information, and representations and warranties on the provider's security policies and procedures. The November 2023 amendments left § 500.11 largely unchanged; the tightened MFA and encryption rules flow through via these cross-references |
| 23 NYCRR § 500.12 (amended) | MFA for remote access to the covered entity's information systems, for remote access to third-party applications (including cloud applications) from which nonpublic information is accessible, and for privileged accounts; from November 1, 2025, MFA for any individual accessing any information system of the covered entity, with only CISO-approved reasonably equivalent or more secure compensating controls (reviewed at least annually) as an alternative |
| 23 NYCRR § 500.17 (amended) | Notice to the Superintendent within 72 hours of determining that a cybersecurity event has occurred at the covered entity, an affiliate, or a third-party service provider where the event is reportable to another government or supervisory body or is reasonably likely to materially harm a material part of normal operations; 24-hour notice of any extortion payment; annual certification of material compliance, or acknowledgment of noncompliance, by April 15 (§ 500.17(b)) |
3. DEFINITIONS
| Term | Definition |
|---|---|
| Private Information (SHIELD Act) | Personal information (a name, number, personal mark, or other identifier) in combination with one or more of: Social Security number; driver's license or non-driver ID number; account, credit, or debit card number together with any required security code or password, or alone if usable without one; or biometric information (data generated by electronic measurement of unique physical characteristics such as a fingerprint, voice print, or retina or iris image). Also, a user name or email address in combination with a password or security question and answer that would permit access to an online account. The December 2024 amendments added medical information and health insurance information as data elements (§ 899-aa(1)(b)) |
| Nonpublic Information (NYDFS) | Electronic information that is not publicly available and is (1) business-related information of the covered entity whose tampering, unauthorized disclosure, or misuse would materially harm its business, operations, or security; (2) information identifying an individual in combination with SSN, driver's license or non-driver ID number, account or card number, security or access code or password to a financial account, or biometric records; or (3) information created by or derived from a health care provider or the individual that relates to the individual's health condition, care, or payment for care (23 NYCRR § 500.1; paragraph lettering changed with the November 2023 amendment) |
| Covered Entity (NYDFS) | Any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, Insurance Law, or Financial Services Law (23 NYCRR § 500.1) |
| Third-Party Service Provider (NYDFS) | A person that is not an affiliate of the covered entity, provides services to it, and maintains, processes, or is otherwise permitted access to nonpublic information through providing those services; governmental entities are excluded (23 NYCRR § 500.1) |
| Cybersecurity Event (NYDFS) | Any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on it (23 NYCRR § 500.1). Vendor notice clauses should use this definition so that attempts, not only confirmed breaches, are in scope |
4. RISK TIERING — NEW YORK ENHANCEMENTS
| Factor | Elevated Risk Indicators |
|---|---|
| SHIELD Act Data | Vendor processes private information of NY residents (SSN, driver's license or non-driver ID number, financial account or card numbers, biometric information, username or email with password or security Q&A, medical or health insurance information) |
| NYDFS-Regulated Services | Vendor provides services involving nonpublic information of a NYDFS-covered entity |
| Privileged Access | Vendor has access to NYDFS-covered entity's information systems (triggering MFA under § 500.12) |
| Volume | Vendor processes data of >10,000 NY residents |
| Biometric Data | Vendor processes biometric information (e.g., fingerprint, voice print, retina or iris image, or other unique physical or digital representation used to authenticate identity) |
Vendors processing SHIELD Act private information or NYDFS nonpublic information shall be classified no lower than Medium tier. Vendors with access to NYDFS-covered entity information systems shall be classified no lower than High tier.
5. THIRD-PARTY LIFECYCLE — NEW YORK REQUIREMENTS
5.1 Due Diligence Enhancements
| # | Requirement | Tier | Evidence |
|---|---|---|---|
| 5.1.1 | Verify reasonable administrative safeguards (SHIELD Act § 899-bb(2)(b)(ii)(A)): designated coordinator, identification and assessment of internal and external risks, employee training, selection and contractual management of service providers | All w/ NY data | ☐ Security policy ☐ Training records ☐ Subcontractor contract clauses |
| 5.1.2 | Verify reasonable technical safeguards (§ 899-bb(2)(b)(ii)(B)): risk assessment of network and software design and of information processing, transmission, and storage; detection, prevention, and response to attacks or system failures; regular testing and monitoring of key controls | All w/ NY data | ☐ Risk assessment ☐ Pen test ☐ SOC 2 |
| 5.1.3 | Verify reasonable physical safeguards (§ 899-bb(2)(b)(ii)(C)): risk assessment of information storage and disposal, intrusion detection and response, protection of private information during collection, transport, and disposal, erasure of electronic media so data cannot be read or reconstructed | All w/ NY data | ☐ Physical security policy ☐ Data center audit ☐ Media sanitization procedure |
| 5.1.4 | For NYDFS vendors: evaluate cybersecurity program per § 500.11 | Critical/High (NYDFS) | ☐ Cybersecurity program docs ☐ CISO designation |
| 5.1.5 | Verify MFA for third-party access (§ 500.12): remote access, privileged accounts, and, from November 1, 2025, any individual accessing the covered entity's information systems | All NYDFS vendors w/ system access | ☐ MFA implementation evidence (enrollment export or configuration screenshot, not only a policy statement) |
| 5.1.6 | Evaluate encryption of nonpublic information in transit over external networks and at rest (§ 500.15); compensating controls are permitted for data at rest only, with written CISO approval reviewed at least annually | All NYDFS vendors | ☐ Encryption documentation ☐ Any CISO-approved compensating controls |
| 5.1.7 | Assess audit trail systems (§ 500.6): records sufficient to reconstruct material financial transactions and to detect and respond to cybersecurity events | Critical/High (NYDFS) | ☐ Logging documentation ☐ Retention schedule |
| 5.1.8 | Verify annual penetration testing from inside and outside the system boundary by a qualified party, automated vulnerability scanning at a risk-based frequency and promptly after material system changes, and timely remediation (§ 500.5 as amended; the pre-amendment rule specified bi-annual vulnerability assessments) | Critical/High (NYDFS) | ☐ Pen test summary ☐ Vuln scan reports ☐ Remediation tracking |
5.2 Contract Requirements — New York Additions
| Clause | Requirement | Citation |
|---|---|---|
| SHIELD Act Safeguards | Vendor represents maintaining reasonable administrative, technical, and physical safeguards | § 899-bb |
| Breach Notification | Vendor must notify within [____] hours of discovery; § 899-aa(3) already requires a vendor that maintains data it does not own to notify the owner or licensee immediately following discovery, and the window must leave time for the 30-day resident notice and the NY AG/DOS/State Police/NYDFS notifications | § 899-aa(3), (8) |
| NYDFS Cybersecurity Program | Vendor represents maintaining a cybersecurity program per 23 NYCRR Part 500 (if applicable) | § 500.11 |
| MFA | Vendor must implement MFA for all access to covered entity's information systems | § 500.12 |
| Encryption | Nonpublic information must be encrypted in transit and at rest | § 500.15 |
| 72-Hour Incident Notification | Vendor must notify within a timeframe that supports the covered entity's 72-hour notice to the NYDFS Superintendent; § 500.17(a) expressly covers cybersecurity events at a third-party service provider, and the 72-hour clock runs from the covered entity's determination, so vendor reporting delays compress the window | § 500.17(a) |
| Annual Certification Support | Vendor will provide representations supporting covered entity's annual certification | § 500.17(b) |
| Audit Trail | Vendor maintains audit trail for detection of material cybersecurity events (5-year retention for financial transactions, 3 years otherwise) | § 500.6 |
| Data Disposal | Vendor must securely dispose, on a periodic basis, of nonpublic information no longer necessary for business operations or other legitimate business purposes, except where retention is required by law or targeted disposal is not reasonably feasible; this SOP additionally requires written certification of destruction | § 500.13(b) |
| Pen Testing / Vuln Assessment | Vendor conducts annual internal and external penetration testing, automated vulnerability scanning at a risk-based frequency and after material system changes, and timely remediation | § 500.5 |
5.3 Ongoing Monitoring — New York Additions
| Activity | Frequency | Responsible |
|---|---|---|
| SHIELD Act safeguards verification | Annual | Security / Compliance |
| NYDFS cybersecurity program assessment (§ 500.11) | Annual | Security |
| MFA compliance verification (§ 500.12) | Semi-Annual | Security |
| Pen test and vulnerability assessment review | Annual (pen test) / Semi-Annual (vuln scan) | Security |
| Breach notification readiness (tabletop) | Annual | Security / Compliance |
| Encryption compliance validation | Annual | Security |
| Annual certification preparation (§ 500.17(b)) | Annual | Compliance |
5.4 Offboarding — New York Additions
☐ Confirm deletion of all NY private information and nonpublic information
☐ Obtain written certification of destruction (supports the § 500.13(b) secure disposal requirement; the certification itself is a contractual term of this SOP, not a regulatory form)
☐ Verify subprocessors have deleted NY data
☐ Revoke all system access; confirm MFA credentials deactivated
☐ Preserve audit trail records for the § 500.6 retention period (5 years for financial transaction records, 3 years for cybersecurity-event audit trails) before closing the record; offboarding must not trigger early deletion
6. NYDFS 23 NYCRR PART 500 — THIRD-PARTY SERVICE PROVIDER REQUIREMENTS
6.1 Written Policy (§ 500.11)
NYDFS-covered entities must maintain a written third-party service provider security policy addressing:
☐ Identification and risk assessment of third-party service providers
☐ Minimum cybersecurity practices required of third-party service providers
☐ Due diligence processes used to evaluate third-party service providers
☐ Periodic assessment of third-party service providers based on risk and continued adequacy
6.2 Minimum Cybersecurity Practices (§ 500.11)
§ 500.11(b) requires the third-party policy to include guidelines for due diligence and/or contractual protections addressing the following (these guidelines predate the November 2023 amendments, which tightened the cross-referenced §§ 500.12 and 500.15 rather than § 500.11 itself):
| # | Minimum Practice | Verification Method |
|---|---|---|
| 6.2.1 | MFA for any individual accessing the covered entity's information systems | ☐ Technical verification ☐ Contractual representation |
| 6.2.2 | Encryption of nonpublic information in transit over external networks and at rest | ☐ Technical verification ☐ Contractual representation |
| 6.2.3 | Notice to the covered entity of cybersecurity events directly affecting its information systems or nonpublic information held by the third party; § 500.11 sets no fixed hour count, so the contractual SLA must be short enough to support the covered entity's own 72-hour notice to the Superintendent under § 500.17(a) | ☐ Contractual SLA ☐ IRP review |
| 6.2.4 | Representations regarding the third party's cybersecurity program | ☐ Annual attestation ☐ SOC 2 report |
6.3 Due Diligence Evaluation Factors
§ 500.11(a)(3) requires documented due diligence processes for evaluating third-party service providers. This SOP evaluates the adequacy of a provider's cybersecurity practices by considering:
☐ The sensitivity and volume of nonpublic information accessible
☐ The third party's cybersecurity policies and procedures
☐ The third party's cybersecurity risk assessments
☐ The third party's ability to protect nonpublic information
☐ Results of audits, certifications, and assessments
☐ The third party's cybersecurity governance and CISO designation
7. ROLES AND RESPONSIBILITIES
| Role | NY-Specific Responsibilities |
|---|---|
| CISO | Oversee NYDFS third-party cybersecurity compliance; report in writing at least annually to the senior governing body per § 500.4, including material cybersecurity risks arising from third-party service providers |
| Compliance | Monitor SHIELD Act / NYDFS regulatory updates; coordinate AG/Superintendent notifications |
| Security | Validate NYDFS minimum cybersecurity practices; verify MFA and encryption; conduct assessments |
| Legal | Ensure NYDFS contract clauses; advise on SHIELD Act safeguard requirements |
| Business Owner | Ensure vendor SLAs support 72-hour NYDFS notification |
8. DOCUMENTATION AND SYSTEMS OF RECORD
Additional TPRM platform fields for NY:
☐ SHIELD Act private information elements processed
☐ NYDFS applicability determination
☐ § 500.11 compliance assessment status
☐ MFA verification status (§ 500.12)
☐ Encryption verification status (§ 500.15)
☐ Annual certification support documentation (§ 500.17(b))
9. METRICS, KRIs, AND REPORTING
| Metric | Target | Frequency |
|---|---|---|
| NYDFS vendors with compliant cybersecurity programs | 100% | Quarterly |
| MFA compliance rate for NYDFS vendor access | 100% | Quarterly |
| Vendors with 72-hour notification SLAs | 100% of applicable | Quarterly |
| SHIELD Act safeguards verification completion | 100% | Annual |
| Annual certification support received | 100% of NYDFS vendors | Annual |
| Pen test / vuln assessment compliance | 100% of Critical/High NYDFS vendors | Annual |
Report to [Board/Committee] quarterly, with NYDFS-specific section.
10. EXCEPTIONS AND COMPENSATING CONTROLS
☐ Exceptions to NYDFS requirements must be approved by [CISO / CCO] and documented with reference to specific 23 NYCRR section
☐ SHIELD Act exceptions must include documented compensating controls
☐ Maximum exception duration: [____] days
11. REVIEW CADENCE
| Field | Information |
|---|---|
| SOP Owner | [________________________________] |
| Review Frequency | Annual, or upon NYDFS/SHIELD Act amendment |
| Next Review Date | [__/__/____] |
12. ANNEXES
Annex A: NYDFS § 500.11 Compliance Checklist
☐ Written third-party service provider security policy adopted
☐ Risk assessment of all third-party service providers completed
☐ Minimum cybersecurity practices defined and communicated
☐ Due diligence process documented
☐ Periodic reassessment schedule established
☐ MFA requirement for third-party access implemented
☐ Encryption requirements communicated and verified
☐ 72-hour notification clause in all applicable contracts
☐ Annual certification support process documented
Annex B: SHIELD Act Safeguards Verification Checklist
☐ Administrative: designated coordinator, risk assessments, training, service provider management
☐ Technical: risk assessment of network/software, threat identification, safeguard testing
☐ Physical: physical storage risk assessment, intrusion detection, access management, disposal
SOURCES AND REFERENCES
- NY SHIELD Act, N.Y. Gen. Bus. Law § 899-aa (breach notification) and § 899-bb (data security; eff. Mar. 21, 2020), as amended Dec. 2024
- NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (2017; amended Nov. 1, 2023)
- 23 NYCRR § 500.4 (Cybersecurity Governance)
- 23 NYCRR § 500.5 (Vulnerability Management)
- 23 NYCRR § 500.6 (Audit Trail)
- 23 NYCRR § 500.11 (Third-Party Service Provider Security Policy)
- 23 NYCRR § 500.12 (Multi-Factor Authentication, as amended)
- 23 NYCRR § 500.13 (Asset Inventory and Data Retention)
- 23 NYCRR § 500.15 (Encryption of Nonpublic Information)
- 23 NYCRR § 500.17 (Notices to Superintendent)
- OCC Bulletin 2023-17, Interagency Guidance on Third-Party Relationships: Risk Management (June 2023)
- DOJ Criminal Division, Evaluation of Corporate Compliance Programs (2023)
This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.
Last updated: April 2026