
VENDOR DUE DILIGENCE QUESTIONNAIRE — NEW YORK

Issuing Organization: [________________________________]
Date Issued: [__/__/____]
Due Date for Completion: [__/__/____]
Vendor Risk Tier: ☐ Critical | ☐ High | ☐ Medium | ☐ Low


TABLE OF CONTENTS

  1. Instructions and Scope
  2. Vendor Profile and Ownership
  3. Sanctions, PEP, and Adverse Media Screening
  4. Services, Data, and Locations
  5. Information Security Controls
  6. Privacy and Data Subject Rights
  7. Subprocessors and Fourth Parties
  8. Incident Response and Breach History
  9. Business Continuity and Disaster Recovery
  10. Certifications, Audits, and Testing
  11. Insurance Coverage
  12. Legal and Regulatory Matters
  13. Financial Viability
  14. ESG, Ethics, and Anti-Corruption
  15. New York-Specific Compliance Requirements
  16. Required Artifacts Checklist
  17. Attestation and Signoff

1. INSTRUCTIONS AND SCOPE

1.1 Purpose

This Vendor Due Diligence Questionnaire (VDQ) evaluates vendor risk with specific attention to New York's data security and privacy framework: the NY SHIELD Act (N.Y. Gen. Bus. Law § 899-aa, § 899-bb), which requires reasonable safeguards for the private information of New York residents, and the NYDFS Cybersecurity Regulation (23 NYCRR Part 500), which imposes specific third-party service provider requirements on covered financial institutions under 23 NYCRR § 500.11.

1.2 Completion Instructions

  • Complete all sections; enter "N/A" where not applicable.
  • Attach all requested evidence. Critical/High-tier vendors must provide independent evidence.
  • If the issuing organization is subject to NYDFS 23 NYCRR Part 500, the vendor must complete Section 15.2 in full.

2. VENDOR PROFILE AND OWNERSHIP

2.1 Corporate Information

| Field | Response |
|---|---|
| Legal Entity Name | [________________________________] |
| DBA | [________________________________] |
| Date of Incorporation | [__/__/____] |
| Jurisdiction of Incorporation | [________________________________] |
| Principal Business Address | [________________________________] |
| New York Office (if any) | [________________________________] |
| Website | [________________________________] |
| EIN | [________________________________] |
| NY DOS Entity Filing No. | [________________________________] |
| Entity Type | ☐ Corporation ☐ LLC ☐ Partnership ☐ Sole Proprietorship ☐ Other: [____] |

2.2 Ownership Structure

| Field | Response |
|---|---|
| Ultimate Parent Company | [________________________________] |
| Publicly traded? | ☐ Yes ☐ No |

Beneficial Owners (10%+):

| Name | Title | Ownership % | Residence |
|---|---|---|---|
| [________________________________] | [________________] | [____]% | [________________] |
| [________________________________] | [________________] | [____]% | [________________] |

2.3 Key Contacts

| Role | Name | Email | Phone |
|---|---|---|---|
| Primary Business Contact | [________________] | [________________] | [________________] |
| Information Security Lead / CISO | [________________] | [________________] | [________________] |
| Privacy Officer | [________________] | [________________] | [________________] |
| Incident Response Contact | [________________] | [________________] | [________________] |

3. SANCTIONS, PEP, AND ADVERSE MEDIA SCREENING

| List | Screened | Match |
|---|---|---|
| OFAC SDN | ☐ Yes ☐ No | ☐ Yes ☐ No |
| OFAC Consolidated | ☐ Yes ☐ No | ☐ Yes ☐ No |
| UN Consolidated | ☐ Yes ☐ No | ☐ Yes ☐ No |
| EU Consolidated | ☐ Yes ☐ No | ☐ Yes ☐ No |
| UK HM Treasury | ☐ Yes ☐ No | ☐ Yes ☐ No |

PEP among owners/officers? ☐ Yes ☐ No — Details: [________________________________]

Adverse media in past 5 years? ☐ Yes ☐ No — Details: [________________________________]


4. SERVICES, DATA, AND LOCATIONS

4.1 Services

| Field | Response |
|---|---|
| Services description | [________________________________] |
| Criticality | ☐ Critical ☐ High ☐ Medium ☐ Low |
| Customer interaction | ☐ Yes ☐ No |
| System access | ☐ Yes ☐ No |
| Access type | ☐ Read-only ☐ Read/Write ☐ Administrative ☐ N/A |

4.2 Data Categories

☐ Private information (as defined in N.Y. Gen. Bus. Law § 899-aa(1)(b))
☐ Social Security Numbers
☐ Financial account numbers with access codes
☐ Driver's license numbers
☐ Biometric data (fingerprints, retina, voice, facial geometry)
☐ Credit/debit card numbers with access codes
☐ Username/email with password or security Q&A
☐ Nonpublic Information (as defined in 23 NYCRR § 500.1, if applicable)
☐ PHI
☐ PCI data
☐ Other: [________________________________]

Estimated volume: ☐ <1,000 ☐ 1,000–10,000 ☐ 10,000–100,000 ☐ 100,000–1M ☐ >1M

4.3 Data Locations

| Location | Activity | Data Types |
|---|---|---|
| [________________________________] | ☐ Processing ☐ Storage ☐ Both | [________________] |
| [________________________________] | ☐ Processing ☐ Storage ☐ Both | [________________] |

5. INFORMATION SECURITY CONTROLS

5.1 Access Controls

| # | Control | Response | Details |
|---|---|---|---|
| 5.1.1 | MFA for remote access? | ☐ Yes ☐ No | [________________] |
| 5.1.2 | MFA for access to our data? | ☐ Yes ☐ No | [________________] |
| 5.1.3 | RBAC implemented? | ☐ Yes ☐ No | [________________] |
| 5.1.4 | Least privilege enforced? | ☐ Yes ☐ No ☐ Partial | [________________] |
| 5.1.5 | Access reviews? | ☐ Yes ☐ No | Frequency: [____] |
| 5.1.6 | Timely access termination? | ☐ Yes ☐ No | SLA: [____] |
| 5.1.7 | Privileged access managed separately? | ☐ Yes ☐ No | [________________] |

5.2 Encryption

| # | Control | Response | Details |
|---|---|---|---|
| 5.2.1 | Encrypted at rest? | ☐ Yes ☐ No | Algorithm: [____] |
| 5.2.2 | Encrypted in transit? | ☐ Yes ☐ No | Protocol: [____] |
| 5.2.3 | Separate key management? | ☐ Yes ☐ No | [________________] |

5.3 Network Security

| # | Control | Response | Details |
|---|---|---|---|
| 5.3.1 | Firewalls? | ☐ Yes ☐ No | [________________] |
| 5.3.2 | IDS/IPS? | ☐ Yes ☐ No | [________________] |
| 5.3.3 | Network segmentation? | ☐ Yes ☐ No | [________________] |
| 5.3.4 | Patch management? | ☐ Yes ☐ No | SLA: [____] |
| 5.3.5 | Vulnerability scanning? | ☐ Yes ☐ No | Frequency: [____] |

5.4 Endpoint, Physical, and Logging

| # | Control | Response | Details |
|---|---|---|---|
| 5.4.1 | EDR deployed? | ☐ Yes ☐ No | [________________] |
| 5.4.2 | Endpoints encrypted? | ☐ Yes ☐ No | [________________] |
| 5.4.3 | Physical security at data centers? | ☐ Yes ☐ No | [________________] |
| 5.4.4 | Centralized logging/SIEM? | ☐ Yes ☐ No | [________________] |
| 5.4.5 | Log retention ≥12 months? | ☐ Yes ☐ No | Period: [____] |

6. PRIVACY AND DATA SUBJECT RIGHTS

| # | Control | Response |
|---|---|---|
| 6.1 | Designated privacy officer? | ☐ Yes ☐ No |
| 6.2 | Written privacy policy? | ☐ Yes ☐ No |
| 6.3 | PIAs conducted? | ☐ Yes ☐ No |
| 6.4 | Data retention schedules documented? | ☐ Yes ☐ No |
| 6.5 | Secure deletion procedures? | ☐ Yes ☐ No |
| 6.6 | Deletion certification on termination? | ☐ Yes ☐ No |

7. SUBPROCESSORS AND FOURTH PARTIES

Uses subprocessors? ☐ Yes ☐ No

| Subprocessor | Services | Location | Data Types |
|---|---|---|---|
| [________________________________] | [________________] | [________________] | [________________] |

| # | Control | Response |
|---|---|---|
| 7.1 | Subprocessor due diligence? | ☐ Yes ☐ No |
| 7.2 | Equivalent contractual terms? | ☐ Yes ☐ No |
| 7.3 | Notification of changes? | ☐ Yes ☐ No |

8. INCIDENT RESPONSE AND BREACH HISTORY

| # | Control | Response | Details |
|---|---|---|---|
| 8.1 | Documented IRP? | ☐ Yes ☐ No | [________________] |
| 8.2 | 24/7 response? | ☐ Yes ☐ No | [________________] |
| 8.3 | Customer notification SLA | [____] hours | |
| 8.4 | IRP tested annually? | ☐ Yes ☐ No | Last: [__/__/____] |

Breaches in past 3 years? ☐ Yes ☐ No

| Date | Nature | Data Impacted | Remediation |
|---|---|---|---|
| [__/__/____] | [________________] | [________________] | [________________] |

9. BUSINESS CONTINUITY AND DISASTER RECOVERY

| # | Control | Response | Details |
|---|---|---|---|
| 9.1 | BCP documented? | ☐ Yes ☐ No | |
| 9.2 | DRP documented? | ☐ Yes ☐ No | |
| 9.3 | RTO | [____] hours | |
| 9.4 | RPO | [____] hours | |
| 9.5 | DRP tested annually? | ☐ Yes ☐ No | Last: [__/__/____] |

10. CERTIFICATIONS, AUDITS, AND TESTING

| Certification | Maintained | Covers Services | Expiration |
|---|---|---|---|
| SOC 2 Type II | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| ISO 27001 | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| PCI DSS | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |

Pen test: Frequency [____] | Last: [__/__/____] | Critical findings remediated? ☐ Yes ☐ No ☐ In Progress

11. INSURANCE COVERAGE

| Coverage | Carrier | Limit | Expiration |
|---|---|---|---|
| Cyber/Tech E&O | [________________] | $[________________] | [__/__/____] |
| General Liability | [________________] | $[________________] | [__/__/____] |
| Professional Liability | [________________] | $[________________] | [__/__/____] |

12. LEGAL AND REGULATORY MATTERS

| # | Question | Response |
|---|---|---|
| 12.1 | All required licenses held? | ☐ Yes ☐ No |
| 12.2 | Regulatory exams in past 3 years? | ☐ Yes ☐ No |
| 12.3 | Enforcement actions or settlements? | ☐ Yes ☐ No |
| 12.4 | Pending litigation? | ☐ Yes ☐ No |
| 12.5 | Subject to NYDFS regulation? | ☐ Yes ☐ No |

13. FINANCIAL VIABILITY

| # | Question | Response |
|---|---|---|
| 13.1 | Willing to provide financials? | ☐ Yes ☐ No |
| 13.2 | Material adverse changes? | ☐ Yes ☐ No |
| 13.3 | Revenue concentration >25%? | ☐ Yes ☐ No |

14. ESG, ETHICS, AND ANTI-CORRUPTION

| # | Control | Response |
|---|---|---|
| 14.1 | Code of conduct? | ☐ Yes ☐ No |
| 14.2 | Anti-corruption program? | ☐ Yes ☐ No |
| 14.3 | Whistleblower channel? | ☐ Yes ☐ No |

15. NEW YORK-SPECIFIC COMPLIANCE REQUIREMENTS

15.1 NY SHIELD Act (N.Y. Gen. Bus. Law § 899-aa, § 899-bb)

The SHIELD Act, effective March 21, 2020, broadened the definition of "private information" and requires any person or business owning or licensing computerized data that includes the private information of New York residents to implement and maintain "reasonable safeguards," meaning administrative, technical, and physical safeguards. Breach notification must be made to affected individuals "in the most expedient time possible and without unreasonable delay," and to the New York Attorney General, the Department of State Division of Consumer Protection, and the New York State Police if the breach affects New York residents (N.Y. Gen. Bus. Law § 899-aa(8)).

| # | Requirement | Response | Details |
|---|---|---|---|
| 15.1.1 | Does the vendor maintain reasonable administrative safeguards for private information per the SHIELD Act (§ 899-bb(2)(b)(i))? | ☐ Yes ☐ No | [________________] |
| 15.1.2 | Does the vendor maintain reasonable technical safeguards (§ 899-bb(2)(b)(ii))? | ☐ Yes ☐ No | [________________] |
| 15.1.3 | Does the vendor maintain reasonable physical safeguards (§ 899-bb(2)(b)(iii))? | ☐ Yes ☐ No | [________________] |
| 15.1.4 | Can the vendor notify us promptly of a breach involving NY private information? | ☐ Yes ☐ No | SLA: [____] hours |
| 15.1.5 | Can the vendor support notifications to the NY AG, DOS, and State Police when required? | ☐ Yes ☐ No | [________________] |
| 15.1.6 | Does the vendor process biometric data of NY residents (fingerprint, voice, retina, facial geometry)? | ☐ Yes ☐ No | [________________] |
| 15.1.7 | Does the vendor designate an employee or employees to coordinate the data security program? | ☐ Yes ☐ No | [________________] |

15.2 NYDFS Cybersecurity Regulation (23 NYCRR Part 500)

If the issuing organization is a Covered Entity under NYDFS, 23 NYCRR § 500.11 requires a written third-party service provider security policy. This section addresses those requirements. The November 2023 amendments to Part 500 strengthened third-party oversight obligations, including requiring MFA for third-party access and enhanced incident notification (within 72 hours).

| # | Requirement | Response | Details |
|---|---|---|---|
| 15.2.1 | Does the vendor maintain a cybersecurity program meeting the minimum standards of 23 NYCRR Part 500? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.2 | Has the vendor designated a CISO or qualified designee (§ 500.4)? | ☐ Yes ☐ No ☐ N/A | Name: [________________] |
| 15.2.3 | Does the vendor maintain a written cybersecurity policy (§ 500.3)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.4 | Does the vendor conduct annual penetration testing and bi-annual vulnerability assessments (§ 500.5)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.5 | Does the vendor maintain audit trail systems (§ 500.6)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.6 | Does the vendor implement MFA for third-party access to information systems (§ 500.12, as amended Nov. 2023)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.7 | Does the vendor use encryption for nonpublic information in transit and at rest (§ 500.15)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.8 | Can the vendor notify within 72 hours of a cybersecurity event (§ 500.17, as amended)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.9 | Does the vendor maintain an incident response plan (§ 500.16)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.10 | Will the vendor provide representations regarding its cybersecurity practices to support our annual certification to NYDFS (§ 500.17(b))? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.11 | Does the vendor conduct annual risk assessments (§ 500.9)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.12 | Does the vendor provide regular cybersecurity awareness training (§ 500.14)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.13 | Does the vendor's data retention and disposal meet § 500.13 standards? | ☐ Yes ☐ No ☐ N/A | [________________] |

15.3 Data Retention and Disposal

| # | Requirement | Response | Details |
|---|---|---|---|
| 15.3.1 | Data retention schedule for NY resident data? | ☐ Yes ☐ No | Period: [________________] |
| 15.3.2 | Secure disposal procedures? | ☐ Yes ☐ No | Method: [________________] |
| 15.3.3 | Written destruction certification? | ☐ Yes ☐ No | [________________] |

16. REQUIRED ARTIFACTS CHECKLIST

| # | Document | Provided | N/A |
|---|---|---|---|
| 16.1 | Information Security Policy | ☐ | ☐ |
| 16.2 | Privacy Policy | ☐ | ☐ |
| 16.3 | Incident Response Plan | ☐ | ☐ |
| 16.4 | BC/DR Plan | ☐ | ☐ |
| 16.5 | SOC 2 Report | ☐ | ☐ |
| 16.6 | Pen Test Summary | ☐ | ☐ |
| 16.7 | Subprocessor List | ☐ | ☐ |
| 16.8 | Insurance Certificate(s) | ☐ | ☐ |
| 16.9 | NYDFS Cybersecurity Program Documentation | ☐ | ☐ |
| 16.10 | CISO Designation / Qualifications | ☐ | ☐ |
| 16.11 | Sample DPA | ☐ | ☐ |

17. ATTESTATION AND SIGNOFF

I certify that the information provided is true, complete, and accurate. I commit to notifying the issuing organization within ten (10) business days of material changes.

| Field | Information |
|---|---|
| Name | [________________________________] |
| Title | [________________________________] |
| Signature | [________________________________] |
| Date | [__/__/____] |

SOURCES AND REFERENCES

  • NY SHIELD Act, N.Y. Gen. Bus. Law § 899-aa, § 899-bb (eff. Mar. 21, 2020)
  • NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (2017; amended Nov. 1, 2023)
  • 23 NYCRR § 500.11 (Third-Party Service Provider Security Policy)
  • 23 NYCRR § 500.12 (Multi-Factor Authentication, as amended)
  • 23 NYCRR § 500.17 (Notices to Superintendent, as amended)
  • OCC Bulletin 2023-17, "Third-Party Relationships: Risk Management Guidance"
  • FFIEC IT Examination Handbook

This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.

About This Template

Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026