Are you ready to file your annual certification

confirming compliance?  

We can help. 



NYDFS Section 500.11

Third-Party Service Providers

Under NYDFS 23 NYCRR 500, covered entities are
responsible for understanding the data protection practices of all third-party service providers that have
access to Nonpublic Information (NPI). Section 500.11 specifically requires that covered entities implement policies and procedures to protect NPI that address the following:

  • 500.11 (a)(1) | Identify and assess third-party service providers that have access to non-public information.

  • 500.11(a)(2) | Ensure third-party service providers meet minimum cybersecurity practices.

  • 500.11(a)(3) | Establish a due diligence process to evaluate adequacy.

  • 500.11(a)(4) | Conduct periodic assessments of service providers.

A shocking 79.5% of third-party vendors assessed by Jordan Lawrence's Vendor Risk Profiling Service are identified as regulated or high-risk. Over half of respondents to a recent Ponemon Institute survey said they don't know if their vendors' safeguards are sufficient to prevent a data breach (see section 500.11 (a)(2) above). 

With mounting obligations related to data privacy regulations and seemingly endless data breaches traced back to third parties, your company can't afford to utilize indefensible processes. 

New York State DFS

23 NYCRR 500

The intent of the DFS Cybersecurity Regulation is to protect all nonpublic information. Your company is responsible for protecting your NPI and the NPI of customers, employees, and shareholders. This applies equally to data processed internally, manually, electronically, and by third parties.


The first step of compliance is understanding your NPI. Second, the regulation mandates that companies have a records retention program that eliminates NPI when eligible. Third, NYDFS recognizes that third-parties access, process and store a good deal of NPI and it mandates companies have a process for assessing the competency of their third-parties that do so. 

We can help. 

Further Reading. 

From city-specific provisions to proposals for nation-wide data protection requirements, many companies find themselves lost in the sea of regulations, and more are coming in 2019. 

With many bills introduced, and many more being drafted, data privacy legislation will only continue to rise in importance in 2019. Is your company prepared to comply with expanding requirements and contend with the litigation that will follow?


We recently published our 2018 Regulatory Recap and our 2019 Regulatory Forecast. These white papers cover key data privacy & cybersecurity regulations that went into effect this year, or are expected to be significant regulations in 2019. Download now to learn more about these regulations and practical steps you can towards sustainable compliance to help insulate your company.