The two-year transition period for New York Department of Financial Services' 23 NYCRR 500 is quickly coming to an end. By March 1, 2019, Covered Entities must be able to demonstrate a defensible third-party right management program.
Are you ready to file your annual certification confirming compliance?
Covered entities are responsible for understanding the data protection practices of all third-party service providers that have access to Nonpublic Information (NPI). Section 500.11 specifically requires that covered entities implement policies and procedures to protect NPI that address the following:
500.11(a)(1) | Identify and assess third-party service providers that have access to non-public information.
500.11(a)(2) | Ensure third-party service providers meet minimum cybersecurity practices.
500.11(a)(3) | Establish a due diligence process to evaluate adequacy.
500.11(a)(4) | Conduct periodic assessments of service providers.
See how the legal department at one of the largest mortgage companies leveraged the ACC Vendor Risk Service to identify which of their third parties are applicable to 23 NYCRR 500.11 and comply in a timely manner. See Case Study.
“With the ACC Vendor Risk Service platform, I feel confident in Plaza’s compliance, ability to monitor, and safeguard itself from the risks associated with third parties.” Scott Laughlin, Corporate Counsel and Chief Information Security Officer, Plaza Home Mortgage
A shocking 79.5% of third-party vendors assessed by Jordan Lawrence's Vendor Risk Profiling service are identified as regulated or high-risk. Over half of respondents to a recent Ponemon Institute survey said they don't know if their vendors' safeguards are sufficient to prevent a data breach (see section 500.11(a)(2) above).
With mounting obligations related to data privacy regulations and seemingly endless data breaches traced back to third parties, your company can't afford to utilize indefensible processes. Contact us to learn how the ACC Vendor Risk Service can help you prepare to certify compliance.