Third-Party Risk Management and NY DFS 23 NYCRR 500: How Vendorpedia Helps


With Vendorpedia, organizations subject to the NY DFS 23 NYCRR 500 can successfully comply with the regulation’s vendor and third-party service provider requirements. Vendorpedia software empowers covered entities to automate the management of third-party risks in accordance with the law.

Third-Party Risk and the NY DFS 23 NYCRR 500

The NY DFS developed 23 NYCRR 500 to address cybersecurity threats and to protect both customer information and the information technology systems of regulated entities. Section 500.11 (Third Party Service Provider Security Policy) applies specifically to third-party risk management. Vendorpedia enables financial entities like yours to execute the third-party risk requirements of the law and maintain the records needed to demonstrate compliance.

Implement Third-Party Risk Policies, Automate Procedures

Compliance with NY DFS 23 NYCRR 500 requires written third-party service provider security policies and procedures, and the ability to show that they are followed. Vendorpedia operationalizes your third-party risk management program, enabling your organization to implement third-party risk policies consistently across teams and to automate the associated procedures. Configure workflows to standardize operations across stakeholders, streamline communication, and maintain an exportable audit trail for compliance.

Identify Service Providers, Perform Risk Assessments

Knowing the third-party service providers in use and the risk they pose is critical to compliance, especially for financial organizations. With Vendorpedia, organize all your service providers in a central inventory, and then conduct risk assessments on them as required by 23 NYCRR 500.

Conduct Due Diligence to Evaluate Cybersecurity Practices

Your third-party service providers should meet the same cybersecurity standards that you implement internally. Vendorpedia Assessments and Due Diligence, combined with the Global Risk Exchange, offer automated methods to assess third parties against the requirements of 23 NYCRR 500. For instance, vet third-party service providers' policies and procedures for access controls, including their use of multi-factor authentication, and for encryption of nonpublic information in transit and at rest. Execute the assessment, review, and reporting all through a single user interface.

Automate Reassessments and Monitor Third-Party Risks

NY DFS 23 NYCRR 500 requires periodic assessments of your third-party service providers. Reduce manual processes with Vendorpedia by configuring automation rules and triggers to automate reassessments. Additionally, link your third-party service provider to its profile within the Global Risk Exchange, and Vendorpedia will automatically monitor third-party risks over time.

Is your organization a covered entity under NYDFS 23 NYCRR 500?

See How Vendorpedia Can Help

Managing Third-Party Risks Under NY DFS 23 NYCRR 500 with Vendorpedia

Contract Management

Track key contractual protections relating to third-party service providers to ensure that they meet minimum cybersecurity practices

Risk Assessment

Evaluate the adequacy of cybersecurity practices and assess the risks posed by third-party service providers

Incident Response

Develop an incident response plan and hold service providers accountable to their contractual notification requirements