Compliance · January 3, 2024 · 9 min read

Third-Party Vendor Management Under NY DFS

Section 500.11 requires written policies for third-party service providers. Here's what you need to know.

Your organization's security is only as strong as your weakest vendor. Section 500.11 of NY DFS 23 NYCRR 500 requires covered entities to implement written policies and procedures for the security of information systems and nonpublic information accessible to or held by third-party service providers.

What Does Section 500.11 Require?

Your third-party service provider security policy must include:

  • Risk-based identification and assessment of third-party service providers
  • Minimum cybersecurity practices required of third-party service providers
  • Due diligence processes for evaluating third-party providers
  • Periodic assessment of providers based on continued adequacy

Who Is a Third-Party Service Provider?

A third-party service provider is any person or entity that:

  • Has access to your information systems
  • Stores or processes nonpublic information on your behalf
  • Provides services that are critical to your operations

Common Third-Party Service Providers

Technology

  • Cloud service providers (AWS, Azure, Google)
  • Software vendors (CRM, accounting, HR)
  • IT managed service providers
  • Data backup providers

Business Services

  • Payment processors
  • Document storage/shredding
  • Marketing agencies with data access
  • Outsourced customer service

Building Your Vendor Management Program

Step 1: Inventory Your Vendors

Create a comprehensive list of all third-party providers that access your systems or data. For each vendor, document:

  • What services they provide
  • What data they access or store
  • How they connect to your systems
  • Contract end date and renewal terms

Step 2: Categorize by Risk

Not all vendors pose the same risk. Categorize them based on:

  • High Risk: Direct access to NPI, critical systems, or large data volumes
  • Medium Risk: Limited access to sensitive data or systems
  • Low Risk: No access to NPI or critical systems

Step 3: Conduct Due Diligence

Before engaging a new vendor (and periodically for existing vendors), assess their security practices:

  • Security questionnaire: Request completion of a standardized security questionnaire
  • Certifications: Review SOC 2 reports, ISO 27001 certification, or other attestations
  • Policies: Request copies of relevant security policies
  • Insurance: Verify cyber liability insurance coverage

Step 4: Contractual Requirements

Ensure vendor contracts include appropriate security provisions:

  • Data protection and confidentiality requirements
  • Incident notification obligations (72-hour requirement)
  • Right to audit security practices
  • Data return/destruction upon termination
  • Use of encryption and MFA

Step 5: Ongoing Monitoring

Vendor management isn't a one-time activity. Implement ongoing monitoring:

  • Annual reassessment of high-risk vendors
  • Review of SOC 2 reports when issued
  • Monitoring for security incidents or breaches at vendors
  • Periodic review of vendor access and permissions
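The five steps above, carried through as one small working model: an inventory record per vendor (Step 1), the article's tiering criteria (Step 2), a check of the Step 4 contract provisions, and the Step 5 reassessment schedule. This is an added example, not code from the article or from Buffalo Sentinel. The provision key names, the 90-day contract-expiry window, the sample vendor names and dates, and the reassessment cadence for medium- and low-risk vendors are assumptions made for this example; only the annual cadence for high-risk vendors comes from the article.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Contract provisions listed in Step 4; the key names are chosen for this example.
REQUIRED_PROVISIONS = {
    "data_protection",
    "incident_notification_72h",
    "right_to_audit",
    "data_return_or_destruction",
    "encryption_and_mfa",
}

# Reassessment cadence in days. "Annual for high-risk" is from the article;
# the medium and low intervals are assumptions for this example.
REASSESSMENT_DAYS = {"high": 365, "medium": 730, "low": 1095}

# Review date used by the sample run below (the article's publication date).
AS_OF = date(2024, 1, 3)


@dataclass
class Vendor:
    """One inventory record: the Step 1 fields plus the Step 2 risk inputs."""
    name: str
    services: str
    connection: str                      # how they connect (VPN, API, SFTP, ...)
    contract_end: date
    accesses_npi: bool = False           # direct access to nonpublic information
    critical_system_access: bool = False
    large_data_volume: bool = False
    limited_sensitive_access: bool = False
    last_assessed: Optional[date] = None
    contract_provisions: set = field(default_factory=set)


def risk_tier(v: Vendor) -> str:
    """Step 2: apply the article's criteria, highest tier first."""
    if v.accesses_npi or v.critical_system_access or v.large_data_volume:
        return "high"
    if v.limited_sensitive_access:
        return "medium"
    return "low"


def missing_provisions(v: Vendor) -> list:
    """Step 4: required contract clauses this vendor's contract lacks."""
    return sorted(REQUIRED_PROVISIONS - v.contract_provisions)


def reassessment_due(v: Vendor, today: date) -> bool:
    """Step 5: a never-assessed vendor is always due; otherwise compare cadence."""
    if v.last_assessed is None:
        return True
    return today - v.last_assessed >= timedelta(days=REASSESSMENT_DAYS[risk_tier(v)])


def contract_expiring(v: Vendor, today: date, window_days: int = 90) -> bool:
    """Flag contracts ending inside the window so renewal terms get reviewed."""
    return v.contract_end - today <= timedelta(days=window_days)


def review_inventory(vendors, today: date) -> list:
    """One finding record per vendor, ordered highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [{
        "vendor": v.name,
        "tier": risk_tier(v),
        "reassessment_due": reassessment_due(v, today),
        "missing_provisions": missing_provisions(v),
        "contract_expiring": contract_expiring(v, today),
    } for v in vendors]
    return sorted(findings, key=lambda f: order[f["tier"]])


# Constructed sample inventory; names, dates and provisions are made up.
SAMPLE_VENDORS = [
    Vendor("ExampleCloud", "hosting", "API over TLS", date(2025, 6, 30),
           accesses_npi=True, last_assessed=date(2022, 12, 1),
           contract_provisions=REQUIRED_PROVISIONS - {"right_to_audit"}),
    Vendor("ExampleHR", "HR software", "SSO + HTTPS", date(2024, 3, 1),
           limited_sensitive_access=True, last_assessed=date(2023, 6, 1),
           contract_provisions=set(REQUIRED_PROVISIONS)),
    Vendor("ExampleShred", "document shredding", "no system access",
           date(2024, 12, 31), contract_provisions={"data_protection"}),
]

if __name__ == "__main__":
    for finding in review_inventory(SAMPLE_VENDORS, AS_OF):
        print(finding)
```

Running the sample puts ExampleCloud first as high risk with its reassessment overdue (last assessed more than a year before the review date) and a missing right-to-audit clause, flags ExampleHR's contract as expiring within 90 days, and marks ExampleShred as due because it has never been assessed. Swapping the constructed list for a real inventory export is the only change needed to use the same checks on actual vendors.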

Vendor Incident Reporting

If a vendor experiences a security incident affecting your data, you may still be required to notify NY DFS within 72 hours. Ensure your vendor contracts require immediate notification of security incidents.

Buffalo Sentinel Vendor Management

Our platform includes vendor risk management tools with customizable security questionnaires, automated risk scoring, and a vendor inventory dashboard to track all your third-party relationships.
