Third-party service providers (“vendors”) with lax security controls can pose a significant threat to a financial institution’s security, and that same risk can even cascade to the institution from a vendor’s own vendor. Understanding and controlling those risks is the final frontier of an effective cybersecurity program as outlined by the New York Department of Financial Services (NYDFS) Cybersecurity Requirements. Starting today, March 1, 2019, banks, insurance companies, and financial services firms operating in the state of New York must have written policies and procedures in place ensuring they adequately vet their vendors’ information security systems. The NYDFS Cybersecurity Requirements went into effect two years ago on March 1, 2017, and were rolled out in three phases over two years. The vendor security requirement, found in 23 NYCRR 500 Section 500.11, is the final phase to come into force.

Section 500.11 requires that firms implement policies and procedures, due diligence, and contractual protections to evaluate and control the cybersecurity practices of their third-party service providers. These policies and procedures must be based on the firm’s own internal risk assessment and must address specific topics, such as the firm’s risk assessment procedure, its minimum security requirements for vendors, its due diligence efforts, and more.

Keesal, Young & Logan (KYL) has developed a strategic partnership with Privva, a leader in third-party security assessments, to help financial institutions comply with Section 500.11 and ensure the protection of their customers’ most valued information. The Privva platform allows security professionals across industries to manage an efficient vendor risk management program, including automated assessments and ongoing remediation of risks. The platform gives clients the flexibility to bring an existing security assessment or use industry-standard frameworks, such as the Shared Assessments SIG or NIST-based questionnaires.

KYL and Privva have developed a six-step process and solution to vendor security, which includes:

  1. Develop Policies and Procedures: Draft or revise policies and procedures to ensure the protection of customer information and compliance with applicable regulations.
  2. Create an Assessment: Leverage industry-standardized assessments provided by Privva or develop tailored assessments in line with your firm’s policies.
  3. Inventory Vendor Profiles: Maintain comprehensive profiles and vendor-specific documents on a centralized platform. Classify and categorize vendors by business criticality and data access. Make year-over-year surveys, assessments, and spot audits more efficient.
  4. Distribute Vendor Assessments: Distribute an unlimited number of assessments to vendors simultaneously. Privva enables streamlined communication between stakeholders and provides a real-time view of the overall project status. Privva’s architecture allows institutions to group similar vendors by assessment type (e.g. data access, risk tier, or business unit).
  5. Analyze Results: Review vendor responses and supporting artifacts to develop a proprietary risk score for each vendor.
  6. Remediate Identified Risks: Develop and communicate a remediation plan to vendors. Threaded communication provides real-time auditable tracking of remediation progress.

Please contact KYL at to learn more about 23 NYCRR 500 and how KYL and Privva can help protect your data.

Keesal, Young & Logan Cybersecurity and Privacy Group

About Keesal Young and Logan (KYL)

KYL opened its first office in Long Beach, California in 1970 with the goal of helping its business clients grow and prosper in the face of rapidly changing laws and challenges by competitors. The firm’s reputation has been forged through creative strategies, thorough preparation and planning, and strong advocacy in the courtroom.

In recent years, the firm has earned an international reputation in the areas of cybersecurity, privacy and innovation. Today, KYL’s professionals are embedded with forward-leaning legal departments from Silicon Valley to Wall Street, providing insights on compliance, operations and automation. For more information, please visit

About Privva

Privva is an award-winning, cloud-based vendor risk assessment platform delivering value for a diverse customer base across industries including legal, financial services (banks, hedge funds, private equity), technology, healthcare, education, and media. Privva’s solution streamlines the assessment process from authoring to automatic recurring delivery. The platform’s scalable approach to vendor risk management has resulted in users reporting more than 60% time savings, as well as improvements in the consistency of assessment scoring and analysis. Privva’s adaptable features enable a tailored approach to assessing risk with an intuitive user interface that drives a responsive experience throughout the process. For more information, please visit

This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.