NYDFS and Third-Party Risk Management: How It Impacts You
Description
The New York State Department of Financial Services (NYDFS) mandates that organizations maintain a cybersecurity program, establish information security policies, and create a third-party risk management program – among other important requirements. Because the regulation applies to most financial services organizations operating in New York, how can you make sense of the requirements and how they impact your organization?
Join compliance experts Alastair Parr and Thomas Humphreys as they explore the third-party risk management requirements in the NYDFS regulation and how they affect your TPRM program.
In this webinar, Alastair and Thomas review:
- The basics of the 23 NYCRR 500 regulation and what it covers
- How to create an accurate and comprehensive list of third-party service providers
- Due diligence processes for assessing the adequacy of third parties’ cybersecurity practices
- Creating proactive continuity and recovery plans to meet NYCRR 500 requirements
- The timeline for notifying NYDFS about any cybersecurity incidents from your third parties
Watch this on-demand webinar to learn how to navigate NYDFS TPRM requirements.
Speakers

Thomas Humphreys
Compliance Expert

Alastair Parr
Compliance Expert
Transcript
Melissa: Hello and welcome everyone. It’s great to see you all start joining. I will give you a minute while we wait for people to get situated and connected. In the meantime, I’m going to launch our first poll. You’ll see it pop up right on your screen here. I’m just curious what’s bringing you to today’s webinar. Are you in those beginning stages of your TPRM program? Maybe a current Prevalent customer? Is it educational? Maybe you just love attending webinars, it’s your hobby, let me know. And let’s begin real quick by getting some intros started. My name is Melissa. I work here in business development. And today we are joined by two special guests: Prevalent senior vice president of global products and services, Alastair Parr, and solutions expert and content manager Thomas Humphreys. Hello guys.
Alastair: Hello. Thank you for having us.
Melissa: Yeah, of course. And we also have our very own Scott Lang, VP of product marketing here. Hi, Scott.
Scott: Hey Melissa, how are you?
Melissa: Good. And today, Thomas and Alastair are going to discuss NYDFS and third-party risk management and how it impacts you. So, as a little bit of housekeeping, this webinar is being recorded, so you will get this along with the slideshow shortly after the webinar. And you are all muted. So, use the chat if you need to communicate something that’s not a question for the Q&A box. And without further ado, I will let Thomas and Alastair jump into it. Go ahead, guys.
Alastair: Thank you very much. And just to reinforce: of course, if you have questions that you’d like us to answer and try and weave into our conversation, please feel free to do so. I would reinforce the Q&A as opposed to the chat; that has a much better chance of getting to us, and we’ll try and weave it in as we go through. So, thank you very much for joining us today. Just to reiterate for those who haven’t heard from us before, I am Alastair Parr. I’m the SVP of products and services over here at Prevalent. And why am I personally qualified to talk to you about this? I’ve had the joy of auditing for the best part of a decade in the past, particularly around third-party risk management programs; I’ve been exposed to hundreds of third-party lifecycle programs. And I’m joined today by the illustrious Thomas Humphreys. Thomas, why are you qualified to talk to us today about NYDFS?
Thomas: Yes, hello Alastair, hello everyone. So yes, I’m the content manager at Prevalent, so I help to design and implement assessments that sit across a variety of standards and frameworks, not least in information security, cyber security and privacy. So the likes of ISO, NIST, GDPR and of course NYDFS. Prior to this, I was an ISO auditor for just under 10 years. So yes, many assessments across many different standards and frameworks.
Alastair: Thank you very much, Thomas. Now we are all going to enjoy probing Thomas today and getting some insights specifically around NYDFS. But the things we’re going to cover off in a bit more detail: we’re going to introduce NYDFS in the sense of NYCRR 500 and what it means. We’ll cover off how to identify and classify third-party service providers specific to the framework. We’ll look into applying due diligence when assessing third parties and then move into continuity. So, how do we maintain it over time? How do we focus on resilience and recovery, and specifically on incident reporting requirements? So, Thomas, to begin with, please feel free to give us a bit of insight.
Thomas: Yes, absolutely. And yes, welcome everyone to today’s webinar. So, for those of you who are not aware of the NYDFS cyber security framework, I’ll get into some of the details a bit later, but I think it’s worth just touching on, and perhaps taking a step back at, what’s happening not just in New York but around the financial sector overall. If you look back over the last two to three years, there’s been a continual increase in many different threats, predominantly cyber-based threats, and these are growing. We’ve seen many organizations such as the IMF highlight their concerns that there needs to be a stronger focus on applying security best practices. It’s been reported that, looking across the largest industries globally, just over 20% of phishing cases in 2021 were focused on the financial sector. There’s been a year-on-year increase in ransomware threats. And certainly if you look back from the beginning of 2020 all the way up to 2022, and even into the beginning of this year, the volume of high-profile and notable attacks such as SolarWinds, Log4j and other targeted threats have caused a rippling effect and rippling damage across supply chains, and not least this has impacted the financial sector. There’s been an increase in web-based attacks: SQL injections, cross-site scripting, any targeted attacks on corporate websites and web systems, and anything to implant malicious code at a targeted level. And of course, we have the growing trend in the volume of the supply chain and the increasing reliance on suppliers. So, what’s causing this increase in cyber threats? Well, there are quite a few different areas that we can discuss, but perhaps the more pertinent one to highlight is this concept of digital transformation. Not a new subject.
It’s been in place for probably close to 10 years now, if not a bit longer. But as we’re seeing financial organizations spend more time and more money investing in new technologies, new applications and systems and solutions, it’s increased the reliance on all of these different technologies and, with it, a greater reliance on the use of multiple third parties. And so we’re seeing this effect of greater exposure to the likes of these phishing and ransomware threats and other attacks. And it’s very much cyclical in nature, because it now increases the visibility across the wider supply chain as well. And looking back towards how we are securing our journey through digital transformation and the increased investment in and application of technologies and technological services as well. So there are many threats increasing significantly, and certainly enough to warrant a lot of large-scale and important regulators and organizations, not least NYDFS, to step up their game and to bring cyber security to the fore.
Alastair: I suppose it’s worth noting, Thomas, before you start weaving into a bit more detail specifically on the regulation, and I appreciate it’s very cyber-centric, but for everybody’s edification on the line, we are seeing a lot of interesting trends where we’re seeing additional focus. So cyber of course is a core component, as you’d expect, but there’s increased focus, as you may have seen from some of our other webinar sessions, on things like ESG, for example, being relatively topical, broader supply chain resilience, and of course privacy in many areas. This is just one segment of a broader digital transformation we’re seeing in the space, where people are starting to consider the geopolitical events, for example, or the environmental events that are occurring or impacting the supply chain in a bit more detail. So it’s certainly interesting, but for the focus of today on NYDFS, Thomas, would you be able to give us a bit of insight into the regulation itself and what it’s trying to achieve?
Thomas: Absolutely. And let’s start with a basic introduction. So, I use the term NYDFS. You’ll see a new term up here; we love our acronyms, for those of us who’ve been to a Prevalent webinar before. And we’re looking at the 23 NYCRR 500 regulation. So NYDFS is the actual department in New York State responsible for managing and distributing regulations and ensuring that they are carried out appropriately and correctly. But the actual NYCRR is the New York Codes, Rules and Regulations, and it’s this part of the framework that deals in cyber security. So this is a regulation that’s been enforced by NYDFS, and the purpose is to provide quite a prescriptive but structured approach for organizations to apply cyber security best practices. As you’ll see in slides coming up, there are quite a lot of different controls across a lot of different areas, some of which will maybe be very familiar to organizations, because, as we’ll see, when regulators such as NYDFS develop these frameworks, they are always focusing on where the best practices lie, best practices across not only their industry but the wider industries and the cyber security space as well. And so there’s a lot of commonality between the control sets and the expectations of the NYCRR 500 regulation and the likes of ISO and NIST and other non-regulatory but best-practice standards. So, it’s featuring both governance and operational controls, and we’ll break down those controls in a short while. But very much the focus is that validation of saying these are the best-practice requirements that we require businesses to apply, and if they’re applied correctly, it should be a good demonstration of your overall security posture. Of course, I talk about it in the singular view in terms of an organization’s application of the regulation.
But as we’ll see through today, there’s also a very strong link and expectation of how you apply this framework to your third parties and to the wider supply chain as well.
Alastair: Interesting. So, Thomas, are you seeing any particular drivers as to why you’re seeing this increased focus across various politically specific regulations and frameworks towards the supply chain? You obviously touched on the fact that previously there’s been an increase in cyber attacks, but any real drivers that you’ve been seeing NYDFS taking to focus on third-party resilience and supply chain risk?
Thomas: Interesting question. So yes, as you mentioned, obviously one of the drivers will always be where there are new and emerging threats and where there’s a heavy increase in threats such as phishing and the volume of ransomware. But it’s also, and we typically find this, and perhaps this is where the digital transformation piece comes in quite neatly, because if you take cyber security out of the equation and just focus on the supply chain, there is a need for a lot more interoperability between financial organizations, for example, and the need to have a more open environment and a more open society, something which of course we’ve seen quite rapidly. If you look at the last two years, one of the offsets of the pandemic in 2020 was that it caused a huge drive for a lot more capability for financial organizations to be able to interact with their customers in a better way, in a more seamless way. And of course this has always led to, and always will lead to, an opening up of the supply chain and interacting with more vendors. But as you indicated, Alastair, one of the other offshoots to this, outside of cyber security, is looking at those other areas that are becoming far more topical, such as ESG and the provenance of the products and services that financial organizations are using from third parties.
Alastair: Thanks, Thomas. So tell me more: what is the regulation?
Thomas: So yes. I mentioned at the start that this is focused obviously on New York State and financial organizations that are based and operate within the state. However, it’s important to notice that even from the outset NYDFS set out certain exemptions, and the purpose of these exemptions is not to say you don’t need to comply with any aspect of the regulation, but given the type of organization you are, there may be a reduction in the type of controls and the volume of controls. So if we see on the left-hand side organizations that have fewer than 10 employees, less than $5 million in gross revenue and less than $10 million in year-end assets, and at the bottom those organizations that don’t have any control or access over information systems or non-public information: looking at the right-hand side, they do not need to comply with those controls. So if you see at the top level, they don’t need a formal CISO. There are aspects around application security, audit trailing, training and monitoring that are not formally applicable. What do I mean by this? They can still implement them as a best-practice framework and as an overall best-practice methodology and approach. But it means that from a regulatory perspective, and when validating back to the regulator themselves, they don’t need to provide that evidence to say we have a CISO and the requirements that come with having an overarching role to manage cyber security in the business. So yes, NYDFS have established a set of exemptions which are carrying through even now when we’re looking at the proposed rules, something I’ll go into in a short while, because there have been recent proposed updates to the framework which we’re expecting to go live later this year.
Melissa: Hey Thomas, real quick, a quick question came in. Can you confirm if these exceptions are for the entity and not our third-party vendors?
Thomas: So these are for what NYDFS lists as a covered entity. That is correct. Yes. So I should have mentioned that. Apologies. So, like all good regulations and frameworks, NYDFS sets out some clearly defined terminologies, one of which is what it calls a covered entity. And it’s these organizations that would have these exemptions in place.
Thomas: Yes.
Melissa: That’s it. Thank you.
Alastair: Thanks, Thomas. And just to expand on that, I appreciate that there are some proposed changes specifically around things like expanded reporting obligations, etc. We will touch on that in a bit more detail further on as well. So thank you. Please do keep the questions coming. So Thomas, could you explain the variances there between the governance controls versus the operational controls?
Thomas: Absolutely. So this is now where we get into a lot more detail around how NYDFS is structured as a framework. So as you can see on the screen there are 17 different bullet points. Each of these bullet points represents a different set of controls. So from cyber security programs and policies, through to controls covering asset management, incident and business continuity (an area that we’ll be covering later today), as well as operational or technical controls, if you will, around vulnerability management and penetration testing, the use of applications, managing access to systems, encryption and many more. And it’s important to note that I’ve specifically captured them in this way because, given that there’s a strong emphasis from NYDFS to create a structured approach or structured management system, if you will, when developing or implementing NYDFS requirements, taking the overarching governance approach (so senior management response, developing policy and process, establishing risk management assessments) and then looking at technical and operational controls that can complement those governance controls, I think, is a sensible way to approach it. You may have noticed that there are four particular areas that are in bold, and this represents, and this is where the proposals come in, four areas where the wording of the subject of the control areas has actually changed.
So for example, under 500.04 in the current instance we’re looking at Chief Information Security Officer. This has now changed to cyber security governance, and again underlines some of the proposed changes that are coming in, explaining that yes, chief information security officers are important, and the overall oversight and reporting line that they provide to an organization, but there’s more emphasis on the use of senior management and board-level management if that’s appropriate to the organization. So there’s a lot more emphasis that we’re finding in the expansion of many of these controls. And in a similar vein for incident response and business continuity. So it’s not that these topics weren’t there in the current version, it’s just that they’ve been expanded. And Alastair, if you wouldn’t mind clicking one more time, I believe there is a little animation that should come up. Yes. And it’s also worth noting this piece as well. So I talked in the previous slide about how there are some exemptions based on the type of organization you are. If you’re not holding non-public information, for example, or information systems, well, there’s another rule around the concept of so-called Class A companies, and as you can see, it’s almost taking it to the other extreme. So, organizations who have revenue in excess of 20 million US dollars, who have more than 2,000 employees, there are additional rules and additional controls that are impressed upon those organizations. So to give you an example, the requirement of having an independent auditor come into the business on a yearly basis to conduct an assessment of their application of NYDFS. So again, it’s interesting to see where they’re maintaining those exceptions to say we understand companies of five employees or less, who have very minimal interaction with sensitive information systems: some of this may be too much for them.
And so we need a more consolidated set of controls. And at the other extreme, for those larger organizations, there are additional controls that we need to impress upon them. So lots of change, lots of similarity with the structure and the purpose of the NYDFS, but there are some exciting times in terms of the type of controls that they’re bringing out and expanding upon.
Alastair: Now, one of the things I’ve found particularly interesting, Thomas, is when people have been raising some of these proposed changes, specifically around some of the expanded reporting obligations, there’s been some concern on how people are going to be able to effectively report. For example, let’s say there’s an obligation for 72 hours being proposed in the event of a privileged account or unauthorized user getting access to a privileged account, or events that have resulted in ransomware, or even in some cases where there’s been extortion and payments; people are concerned about how they’re going to meet those obligations. The thing I found quite interesting is there’s a bit of resonance there with what we’ve seen in privacy across the board, where we’ve seen enforced reporting requirements for things such as GDPR. There was some initial controversy and concern about how that would apply, and then pretty quickly we saw the industry and the mechanisms react accordingly to make sure that people were able to (a) identify such incidents and events in a timely manner, and then (b) start baking that into the respective downstream vendor contracts, so that if, say, a third party had an incident and a covered entity had to react accordingly, the mechanisms are in place contractually as much as technologically in order to be able to support that. So there have certainly been some interesting conversations tied to the proposed amendments. I’m sure you’ve seen the same.
Thomas: Absolutely. And yes, it’s always one of the key areas that we get faced with. I know not just for this but for others you mentioned; you know, if you look at privacy overall in the likes of GDPR, and even the more recent CCPA in California with the new privacy rights act. And it’s important obviously for the regulators themselves, and I think largely they do take that on board in terms of, you know, notifications to respond to the regulator, particularly when you’re looking at data breaches, and the diversity of the type of organization that they’re dealing with as well. So a lot of this is taken into account, and it’s important to note that. So yes.
Alastair: Fantastic.
Thomas: Looking ahead then, so I’ve mentioned there have been a few changes. I will briefly touch on perhaps some of the more pertinent areas. I’ve identified three key changes: one that I’ve labeled as policy and process development, enhanced operational control, and then incident and business continuity. All of them with an overarching aim to improve and enhance on those concepts of security best practice. So we start with the first piece around policy and process development. So there’s always been a need to have security policy within NYDFS, and they’ve often listed a range of policies ranging from access control to asset management, for example, incident policy, and so on and so forth. And we’ve seen again an increase, or what looks like an increase, through the proposed amendment, not in the volume of policies and procedures or procedural documentation, but enhancements to those documents. So to give you an example, incident management and business continuity existed in the current regulation. That’s been expanded out to have its own set of prescriptive controls on how a continuity plan is actually developed and the key aspects that should be covered. Likewise for asset management, for example, an enhancement to the policy and the need for the policy to include end-of-life products: for example, what happens to an end-of-life asset and how is it disposed of in an appropriate manner.
So there’s been an increase in the governance from the concept of policy and process. Before looking at the technical controls, the enhanced operational controls, I’ve mentioned three key aspects there: authentication, assets and threat monitoring. So again, these are areas that already exist in the current framework but have been expanded, and there have been adjustments to some of them, in some cases quite significantly. So to take authentication, for example, it was noted by NYDFS over the past two to three years that a control that was not being sufficiently implemented by many businesses was around multifactor authentication. There’s now a separate control just focused on MFA, and again this aspect is included and expanded within the access control components of NYDFS. So they’ve seen a need to enhance the requirement of how MFA is developed, or at what points in the process or in the system MFA is being used. In a similar vein, threat monitoring and the frequency with which vulnerability assessments and penetration tests are carried out. And then finally, as we’ll see in a few moments, an expansion, and quite a significant expansion it has to be said, around incident response, incident management, and the full end-to-end lifecycle of business continuity and disaster recovery planning, process and testing. And what’s interesting across these three is each aspect of them to a degree has been enhanced from a third-party perspective. So for example, the way third-party policy is required and what’s required within that third-party policy, the relationship between your third parties and some of the technical controls, as well as the level of response that a third party should provide to you if it suffers an incident or an event that would cause it to enact a continuity plan, for example.
So there’s a strong link with third-party management across each of these three changes.
Alastair: So I appreciate there are a fair few more significant changes really that are going to impact how people respond. Thomas, based on what you’ve seen with NYDFS in the past, and I appreciate it’s been going through the consultation process looking for feedback into January, do you have any, not that we’re going to hold you accountable here, but do you have any gut feeling as to when people expect it to be enforced?
Thomas: Yes. So, typically when they go through these processes, they give guidance, and they always do it in days. I think it’s 180 days, or six months, from the date of amendment. And the date of amendment was around October 2022. So I think the current expectation, because the consultancy piece has now closed at the end of January, and so if that timeline’s correct, we’re looking at an April time period, between April and May this year. So not too far off, two months or so. But yes, the consultancy piece has now closed as of the end of January, which also means that we shouldn’t expect any significant changes other than what’s already out there in the proposal.
Alastair: So would your general guidance on that, Thomas, then be to start making sure that we have the relevant control mechanisms in place to be able to accommodate the current draft as it stands, in some shape or form?
Thomas: Absolutely. Yes. I mean, once it gets to this stage, as I say, once there’s been the amendment and the process to review has now closed, given that we know we’re looking at two or three months away, it’s a very appropriate time to start looking at those changes, looking at how significant they are, looking at that gap assessment between what you have now and what’s required to change, and looking at perhaps the more significant areas that have changed, such as the business continuity piece. So yes, I think it’s an appropriate time to start making those adjustments, or at least conducting those reviews to understand how significant those gaps are based on what you’re doing currently.
Alastair: Makes sense. So with that in mind, how do we actually start identifying and classifying third-party service providers? And one question we’ve had a couple of times actually is how do we consider larger SaaS companies in this, who typically are less reluctant to be able to actually share and allow things such as pentesting on site?
Thomas: Yes, that’s always a conundrum. It’s always a scenario that causes a bit of consternation when dealing with those very large organizations, and cloud providers are always a good example of that. I’ll come to that in a short while. So yes, if you think about it from the outset, if you’re starting off in the process, obviously we need to understand our third parties. We need to be able to identify who our third parties are, what they’re doing, where they are geographically, the size of them, the complexity, how involved they are. So obviously from an NYDFS perspective, perhaps we’re looking at: do they have access to any non-public information or information systems? What type of service offering are they providing that may be deemed mission-critical to our end goal as a business? So really identifying each individual third party and starting to build a profile of them: understanding volumes of data they’re processing, where they are geographically, how large an organization they are. Are they single-source suppliers? This is often quite a critical area just to underline and to be aware of. And all of this information helps build up that picture of where your third parties are, and starts to piece together how we’re going to approach assessing them or engaging with them in terms of understanding what controls we need to enforce upon them or assess them against with regards to the NYDFS framework.
One of the key aspects of this, of course, is the relationships: starting to think about the supply chain, starting to bridge out the interrelationships between all these different suppliers, and starting to see how complex the supply chain is, using some of the profile-based information obviously to do that. And once obviously we’re getting to the stage where we know who our vendors are, we know how large they are, the volume of vendors, we know where they are and the type of products and services they’re supplying to us, we can then hopefully start to look at how we tier these organizations. So those organizations who are holding very sensitive information or data, for example, they’re holding perhaps large volumes of financial records or are helping to process them for us, perhaps we want to naturally capture these as tier one, priority one, critical third parties, versus other organizations that are providing consultancy work for us, maybe on site within our premises, but perhaps based on the complexity of the business would be further down the chain of tiered suppliers. So tier three, four, five if necessary.
Alastair: Sorry. Quick question. So I appreciate that pragmatic and proportionate risk management based on profiling and tiering is pretty much the industry norm from that perspective. How much leeway and flexibility does NYDFS give in relation to understanding how compensating controls can address other requirements? So for example, they may meet most of the core requirements, but let’s say there’s one or two gaps that might not be applicable based on profiling and tiering. Can compensating controls support that?
Thomas: They can, to a degree. It depends on the type of control. NYDFS do make it clear in many instances when it could deem a compensating control to be adequate coverage for something that would have been more ideal. There is still a requirement for formal acknowledgement and sign-off from a governance perspective. Before the proposal, the focus very much was on the CEO and making sure that they had done proper due diligence and oversight into making sure those controls are sufficient and they’ve been applied correctly. And yes, I don’t see that changing in the proposal as well.
Alastair: Interesting, thank you. So when it comes to actually establishing proportionate remediation based on control efficiency, on the basis that we have a set of mandatory requirements from that perspective, and appreciating that we need to actually start tracking any commentary or observations that we make, how do you tend to see due diligence being applied?

Thomas: Yes, so I guess there are a couple of key points here, and this is where the NYDFS regulation and certain controls in the regulation become very pertinent and critical. When you’re thinking at the top level, applying this and assessing per third party, where do we start? You should always start with understanding what your third-party risk is. Now, we’ve gone through the concept of building a picture of our third parties, and again I’d emphasize the need to develop a clear risk management framework, as NYDFS suggests. It provides that clear structure in terms of third-party risks needing to be managed, identified, recorded and continually reviewed. That’s really the first step in identifying what we need to be focusing on when we’re looking at our third parties, because once we’ve identified those risks, once we’ve set a program in place for capturing those risks, we can then start to look at the most appropriate controls, not only from a governance perspective but also from a monitoring perspective, that we need to impress upon our third parties. When I say impress upon our third parties, that’s both from a contractual standpoint, saying these are expectations that we need you to implement based on what you’re providing to us, and also that ongoing due diligence, that ongoing review, audit and performance monitoring, to make sure that those controls that are required by NYDFS, and that are necessary in helping to address those risks, are being implemented appropriately.
And of course the ongoing, cyclical nature of this process helps build opportunities for improvement and acknowledges potential weaknesses, whether those are wider third-party program weaknesses from an organizational perspective or about improving the security posture of those third parties...
Thomas: ...on specifically. Yes. So, outside of that, once we’ve gone through the process of the risk assessment and we know the type of controls that we need to touch on with the third party, there are more questions that we should be asking ourselves. And again, as you can see, I’ve highlighted the five individual control areas. These five control areas represent notices with third parties; that is to say, where there are requirements that involve interaction with the third party in some capacity. So it’s always important to look and say, what are we looking for and what do we need to ask of the third party before we engage with them, and when we’re starting to formalize those contracts and agreements? So firstly, obviously, how involved are the third parties going to be in our product and service? Are we outsourcing a significant component or function to a third party? Are we handing over data sets and other information for that organization to manage? Is there reliance on the third party for cyber security practices? The concept of outsourcing is not new in NYDFS, and particularly for smaller organizations we see it as a very common approach to engage cyber security professionals, professional organizations and consultancies, even down to the level of outsourcing the CIO role for businesses. That was quite relevant and pertinent within the current framework. And of course this brings out a whole new set of questions, to make sure that, and again this is something that NYDFS stresses quite clearly, where there is a level of outsourcing or reliance, particularly on security best practices or consultancy from a third-party vendor, they still adhere to the requirements of NYDFS.
It’s not so much to say we’re handing all this information over to them, or we’re letting a third party manage this for us so we don’t have to do anything. There’s a strong emphasis from the standard to say that if there is a lot of outsourcing and reliance on third parties, you’re still doing your due diligence on them and making sure that they adhere to NYDFS. And then finally, obviously, does the third party interact with critical systems and information? So there are a few critical questions to ask when you’re starting out on the journey, but also regularly when you’re engaging with the third party, to make sure that the best practices being prescribed by NYDFS are being adhered to sufficiently and correctly. You may have seen from the last slide that there was a particular control, 500.11, focused around a third-party information security policy. This is where the framework really breaks down the individual components in setting up third-party due diligence. So, if we can go to the next slide, it touches on four key areas: identification and risk assessment for each third party; cyber security practices, or minimum best practices; due diligence to evaluate the adequacy of those cyber security practices; and periodic assessments that need to be carried out for each third party. Excuse me.
Alastair: Oh, Thomas...

Thomas: As you can see, these are four key areas of the security policy that exist currently in the current version of NYDFS, and are expanded very much across the proposed version as well. But it’s really underlining that whole step process I’ve identified: understanding the risks of the organization; working out, when you’re looking at NYDFS from each control clause, which are the most pertinent security practices that need to be implemented across a third party; and then the types of due diligence, whether it’s audits, whether it’s proactive assessments, whether it’s performance reviews. All of this then underlines the wider third-party risk management program.
Alastair: So, one question there, Thomas.

Thomas: Yes.

Alastair: Tied to the security policy, I appreciate that’s more of a prescriptive document that outlines what we’re going to do at a high level, and that tends to be supplemented by the process and then the demonstration that the process is being followed. So if we were looking to self-audit from this perspective, what sort of evidence do you feel is acceptable to demonstrate compliance with the overarching policy statements?

Thomas: Yes. So, if referring to just the third-party security policy, there are a few key takeaways here. As you said, yes, it seems very much focused around: do you have one policy that sets out all of these practices? But beyond this, we’d also be looking at agreements and contractual statements. How do you incorporate those practices into the agreements of a third party, in terms of performance review meetings, and understanding the step process of how you do that due diligence? The fallout from that is also critical. So if you’re thinking about the concept of ‘we audit our third parties on a regular basis’, what evidence can we show to say that we’ve done that due diligence and they are performing? If they’re not performing, here’s where. Just look at establishing a framework or process or function that enables us to capture risks and issues that come out of that due diligence, and ongoing processes and corrective actions to correct those issues. If you’re looking at policies in a wider sense, again, it’s important to note, and I haven’t done the count on this, I think policies are mentioned between 12 and 13 times in the framework.
In some organizations, if you think of those class A businesses, it might be that if you have a class A third party, they’ll have 13 separate policies and, underlying those policies, individual procedural documents and other evidence that they could show. But if you’re another organization that has five personnel, how do you apply that? You can’t develop so many complex policies and documents. But there is importance. So there’s a lot of flexibility to say, as long as it’s appropriate to fit the organization. There are a few best practices we can apply in terms of sourcing or asking for evidence, whether it’s documentation, whether it’s meeting minutes, whether it’s records of how risks are being managed. But it should all be taken into account based on the type of business, the type of third party or, sorry, the complexity of the third party.
Alastair: Yeah, that’s a good point. I think it’s certainly reassuring to know there’s a degree of pragmatism in it, in the sense of proportionate allocation of resource. I appreciate some businesses are going to have the advantage of having whole audit and compliance teams to work with infosec to steer this, while others, as you said, certainly won’t have that opportunity. So pragmatism sounds like it is very key there.

Thomas: Yes, very much so.

Alastair: Brilliant. So, I’d love to know a little bit more, if I can, about the incident response process, from a continuity, recovery and incident reporting perspective. Would you mind illuminating a bit more there please, Thomas?
Thomas: Absolutely. So, I mentioned at the start that this is an area that has gone through quite a bit of an upheaval, in terms of expanding the control and expanding the description of the control. It’s interesting that they do bundle it all together: incident response, business continuity and disaster recovery. Quite a mouthful, but it’s all bundled under one control. What they’ve done is they’ve expanded, or they’re going to be expanding, this concept of developing an incident plan, an incident policy, and developing a set of BCDR policies. I’ve got a quote at the top of this page, which the new NYDFS will require, and they state that when they’re developing response plans, companies should look to address cyber security events, including disruptive events such as ransomware incidents. It’s interesting that that is a specific quote coming straight from the framework, and I think it just helps to underline where the regulator is recognizing that some of these threats are becoming ever more relevant, ever increasing. So they’re asking companies: you should be paying attention to how you approach these types of disruptive events. It’s dramatically expanding the requirement of how incident management should be defined: the need to set processes for incident response, containing incidents, responding to incidents, and escalating in terms of communication paths. The actual reporting on the cyber security event and related response activities has also undergone a change and an expansion. Of course, this is where the third-party aspect can also come into it quite neatly. So of course you’re looking at our own methods of how we respond to an incident, a cyber security event.
When it comes to a third party, the importance is to underline from a contractual perspective: if you are the one looking after these systems, financial data for example, and you suffer a breach or an event, we require you to notify us through an appropriate communication channel. So there’s extra emphasis on that concept of roles and responsibilities, decision-making in the business in terms of what actions we need to take and at what point we need to escalate, whether it’s from the third party back to yourselves as an organization, and the other way as well: from yourselves as an organization back out to your customers and to the regulators themselves. So from an incident management standpoint, yes, there’s been quite an expansion in terms of how the response plan is developed, and the roles, responsibilities and objectives that sit around that. Again, this mirrors quite nicely, when you look at the text of the requirement, what other frameworks have been saying for many years already, the likes of the ISOs and the NISTs of the world. So I think it’s quite encouraging that NYDFS have taken a lot of this best practice under their wing as well.
Alastair: Yeah, I think it’s quite telling as well in the recent changes. So, your comment there and your quote, ‘disruptive events such as ransomware’: the fact that they specifically called out in some of the proposed changes the notification of, I think it’s 24 hours, for an extortion payment.

Thomas: Yes.

Alastair: With subsequent notification on why that was necessary. I personally quite like the emphasis on the fact that people need to justify why they didn’t have the proportionate measures in place to react to it through resilience and being able to recover, in the sense of a ransomware event. So it’s quite telling, and shows the intent and direction, I think, of the documentation in question.
Thomas: Absolutely. I think it’s a lot more accountability and a lot more openness that they’re getting from these businesses. Yes, it’s going to be interesting to see some of those justifications.

Alastair: If and when they occur.

Thomas: Hopefully there aren’t too many people making payments, and generally they have a robust and resilient way of recovering compromised data. And of course that brings us on to the next topic, which is again around BCDR. I mentioned from the outset that BCDR is not a new term in NYDFS. The interesting thing, however, was that when you look at the old versions, it was very light touch, which can be fine if you’re familiar with the subject area. The difficulty of making a subject such as BCDR light touch is that it can be quite a complex topic in its own right. So, again, I think it’s encouraging to see that they’ve taken this idea of what’s expected in developing a continuity and DR plan, or set of plans, with a lot of best practice guidance and expectation, much of which mirrors other standards and best practice frameworks that are out there already. So what are some of the key areas that this covers? Firstly, the expectation that you should be identifying all of your assets, all of your infrastructure, your critical infrastructure that’s essential to continued operation. It’s always the starting point we look at when we’re discussing continuity plans and scene setting, from business impact assessments, identifying, based on what we’re doing as an organization, what assets are critical to us. Should we suffer an event, what would we need to recover at the earliest opportunity? Secondly, the communication piece.
So, the use of business continuity coordinators, communicating internally if a plan has to be activated, but also communicating with all essential persons; this is text that again is pulled from the regulation: ‘all essential persons in the event of an emergency’. So who do we mean by an essential person? We’re looking at both internal and external. Externally, we’re looking at key stakeholders and interested parties, from customers to, obviously, the regulator themselves, but also the other way, in terms of third parties, businesses that you may be relying on to help support a particular critical asset, piece of infrastructure or process. So there’s an expansion in having clear communication channels when you’re developing a continuity and recovery plan, whether it’s as part of testing those plans or putting them into action should an event occur, and identifying third parties that are necessary to continued operation. That follows off the back of communicating with essential persons: not just notifying them should an event occur, should a disaster force you to move your operation to a backup site, for example, or into different environments, but making sure that if we’re reliant on a critical third party that’s necessary to our top-level assets and infrastructure, such that if they fell over, if they stopped operating, we could be in serious trouble with our customers and key stakeholders, we need to involve them within our continuity process. Do we need to involve them from a testing perspective? And if we have a recovery plan that involves recovering to backup sites or backup locations, do we need to involve those third parties as well, to make sure that they can also supply within the time frames that we’re setting ourselves? So there’s a lot of expectation and a lot of expansion.
I personally think quite rightly, in terms of making sure you’ve got complete coverage of recovering any assets, infrastructure or systems that are necessary and important for the business.
Alastair: One of the things I really take away from this, which is interesting, is that contractual clauses for communication and interaction with the supply chain are so key to being able to actually effectively apply any meaningful resolutions to this. So certainly interesting. So, Thomas, if I was in an elevator with you for 30 seconds, how would you summarize what we’d actually do in order to address the regulation?

Thomas: Yes. So firstly, identify third parties. That’s always a key starting point: getting to know who your third parties are, what type of data they’re handling, what type of assets, what they are doing for us for our critical operations. What should wrap around that is the wider TPRM program of how we manage those third parties and identify the type of controls that we need to impress upon them, to review and assess them against, not least the areas we’ve just discussed around incident and continuity. Once we’ve identified those third parties, start understanding and developing those risk assessments regularly, and that’s the important thing. These are never one time only, forget it, lock it away in a drawer. This is a regular process of reviewing risks across your landscape, such as those around phishing and ransomware that we discussed at the start of the day. Review that regulation, make sure you know the controls, you know the controls that third parties should be adhering to. If they’re accessing sensitive systems, are access controls appropriate? Have you considered multi-factor authentication? If they’re handling sensitive data, do you have that communication tree around how they respond to an incident or a continuity event? And then thirdly, use that 500.11 control to help build a third-party policy, a risk management program.
And start to again have that continual review cycle of our third parties: do they have a good security posture and, more importantly, is it aligned to what NYDFS is expecting?
Melissa: Lovely. Thank you very much, Thomas. So I’m going to hand over to our lovely Scott Lang to talk specifically about how Prevalent can support complying with some of these regulations. But while we do, we will be launching one last poll. So over to you, Scott.

Scott: Thanks very much, Alastair. I just want to make sure you guys can hear me. Okay?

Melissa: Indeed. Hi, Scott.

Scott: Awesome. Terrific. Okay, great. Just real quick, guys, one or two slides on how Prevalent can help you simplify the process of meeting your compliance requirements like NYDFS. Look, at the end of the day, I think you want to achieve three things with your third-party risk management program, regardless of whether you’re trying to aim for an NYDFS-type compliance regime, or just better practice, or just to defend against potential cyber threats or other compliance problems that might come down the line. Number one, get the data you need to make good decisions. Increase your team’s efficiency and knock down silos between the groups that kind of argue a little bit over third-party risk. And then finally, give your program the opportunity to scale and evolve over time to meet changing requirements. Look, if you’re using spreadsheets to do this, I think you know, and I know that you know, that’s not the right approach. You need to have some level of automation in there to collect the right controls information from your third-party outsourcers, vendors and suppliers, get that into a place where you can manipulate that data, score it, understand who presents the highest level of risk to you, and then recommend remediations to get them down to an acceptable level of residual risk over time. You can’t do it without data, and you can’t do it if everybody’s hands are on the plow.
Look, at the end of the day, our approach to addressing the problem of third-party risk management is to simplify and speed up vendor onboarding, give you a single source of truth and a single process to manage vendors throughout the life cycle, streamline that process and close gaps in risk coverage, and then unify all the different internal teams that might be involved in third-party risk, from the point you source and select a new vendor to the point where you offboard and terminate that relationship. We do that through a combination of our experts, an unprecedented level of data that we bring into the platform to help you make good cyber security risk-based decisions, and a platform to automate workflow and reporting to close the loop on any number of risks that you see right in front of you. Again, our goal is to help make you and your organization smarter, to unify your processes and give you a much more prescriptive approach to closing the loop on third-party risk. What I have prepared for you guys is a compliance checklist specifically written for NYDFS 23 NYCRR 500. It’s 13 pages, goes chapter and verse through the regulation, and then maps best practice capabilities, and ultimately how Prevalent can help, to each one of those control group areas that Thomas reviewed on the webinar today. So this will come to you as part of the follow-up with the recording and more. And with that I’ll stop talking and put it back over to you for questions. Sorry.
Melissa: We are at the top of the hour, so I’m going to say my thank yous to Alastair and Thomas, and of course you, Scott. Thanks for asking all these questions, everyone. We tried to weave in as many as we could, but feel free to email info at prevalent.net if you still have a pressing question and we can route that to the correct person for you. And lastly, I’m so glad you could all join us today, and I hope to see many of you in your inboxes and at a future webinar. Take care, everybody. Thank you.
Alastair: Thank you.

©2025 Mitratech, Inc. All rights reserved.
