NYDFS Part 500 does not regulate software vendors directly, but it imposes strict obligations on covered financial institutions that flow down to all third‑party service providers, including both on‑premise software vendors and SaaS/cloud providers. The regulation treats vendors as part of the covered entity’s extended attack surface, and the 2023 Second Amendment significantly strengthened these requirements.
The result is a framework where financial institutions must assess, contractually bind, monitor, and enforce cybersecurity controls on their vendors—regardless of whether the vendor delivers software installed on‑premise or operates a SaaS platform.
How NYDFS Part 500 regulates vendors
The core rule: § 500.11 (Third‑Party Service Provider Security Policy)
Covered entities must implement a written third‑party security policy that ensures vendors maintain appropriate cybersecurity practices. This policy must address:
- Risk assessment of each vendor
- Minimum cybersecurity practices required of vendors
- Due diligence before onboarding
- Contractual controls to ensure compliance
- Periodic reassessment of vendor risk
- Multi‑factor authentication and encryption requirements
- Notification obligations for cybersecurity events
This applies equally to SaaS providers, cloud platforms, managed service providers, and on‑premise software vendors.
Requirements that apply to all vendors (SaaS and on‑premise)
- Security controls aligned with the covered entity’s program
Vendors must maintain controls consistent with the financial institution’s cybersecurity program, including:
- Secure development practices
- Access controls and least‑privilege enforcement
- Logging and monitoring
- Vulnerability management
- Encryption of nonpublic information
- Contractual obligations
Vendor contracts must include:
- Representations and warranties about cybersecurity practices
- Breach notification duties (aligned with the 72‑hour NYDFS reporting window)
- Right to audit or obtain independent assessments
- Requirements for subcontractor oversight
- Data retention and secure destruction requirements
- Incident reporting
Vendors must notify the covered entity immediately upon discovering a cybersecurity event.
If the event materially affects the covered entity, the entity must report it to NYDFS within 72 hours.
- Access restrictions
Vendors with access to systems or data must use:
- Multi‑factor authentication
- Strong authentication for privileged accounts
- Network segmentation where appropriate
- Ongoing monitoring
Covered entities must periodically reassess vendor risk, which may include:
- SOC 2 reports
- Penetration testing results
- Security questionnaires
- On‑site or virtual audits
Additional obligations for SaaS and cloud vendors
SaaS providers typically fall under heightened scrutiny because they:
- Store or process nonpublic information
- Control the infrastructure and security stack
- Introduce concentration and systemic risk
As a result, covered entities must ensure SaaS vendors provide:
- Documented data‑handling practices
- Encryption at rest and in transit
- Tenant isolation controls
- Business continuity and disaster recovery capabilities
- Clear data‑return and deletion procedures
SaaS vendors must also support the covered entity’s ability to:
- Conduct risk assessments
- Access logs
- Investigate incidents
- Meet regulatory reporting timelines
Additional obligations for on‑premise software vendors
On‑premise vendors introduce different risks, so NYDFS expects controls around:
- Secure installation and configuration
- Patch and update delivery
- Vulnerability disclosure and remediation timelines
- Hardening guides and secure configuration baselines
- No backdoors or unsupported components
Covered entities must ensure they can:
- Apply patches promptly
- Monitor the software with their own tools
- Control privileged access used by vendor technicians
How the Second Amendment raises the bar
The 2023 update strengthens vendor‑related expectations by requiring:
- More prescriptive MFA requirements for vendor access
- Stronger logging and monitoring to detect vendor‑originated incidents
- More detailed incident response plans that include third‑party scenarios
- Asset inventory requirements that include vendor‑managed systems
- Expanded reporting obligations for third‑party breaches
For Class A Companies, the amendment also requires:
- Privileged access management (PAM) for vendor accounts
- Endpoint detection and response (EDR) on systems vendors can access
Practical implications for financial institutions and vendors
- Vendors must meet bank‑grade cybersecurity standards, even if they are not directly regulated.
- SaaS providers face heavier contractual and operational scrutiny.
- On‑premise vendors must support rapid patching and secure configuration.
- Covered entities must maintain continuous oversight, not one‑time due diligence.
- Vendor breaches can trigger NYDFS enforcement, even if the vendor is at fault.