NYDFS Part 500 makes your vendors' security your written policy. Coverbase helps you back it up.
New York's cybersecurity regulation, amended in 2023, requires covered financial-services companies to maintain a third-party service provider security policy, and to report incidents, including ones at a vendor, within 72 hours. The §500.11 third-party requirements take full effect November 1, 2025.
Who Part 500 applies to
23 NYCRR Part 500, issued by the New York State Department of Financial Services, applies to 'covered entities,' meaning institutions licensed or authorized under New York banking, insurance, and financial-services law, with heightened obligations for larger 'Class A' companies. The 2023 Second Amendment phased in new requirements through November 2025.
What Part 500 asks of you
A third-party security policy (§500.11)
Maintain written policies for the due diligence, minimum controls, and contractual terms required of vendors with access to nonpublic information.
Vendor due diligence and reassessment
Assess third-party providers based on the risk they present, and reassess them periodically.
Contractual security terms
Require access controls including MFA, encryption, and breach-notification obligations in vendor contracts.
72-hour incident notice
Notify DFS within 72 hours of a qualifying cybersecurity incident, including one at a third-party provider, with a 24-hour notice for extortion payments.
Stand up your §500.11 program with evidence behind it
A policy on paper isn't enough. Part 500 wants diligence, reassessment, and contract terms to match. Coverbase keeps all three current.
Vendor diligence, automated
Assess and reassess third-party providers on a schedule, not ad hoc.
Required contract terms tracked
Flag whether vendor contracts carry the MFA, encryption, and notification clauses §500.11 expects.
Incident-ready records
Keep vendor facts on hand for the 72-hour DFS clock.
Audit-ready documentation
Hold the evidence behind your annual certification of material compliance.
One platform for third-party risk and security
Speed with control
Automate intake, assessment, and monitoring with built-in guardrails that preserve policy integrity.
Explain with confidence
AI provides traceable reasoning for every recommendation, so you can defend every risk rating and finding.
Automate with assurance
Adapt controls and meet regulatory changes in minutes, not months, without breaking your program.
Building Trust, Together
Some of the world's most innovative and security-conscious enterprises trust us to safeguard their data. We see security and privacy not as checkboxes, but as an ongoing promise to our customers. For questions about our security program or to report a vulnerability, please contact us at security@coverbase.ai.