Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

NYDFS updates cybersecurity FAQs to address use of utilization review agents

Privacy/Cyber Risk & Data Security NYDFS 23 NYCRR Part 500 State Issues

Privacy, Cyber Risk & Data Security

On October 25, NYDFS provided a new update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered in Infobytes, as were the last updates in February, March, and August.

The new update states that when a covered entity uses an independent “Utilization Review” agent (UR agent) who receives nonpublic information, the covered entity should treat the UR agent as a third-party service provider in order to properly assess and address any potential risks to their data and systems. NYDFS emphasizes that covered entities bear the responsibility for these protections.

Share page with AddThis