Overview

On October 21, 2025, the New York State Department of Financial Services (NYDFS) released comprehensive guidance for registrants regarding management of cybersecurity risks associated with third-party service providers (TPSPs), including cloud computing, file transfer systems, AI and fintech solutions.[1] As reliance on external vendors for critical technology services grows, so too do the cyber threats to operations and sensitive customer data. The guidance clarifies regulatory expectations, highlights best practices, and underscores the importance of robust third-party risk management throughout the entire vendor relationship lifecycle. In summary, companies can outsource functions but will still retain responsibility for cybersecurity oversight.

Practical Implications for Regulated Entities

  • Board and Senior Management Engagement:
    Leaders “must have a sufficient understanding of cybersecurity-related matters to exercise appropriate oversight, which includes the ability to provide a credible challenge to management’s cybersecurity-related decisions to ensure that those decisions align with the entity’s overall risk posture and resiliency objectives.”
  • Tailored Risk Management:
    Policies and procedures should reflect assessments of the cyber risks each TPSP poses based on the nature of the services, the system access granted, and the sensitivity of the data involved. Much of the guidance is principles-based, which offers registrants flexibility in designing and applying controls. However, that flexibility can also create uncertainty as registrants strive to put concepts into action in a manner that would satisfy a NYDFS exam or other review.
  • Contractual Leverage and Documentation:
    Entities should seek to negotiate reasonable protections in vendor contracts, even where bargaining power is limited, and document risk mitigation strategies and compensating controls. Consider invoking NYDFS regulations and guidance in vendor negotiations; the guidance directs that registrants must “obtain, review and validate information provided by prospective TPSPs.”
  • Continuous Improvement:
    The TPSP management process should be iterative, with regular reviews and updates to reflect evolving threats, regulatory changes, and lessons learned from prior engagements.

Key Themes for Business Leaders

1. Regulatory Compliance and Enforcement

The guidance reiterates that NYDFS will continue to review third-party risk management practices during examinations and may take enforcement action where deficiencies are identified. Registrants should also remember that NYDFS could enforce in the wake of an incident. The guidance does not impose new obligations but clarifies existing requirements under Part 500, particularly Section 500.11, and encourages adoption of industry best practices.

2. Heightened Scrutiny of Third-Party Risks

NYDFS emphasizes that while TPSPs offer operational benefits, they also introduce significant cybersecurity risks, including the potential for data breaches and operational disruptions. The Department has observed that some regulated entities are outsourcing critical compliance obligations without sufficient oversight, a practice that is not permitted under the Cybersecurity Regulation (Part 500). Senior management and governing bodies are expected to be actively engaged in overseeing third-party risks and must not delegate ultimate responsibility for compliance.

3. Lifecycle Approach to Third-Party Risk Management

The guidance outlines a risk-based, adaptive approach to managing TPSP relationships, structured around four key phases:

  • Identification, Due Diligence, and Selection:
    Covered Entities must assess the cybersecurity posture of prospective TPSPs, considering factors such as system access, data sensitivity, provider reputation, cybersecurity program sophistication, criticality of the services, external audits or independent assessments, and the use of downstream vendors. Due diligence should be tailored to the risk profile of each TPSP, with particular attention to those with privileged access or handling sensitive nonpublic information (NPI).
  • Contracting:
    Covered Entities must have written policies and procedures to ensure appropriate due diligence is conducted and contractual provisions are in place with TPSPs. Written agreements with TPSPs should include robust cybersecurity provisions. Recommended contract terms include requirements for access controls (e.g., multi-factor authentication), data encryption, prompt notification of cybersecurity events, compliance representations, data location disclosures, subcontractor oversight, and clear data use and exit obligations. Covered Entities should also consider, where appropriate, contractual protections related to the acceptable use of Artificial Intelligence (“AI”), and whether the Covered Entity’s data may be used to train AI models or be otherwise disclosed to additional parties. Covered Entities are encouraged to negotiate remedies for breaches of cybersecurity terms, such as remediation or early termination rights.
  • Ongoing Monitoring and Oversight:
    Continuous oversight is required to ensure TPSPs maintain adequate cybersecurity controls. Covered Entities should develop and implement policies and procedures for the ongoing monitoring and oversight of TPSPs. The policies should be informed by a variety of factors, including the evolving threat and regulatory landscape, changes to products and services, and whether the TPSP has experienced a Cybersecurity Event. Appropriate oversight and monitoring includes periodic risk assessments, review of security attestations (e.g., SOC2, ISO 27001), monitoring of vulnerability management, and escalation of unresolved risks. Third-party risk should be integrated into incident response and business continuity planning, with regular testing of contingency measures.
  • Termination:
    At the end of a TPSP relationship, entities must ensure the secure revocation of all access, deletion or migration of data, and certification of data destruction. Transition plans should be developed for critical services, and offboarding procedures must be documented and aligned with regulatory requirements. A Covered Entity’s lessons-learned processes should inform future third-party risk management practices.

Conclusion

NYDFS’s latest guidance signals a continued focus on third-party cybersecurity risk as a core element of regulatory compliance. Regulated entities should review and, where necessary, enhance their third-party risk management frameworks to ensure alignment with regulatory expectations and industry best practices. Proactive engagement by senior leadership, robust due diligence, strong contractual protections, and ongoing oversight are essential to mitigating the growing risks posed by third-party service providers in today’s complex digital landscape. State and federal regulators continue to focus on cybersecurity, resilience, and customer and investor harm. For questions about these issues, contact the authors or your McGuireWoods contact.
[1] https://www.dfs.ny.gov/industry-guidance/industry-letters/il20251021-guidance-managing-risks-third-party