On October 21, the NYDFS issued new cybersecurity guidance addressing the growing risks associated with regulated entities' reliance on third-party service providers (TPSPs). The guidance clarifies compliance obligations under the New York Cybersecurity Regulation and outlines best practices for managing cybersecurity risk across the third-party relationship lifecycle.
NYDFS cautioned that outsourcing to TPSPs, such as cloud vendors, fintech platforms, and data processors, can expose institutions to cybersecurity incidents that compromise nonpublic information and disrupt operations. Acting Superintendent Katlin Asrow emphasized that while service providers have enabled innovation and efficiency, regulated entities remain fully responsible for protecting consumer data and maintaining adequate risk management controls. The Department highlighted several areas where entities should strengthen their programs, including due diligence, contracting, oversight, and termination procedures.
Specifically, the guidance outlines four stages of third-party risk management:
- Identification, Due Diligence, and Selection. Entities should classify providers by risk, based on the provider's level of system access and the sensitivity of data involved. Each provider's cybersecurity history, access controls, data handling practices, and alignment with recognized standards such as the National Institute of Standards and Technology Cybersecurity Framework should also be evaluated.
- Contracting. Agreements should include access controls with multi-factor authentication, encryption in transit and at rest, prompt incident notifications, data location and transfer restrictions, subcontractor disclosures, data return or deletion obligations, and clear limits on artificial intelligence use, including whether the provider may use the entity's data to train models.
- Ongoing Monitoring and Oversight. The guidance advises that third-party oversight should be continuous and risk-based. Recommended measures include periodic reassessments of provider security programs, review of audit attestations and test results, documentation of remediation efforts, and integration of third-party risks into incident response and business continuity planning. Unresolved or material risks should be escalated through established governance channels.
- Termination and Offboarding. At the conclusion of a third-party relationship, access credentials and system connections should be revoked, and all nonpublic information securely migrated or deleted. The guidance stresses the need to confirm data destruction, retain audit logs, and apply lessons learned to improve future vendor risk management.
 
Putting It Into Practice: The guidance signals increased expectations for how financial institutions manage vendor relationships and document cybersecurity oversight. Covered entities should anticipate heightened supervisory attention to how vendor relationships are assessed, documented, and governed under the New York Cybersecurity Regulation, particularly where service providers have system-level access or handle nonpublic information.