On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”), which requires Covered Entities to implement a comprehensive cybersecurity program that includes written policies addressing TPSP risks as well as due diligence, contractual requirements, and periodic assessments for TPSPs. While the Guidance is explicit that it “does not impose any new requirements” beyond those already included in the Cybersecurity Regulation, it provides significant additional detail to clarify how to comply with existing requirements and offers industry best practices to mitigate TPSP-related cyber risks. As the Guidance suggests that NYDFS will continue to focus on TPSP-related cyber risks, Covered Entities should consider reviewing their TPSP oversight and management against the specific recommendations from the Guidance and adjusting their practices where appropriate. Alongside a review of TPSP oversight and management, Covered Entities may also consider reviewing their implementation of the provisions of the Cybersecurity Regulation requiring multifactor authentication, asset management, and data retention, which take effect on November 1, 2025.

TPSP-Related Risks: In the Guidance, NYDFS notes that its examinations and investigations have identified a trend of Covered Entities’ increased reliance on TPSPs, and a corresponding rise in certain cybersecurity risks related to Covered Entities’ TPSP programs. The Guidance also noted an overreliance on TPSPs, and in particular, risks associated with outsourcing critical components of cyber risk management without sufficient oversight. The Guidance highlights that managing these TPSP-related risks is particularly important at a time when entities are increasingly relying on TPSP technologies such as cloud computing, file transfer systems, artificial intelligence, and financial technology solutions.

  • Risks From Covered Entities’ TPSP Programs – The Guidance identifies four “areas where Covered Entities should strengthen their TPSP programs, including how they monitor, assess, and manage TPSP cybersecurity risk.” These areas span the entire vendor lifecycle: due diligence, contractual provisions, monitoring and oversight, and risk management policies and procedures. The Guidance notes that Section 500.4 of the Cybersecurity Regulation requires Covered Entities’ Senior Governing Bodies and Senior Officers to “engage actively in cybersecurity risk management,” which includes understanding and overseeing TPSP-related risks.
  • Overreliance on TPSPs – The Guidance also identifies an increasing trend of Covered Entities outsourcing “critical cybersecurity compliance obligations” to TPSPs without appropriate oversight by the Covered Entities. The Guidance emphasizes that compliance with the Cybersecurity Regulation cannot be outsourced, and that Senior Officers and/or Senior Governing Bodies must oversee any cybersecurity responsibilities that are outsourced to TPSPs per Section 500.4 of the Cybersecurity Regulation.

Risk Management Best Practices: The Guidance sets out steps that Covered Entities “should consider taking to assess and address cybersecurity risks throughout the lifecycle of a TPSP relationship,” in order to “promote compliance with relevant sections” of the Cybersecurity Regulation.

  • Identification, Due Diligence & Selection – While Section 500.11 of the Cybersecurity Regulation sets forth requirements for Covered Entities to implement policies governing the identification, selection, and due diligence for TPSPs, the Guidance provides additional suggestions for how these steps should be implemented in practice. Before engaging a TPSP, Covered Entities should assess the vendor’s level of access to systems and Nonpublic Information and consider risk factors including the TPSP’s cybersecurity reputation and maturity, its cybersecurity program and how regularly that program is tested and audited, access controls and account auditing, oversight of subcontractors, and whether TPSPs are located in or operate from high-risk jurisdictions. The Guidance further notes that Covered Entities should consider how best to obtain, review, and validate due diligence information from TPSPs, and how to make risk-informed decisions if facing vendor selection constraints.
  • Contracting – Covered Entities should embed cybersecurity expectations aligned with the Cybersecurity Regulation into contracts with TPSPs, based on the services provided and the sensitivity of systems and data accessed by the TPSP. While the topic of contractual requirements for TPSPs is also addressed in Section 500.11 of the Cybersecurity Regulation, the Guidance further recommends that, at a baseline, Covered Entities should incorporate provisions in TPSP contracts addressing access controls, data encryption, cybersecurity event notification, representations of compliance with applicable laws and regulations, data location and transfer restrictions, subcontractor requirements, and data use and exit obligations. The Guidance also recommends, where relevant, the inclusion of TPSP contract clauses that address artificial intelligence usage and training limitations, as well as remedies if a TPSP breaches any material terms related to cybersecurity. This approach aligns with prior NYDFS guidance, which clarified that Covered Entities should assess and manage artificial intelligence-related risks as part of their cybersecurity programs.
  • Ongoing Monitoring and Oversight – The Guidance recommends that Covered Entities conduct regular risk-based reviews of the security practices of TPSPs, proactively request updates from TPSPs on risks such as vulnerability management, integrate third-party risk into incident response and continuity plans, and ensure that material or unresolved TPSP risks are documented and escalated as appropriate. The Guidance suggests that Covered Entities’ TPSP policies and procedures (required pursuant to Section 500.11 of the Cybersecurity Regulation) should be tailored to individual TPSPs’ risk factors. For instance, the Guidance recommends that policies should be informed by “whether the TPSP has experienced a Cybersecurity Event,” and if a Covered Entity identifies deficiencies with a TPSP’s cybersecurity practices, the Covered Entity should confirm that the deficiencies have been remediated.
  • Termination & Offboarding – When the TPSP relationship ends, Covered Entities should revoke the TPSP’s access to information systems, require certification of destruction of Nonpublic Information, ensure that data is securely deleted or migrated, and complete a final risk review. The Guidance also encourages the creation and maintenance of a structured transition plan to ensure business continuity and compliance with all recordkeeping requirements in the Cybersecurity Regulation.

Overall, the Guidance emphasizes that managing TPSP-related risks is a key facet of compliance with the Cybersecurity Regulation. In the Guidance, NYDFS suggests that it will continue to focus on third-party risk management activities when assessing and evaluating Covered Entities going forward (for example, noting that “DFS has and will continue to consider the absence of appropriate TPSP risk management practices by Covered Entities in its examinations, investigations, and enforcement actions”). The Guidance concludes by encouraging Covered Entities to adopt proactive oversight of TPSPs in order to ensure and maintain long-term compliance with the Cybersecurity Regulation.

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Miranda Rutherford

Miranda Rutherford is an associate in the firm’s Palo Alto office and a member of the Data Privacy and Cybersecurity practice. Miranda advises clients on a broad array of cybersecurity and privacy issues, with a focus on security incident response, preparedness, and related investigations. She has expertise in assessing cybersecurity controls and practices for network security at the company or cloud scale, and advising on compliance with U.S. government security authorizations, cybersecurity regulations, and national security laws. Miranda also counsels clients on compliance with federal and state privacy laws, and represents clients in government investigations related to cybersecurity, privacy, and the False Claims Act.

Miranda maintains an active pro bono practice advising non-profit clients on privacy and cybersecurity compliance, as well as litigating in civil rights and family law matters.

Prior to joining the firm, Miranda was a law clerk to the Honorable James Donato, United States District Judge for the Northern District of California.

Analese Bridges

Analese Bridges is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Advertising and Consumer Protection Practice Groups. She represents and advises clients on a range of cybersecurity, data privacy, and consumer protection issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal investigations, and regulatory compliance.