
Nov. 7, 2025

NYDFS Issues Additional Guidance on Managing Risks Related to Third-Party Service Providers

By Jackson Parese, Jason I. Epstein, Geoffrey P. Vickers

Covered Entities [1] should expect heightened supervisory focus on relationships where third-party service providers (TPSPs) access systems or handle non-public information (NPI). On October 21, the New York State Department of Financial Services (NYDFS) issued additional guidance to Covered Entities addressing cybersecurity risks posed by TPSPs. The guidance does not impose new legal requirements on Covered Entities but clarifies existing obligations under the New York Cybersecurity Regulation and sets out best practices for managing TPSP relationships from inception to expiration. NYDFS will assess Covered Entities’ TPSP risk-management practices in examinations and enforcement matters.

Covered Entities increasingly rely on TPSPs such as cloud and AI vendors, fintech platforms and data processors for services requiring third-party access to information systems and NPI. This reliance elevates cybersecurity risk, including the risk of a TPSP incident affecting a Covered Entity’s operations or NPI.

In reviewing Covered Entities’ information security policies and procedures, the NYDFS identified a need for stronger TPSP relationship management, specifically in Covered Entities’ processes for TPSP due diligence, contractual provisions, oversight, and evaluation of TPSP risk management policies and procedures. The NYDFS structured its guidance around the following four stages:

1. Identification, Due Diligence, and Selection

The NYDFS recommends that Covered Entities take each of the following steps when identifying and selecting potential TPSPs:

  • Conduct due diligence on prospective TPSPs, evaluating cybersecurity program strength, incident history, independent certifications and alignment with regulatory frameworks, among other factors;
  • Classify each TPSP based on the level of risk the TPSP poses to Covered Entity information systems and NPI, specifically considering system access, NPI exposure, service criticality, and geography in doing so;
  • Consider how to best obtain, review and validate information provided by prospective TPSPs; and
  • Implement policies and procedures which outline evaluation procedures and introduce practices and controls based on individual TPSP risk profiles.

2. Contracting

Covered Entities should ensure that agreements with TPSPs incorporate provisions that:

  • Mandate the use of access controls including multi-factor authentication;
  • Require data encryption in transit and at rest;
  • Address methods and timeframes for cybersecurity event notification;
  • Contain compliance representations offered by the TPSP;
  • Restrict and control data location and transfers;
  • Require TPSP disclosure of subcontractor use and preserve the Covered Entity’s ability to reject the use of certain subcontractors;
  • Restrict the use and sharing of data; and
  • Provide Covered Entities with remedies for TPSP breaches of material terms.

Aside from the provided list of TPSP contract requirements, Covered Entities should always evaluate the holistic terms of an agreement based on the nature of the engagement, market conditions, and the sensitivity of the data involved in the engagement, among other factors.

3. Ongoing Monitoring and Oversight

Covered Entities must implement ongoing, risk-based oversight of TPSPs. Activities should include:

  • Periodic reassessments of TPSP cybersecurity programs;
  • Review of security attestations (e.g., SOC 2, ISO 27001), penetration-testing summaries, policy updates, and evidence of security awareness training;
  • Vulnerability and patch-management tracking and remediation follow-up;
  • Escalation of material and unresolved risks; and
  • Integration of TPSP risk into Covered Entity incident-response and business-continuity plans.

4. Termination and Offboarding

At the end of a TPSP relationship, Covered Entities should:

  • Revoke TPSP access to systems;
  • Ensure secure migration or deletion of NPI and obtain certification of such destruction or migration;
  • Remove residual and unmonitored access points and ensure logs are retained;
  • Develop a transition plan for critical services; and
  • Verify compliance with offboarding obligations and perform a post-termination review of outcomes.

Senior governing bodies and senior officers of Covered Entities must engage actively in TPSP cybersecurity risk oversight. Leaders must have adequate understanding to challenge management decisions and must review and approve cybersecurity programs annually.

Responsibility for compliance cannot be delegated to a TPSP or affiliate. The Covered Entity retains ultimate accountability for all NPI and information systems that are accessed and used by TPSPs.

Our team is available to assist with evaluating your current TPSP risk management practices, updating policies and contracts to align with NYDFS expectations, and recommending implementation strategies tailored to your organization’s risk profile. Please contact us to discuss how we can support your compliance efforts.

[1] A Covered Entity is defined in the New York Cybersecurity Regulation as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.” N.Y. Comp. Codes R. & Regs. tit. 23, § 500.1(e) (2025).