Quick Hits

  • The NYDFS recently issued guidance that provides detailed best practices to mitigate risk throughout the TPSP life cycle: due diligence, contracting, ongoing monitoring, and termination.
  • The guidance indicates that NYDFS will scrutinize policies and procedures related to TPSPs, especially where covered entities outsource cybersecurity compliance.
  • Companies may want to revisit vendor management policies, contracts, and oversight procedures, including with respect to AI platforms.

NYDFS has identified covered entities’ increasing reliance on TPSPs to provide services—including cloud computing, file transfer systems, artificial intelligence (AI), and more—as introducing new cybersecurity risks, prompting NYDFS to clarify covered entities’ obligations under the NYDFS Cybersecurity Regulations. The guidance provides best practices for covered entities throughout the four phases of the TPSP life cycle: (1) Identification, Due Diligence, and Selection; (2) Contracting; (3) Ongoing Monitoring and Oversight; and (4) Termination.

Identification, Due Diligence, and Selection

At the identification, due diligence, and selection stage, NYDFS recommends classifying vendors according to risk profile. A TPSP’s risk profile is based on factors such as access to systems and NPI, data sensitivity, jurisdictional exposure, and how critical the service is to the covered entity’s operations. NYDFS also calls for tailored, risk-based assessments when selecting TPSPs. These assessments may include, among other criteria, a review of a TPSP’s:

  • “reputation within the industry, including its cybersecurity history and financial stability”;
  • external audits and certifications;
  • access controls for both the covered entity’s and its own information systems and NPI;
  • incident response and business continuity planning and testing;
  • downstream service provider management;
  • data handling, including segmentation and encryption; and
  • location.

NYDFS recognizes the need for qualified personnel to interpret a TPSP’s responses to questionnaires on a case-by-case basis to make informed decisions, ask follow-up questions as necessary, and determine appropriate mitigation strategies. Where constraints exist when selecting a TPSP due to limited availability, industry concentration, or legacy system dependencies, NYDFS advises making risk-informed decisions, documenting those risks, implementing compensating controls, and regularly monitoring and assessing the selected TPSP.

Contracting

When contracting with TPSPs, NYDFS expects risk-based provisions that are tailored to the service and to the sensitivity of the systems and data that the TPSP will access. Recommended baseline provisions include access controls (such as multifactor authentication), encryption in transit and at rest, prompt cybersecurity incident notification to the covered entity, warranties of the TPSP’s compliance with applicable law, data location and cross-border transfer restrictions, rights with respect to subcontractors, and data use and exit obligations. Particularly given the rise in the use of AI by vendors, NYDFS also suggests including a clause on acceptable uses of AI, including whether the covered entity’s data may be used to train AI models or may otherwise be disclosed.

Ongoing Monitoring and Oversight

The guidance clarifies that a covered entity’s TPSP policy should also be tailored to the risk each TPSP presents. Ongoing and periodic oversight processes and controls should include a layered, risk-based assessment that can confirm that a TPSP’s cybersecurity posture is aligned with the covered entity’s expectations. Periodic assessments may include security attestations such as SOC2 and ISO 27001, penetration testing summaries, vulnerability management updates, policy changes, security awareness training, and compliance audits. The guidance recommends that material or unresolved risk be documented in the covered entity’s risk assessment and escalated through appropriate internal risk governance channels.

Termination

Finally, when ending a TPSP relationship, NYDFS expects covered entities to “ensure secure and orderly” offboarding. The guidance stresses promptly disabling access (including deactivating accounts and revoking system access for TPSP personnel and subcontractors). Particularly for TPSPs providing cloud services, this may also require revoking identity federation tools, API integrations, and external storage. NYDFS further emphasizes requiring certified return, destruction, or migration of backup, cached, and snapshot copies of NPI. Policies should include “a transition plan for critical services with clearly defined timelines, roles and responsibilities.” NYDFS also recommends that access points that become redundant or unnecessary during the TPSP relationship be eliminated on an ongoing basis rather than left for cleanup at offboarding.

Key Takeaways

The guidance may be a bellwether for NYDFS’s increased regulatory scrutiny related to TPSPs. It also provides detailed best practices for all types of businesses to consider, even those companies that are not regulated by NYDFS. As a result, businesses may want to consider the following:

  • Closing gaps in vendor life-cycle controls. Closing gaps includes revisiting TPSP policies and procedures to incorporate the guidance’s classification scheme, enhanced due diligence measures, ongoing monitoring metrics, and termination protocols.
  • Updating TPSP contract templates. Updates include standardizing terms for MFA, encryption, breach notification timelines, compliance warranties, audit rights, data location/transfers, subcontractor disclosure and veto rights, AI use and training restrictions, data exit obligations, and cybersecurity-specific remedies/termination triggers.
  • Bolstering ongoing monitoring for TPSPs. Monitoring involves conducting periodic risk-based assessments based on risk classification, tracking vulnerability remediation, and incorporating third-party risk into incident response plans.

Conclusion

Direct insights from a regulator are informative and should always be taken seriously. Companies may want to consider reviewing and revising their vendor management policies and procedures to ensure compliance with the NYDFS Cybersecurity Regulations.

Ogletree Deakins’ New York offices and Cybersecurity and Privacy Practice Group will continue to monitor developments and provide updates on the Cybersecurity and Privacy and New York blogs as additional information becomes available.