NY Regulator Puts Financial Firms on Notice: You Are Accountable for Your Vendors' Security

New York DFS Issues Formal Guidance on Managing Third-Party Cybersecurity Risk

Severity: Medium
October 23, 2025
Categories: Regulatory, Policy and Compliance, Supply Chain Attack

Executive Summary

On October 21, 2025, the New York State Department of Financial Services (DFS), one of the most influential financial regulators in the United States, issued formal guidance to all its regulated entities, including banks and insurance companies. The guidance reinforces the principle that financial firms are ultimately responsible for managing cybersecurity risks, even when those risks originate from third-party service providers (TPSPs). Citing the growing reliance on external vendors for critical technologies like cloud, AI, and fintech, the DFS warned that risk exposure is increasing. The regulator has placed the onus squarely on the senior leadership and boards of directors of these institutions, mandating their active engagement and sufficient expertise in overseeing third-party cyber risk. This move signals a heightened regulatory focus on supply chain security within the financial sector.


Regulatory Details

The guidance serves as a clarification and reinforcement of the existing NYDFS Cybersecurity Regulation (23 NYCRR 500), specifically Section 500.11, Third-Party Service Provider Security Policy. That section already requires each covered entity to maintain written policies and procedures for identifying and risk-assessing its TPSPs, setting the minimum cybersecurity practices they must meet, performing due diligence before engagement, and periodically reassessing them based on risk; the new guidance explains how the DFS expects those obligations to be governed in practice. The key tenets of the new guidance are:

  • Accountability Cannot Be Outsourced: The central message from the DFS is that while functions can be outsourced, the risk and accountability remain with the regulated entity. Firms cannot use a TPSP as a shield against regulatory action or liability in the event of a breach.
  • Board and Senior Officer Oversight: The guidance explicitly calls for the 'senior governing body' (e.g., board of directors) and senior officers to be actively involved in TPSP risk management. They are expected to have a level of cybersecurity understanding that allows them to effectively challenge the executive management's decisions and strategies regarding vendor risk.
  • Proactive and Adaptive Governance: The DFS expects firms to move beyond static, point-in-time assessments of their vendors. They must establish and maintain a continuous, adaptive governance framework that can manage the complex and evolving risks associated with modern TPSPs, especially those providing cloud and AI services.
  • Protection of Nonpublic Information (NPI): A primary focus is the protection of consumer data. The guidance reiterates that firms must ensure their TPSPs have appropriate controls to safeguard any NPI they handle, in line with the firm's own security standards.

Affected Organizations

This guidance applies to all entities regulated by the NYDFS, which includes a vast array of organizations operating in or serving New York State. This scope covers:

  • Banks and trust companies
  • Insurance companies, agents, and brokers
  • Mortgage lenders and servicers
  • Virtual currency businesses (cryptocurrency exchanges)
  • Other licensed financial services organizations

Essentially, any financial institution under the jurisdiction of the NYDFS must review and likely enhance its third-party risk management program in light of this guidance.


Compliance Requirements

To comply, affected organizations must ensure their Third-Party Risk Management (TPRM) program includes, at a minimum:

  1. Due Diligence and Vetting: A formal process for assessing the security posture of potential TPSPs before engaging them. This includes reviewing their security policies, procedures, and independent audit reports (e.g., SOC 2).
  2. Contractual Obligations: Ensuring contracts with TPSPs include strong cybersecurity provisions, such as requirements to maintain specific security controls, notify the firm of any security incidents, and grant the firm the right to audit their security.
  3. Continuous Monitoring: Implementing a program to continuously monitor the security of critical TPSPs. This can include periodic reassessments, reviewing security ratings, and monitoring for publicly disclosed breaches involving the vendor.
  4. Risk-Based Approach: Classifying vendors based on the level of risk they pose (e.g., the sensitivity of data they access). High-risk vendors should be subject to more stringent due diligence and ongoing monitoring.
  5. Board-Level Reporting: Establishing clear reporting lines to ensure that senior management and the board are regularly informed about the state of third-party cyber risk.

Impact Assessment

The issuance of this guidance will have significant operational and strategic impacts on financial institutions:

  • Increased Scrutiny: Firms can expect DFS examiners to pay much closer attention to their TPRM programs during examinations, including evidence that the board actually reviewed and challenged vendor risk reporting.
  • Higher Compliance Costs: Organizations may need to invest in new tools (e.g., security rating platforms, GRC software) and personnel to meet the heightened expectations for vendor oversight.
  • Pressure on Vendors: The guidance will have a trickle-down effect, as financial firms will impose stricter security requirements on their entire supply chain. Vendors who cannot meet these standards may lose business.
  • Elevated Board Responsibility: Board members can no longer be passive recipients of cybersecurity reports. They are now on the hook to be active participants in risk governance, which may require them to seek additional training or expertise.

Compliance Guidance

Firms should take the following tactical steps:

  1. Conduct a Gap Analysis: Immediately review your current TPRM program against the new guidance and the underlying 23 NYCRR 500 regulation to identify any deficiencies.
  2. Brief the Board: Present this guidance to your board of directors and senior leadership, explaining the explicit expectation of their involvement and accountability.
  3. Review Critical Vendor Contracts: Prioritize a review of contracts with your most critical TPSPs (e.g., cloud providers, core banking software vendors) to ensure they contain adequate security clauses.
  4. Automate Monitoring: Where possible, move away from relying solely on manual, questionnaire-based annual assessments and towards automated, continuous monitoring of your vendors' security posture. Automated signals (external security ratings, breach disclosures, access telemetry) supplement contractual evidence such as audit reports; they do not replace it.
  5. Update Incident Response Plans: Ensure your IR plans include specific playbooks for incidents originating from a third party, including communication protocols and contractual notification requirements.

Timeline of Events

  1. October 21, 2025: The New York State Department of Financial Services (DFS) issues guidance on third-party cybersecurity risks.
  2. October 23, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Training for board members and senior officers to ensure they have sufficient cybersecurity knowledge to perform their oversight duties as required by the DFS.
  • Conducting regular, formal audits of third-party service providers' security controls, as well as of the firm's internal TPRM processes.
  • Enforcing the principle of least privilege for all third-party connections to limit the potential impact of a vendor compromise.

D3FEND Defensive Countermeasures

In the context of the NY DFS guidance, financial institutions must rigorously apply the principle of least privilege to all third-party service provider accounts. This D3FEND technique involves a meticulous review and hardening of permissions. Instead of granting broad administrative rights, firms should create highly restricted, purpose-built roles for each vendor. For example, a vendor providing support for a specific application should have an account that can only access that application's servers and logs, and nothing else. Permissions should be reviewed at least quarterly (stricter than the at-least-annual access review that 23 NYCRR 500.7 already requires) and automatically revoked when a contract ends, which means the IAM system must know each vendor account's contract end date rather than relying on someone remembering to close it. This should be implemented through a centralized Identity and Access Management (IAM) solution, so that every vendor entitlement is visible in a single inventory that can be reviewed and evidenced. This directly addresses the regulator's concern about protecting nonpublic information by ensuring a compromised vendor account has a minimal blast radius and cannot be used to access data or systems beyond its explicit function.
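The review described above can be expressed as a small, repeatable check over the vendor account inventory. The following is an added example written for this article, not code from the original page or from any IAM product; the account names, the "app:action" permission format, and the 90-day review interval are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample of vendor (TPSP) accounts. Names, permission strings and
# the "app:action" permission format are illustrative assumptions, not taken
# from any real IAM product or from the DFS guidance.
@dataclass
class VendorAccount:
    name: str
    vendor: str
    assigned_app: str        # the one application this vendor supports
    permissions: set         # entitlements in "app:action" form
    contract_end: date
    last_review: date
    enabled: bool = True

REVIEW_INTERVAL = timedelta(days=90)   # quarterly review, as the text suggests

def is_broad(perm):
    """A global or service-wide wildcard is never appropriate for a vendor role."""
    return perm == "*" or perm.endswith(":*")

def audit_vendor_accounts(accounts, today):
    """Least-privilege review. Returns (findings, names_to_disable), where each
    finding is (account_name, finding_kind, detail)."""
    findings, to_disable = [], []
    for a in accounts:
        if not a.enabled:
            continue                      # already revoked; nothing to review
        broad = {p for p in a.permissions if is_broad(p)}
        if broad:
            findings.append((a.name, "broad-permission", sorted(broad)))
        # Anything outside the assigned application violates the purpose-built role.
        out_of_scope = {p for p in a.permissions - broad
                        if p.split(":", 1)[0] != a.assigned_app}
        if out_of_scope:
            findings.append((a.name, "out-of-scope", sorted(out_of_scope)))
        if a.contract_end < today:
            findings.append((a.name, "contract-expired", a.contract_end.isoformat()))
            to_disable.append(a.name)
        if today - a.last_review > REVIEW_INTERVAL:
            findings.append((a.name, "review-overdue", a.last_review.isoformat()))
    return findings, to_disable

def revoke_expired(accounts, today):
    """Disable accounts whose contract has ended (the automatic-revocation step).
    Returns the names disabled so the action can be logged as audit evidence."""
    _, names = audit_vendor_accounts(accounts, today)
    for a in accounts:
        if a.name in names:
            a.enabled = False
    return names

def constructed_inventory(today):
    """Constructed sample inventory (not real accounts)."""
    return [
        VendorAccount("svc-vendor-acme", "Acme Support", "payments",
                      {"payments:read-logs", "payments:ssh-app-servers"},
                      contract_end=today + timedelta(days=200),
                      last_review=today - timedelta(days=30)),
        VendorAccount("svc-vendor-beta", "Beta Analytics", "claims",
                      {"claims:read-db", "iam:*"},
                      contract_end=today + timedelta(days=100),
                      last_review=today - timedelta(days=120)),
        VendorAccount("svc-vendor-gamma", "Gamma Hosting", "web",
                      {"web:deploy", "payments:read-db"},
                      contract_end=today - timedelta(days=5),
                      last_review=today - timedelta(days=10)),
    ]

if __name__ == "__main__":
    today = date(2025, 10, 23)
    inventory = constructed_inventory(today)
    for finding in audit_vendor_accounts(inventory, today)[0]:
        print(finding)
    print("disabled:", revoke_expired(inventory, today))
```

Run against the constructed inventory, the acme account passes, the beta account is flagged for a service-wide `iam:*` grant and an overdue review, and the gamma account is flagged for a permission outside its assigned application and an expired contract, which is the only condition that triggers automatic disablement. Findings are returned as data rather than printed so they can be fed to a ticketing system and retained as examination evidence.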

To meet the DFS's expectation of proactive governance, firms should implement Authorization Event Thresholding to monitor vendor activity. This goes beyond simple login alerts. It involves setting up rules in a SIEM or CASB to detect anomalous patterns of authorization and access. For instance, an alert could be triggered if a vendor account generates more than 100 'access denied' events in a 10-minute window, which could indicate a compromised account being used for reconnaissance. Another rule could alert if a TPSP account, which normally only accesses data during US business hours, suddenly starts accessing large volumes of data at 3 AM. Two practical caveats: the thresholds should be baselined from each vendor's normal activity rather than copied from a template, otherwise a legitimate overnight batch job will page the SOC; and "business hours" must be evaluated in the timezone agreed with the vendor, not in the SIEM's UTC timestamps. These rules also depend on vendor accounts being consistently named or tagged so that they can be scoped separately from employee accounts. This technique provides concrete, data-driven insights into vendor behavior, allowing the security team to detect potential incidents in near real-time and demonstrate to regulators that they are actively monitoring their third-party connections, not just relying on static, annual assessments.
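The two rules above, run over a constructed set of authorization events, as an added example written for this article (not code from the original page or from any SIEM). The event format, the account names, the 50 MB off-hours byte threshold, and the fixed UTC-4 offset used to stand in for the vendor's local timezone are all assumptions; a production rule would take the zone from the vendor's contract record and use a DST-aware zone.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Rule parameters. The first two are the numbers used in the text above; in
# practice every value should be baselined per vendor from its normal activity.
DENY_THRESHOLD = 100                      # "more than 100 denied events..."
DENY_WINDOW = timedelta(minutes=10)       # "...in a 10-minute window"
BUSINESS_HOURS = range(8, 18)             # 08:00-17:59 local time, Mon-Fri (assumed)
OFFHOURS_BYTES = 50_000_000               # bulk-read threshold outside those hours (assumed)
# Assumed vendor-local zone: fixed UTC-4 (EDT) to keep the example offline;
# use a DST-aware zone (zoneinfo) in a real rule.
VENDOR_TZ = timezone(timedelta(hours=-4), "EDT")

def detect(lines, vendor_tz=VENDOR_TZ):
    """Run both thresholding rules over JSON-lines authorization events.
    Each alert fires once per (account, rule); returns a list of dicts."""
    denies = defaultdict(deque)            # sliding window of deny timestamps per account
    offhours = defaultdict(int)            # bytes read outside business hours per (account, day)
    fired, alerts = set(), []
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["outcome"] == "denied":
            window = denies[acct]
            window.append(ts)
            while window and ts - window[0] > DENY_WINDOW:
                window.popleft()           # drop events older than the window
            if len(window) > DENY_THRESHOLD and (acct, "deny-burst") not in fired:
                fired.add((acct, "deny-burst"))
                alerts.append({"account": acct, "rule": "deny-burst",
                               "count": len(window), "at": ev["ts"]})
        else:
            local = ts.astimezone(vendor_tz)   # judge "business hours" in the vendor's zone
            if local.weekday() >= 5 or local.hour not in BUSINESS_HOURS:
                key = (acct, local.date())
                offhours[key] += ev["bytes"]
                if offhours[key] > OFFHOURS_BYTES and (acct, "offhours-bulk") not in fired:
                    fired.add((acct, "offhours-bulk"))
                    alerts.append({"account": acct, "rule": "offhours-bulk",
                                   "bytes": offhours[key], "at": ev["ts"]})
    return alerts

def constructed_sample_log():
    """Constructed JSON-lines sample, not real telemetry. Timestamps are UTC;
    22 Oct 2025 14:00Z is 10:00 EDT and 23 Oct 2025 07:00Z is 03:00 EDT."""
    lines = []
    def emit(ts, acct, outcome, resource, nbytes):
        lines.append(json.dumps({"ts": ts.isoformat(), "account": acct,
                                 "outcome": outcome, "resource": resource, "bytes": nbytes}))
    day = datetime(2025, 10, 22, 14, 0, tzinfo=timezone.utc)
    for i in range(120):                   # 120 denials in 8 minutes: reconnaissance pattern
        emit(day + timedelta(seconds=4 * i), "svc-vendor-acme", "denied", f"s3://core/obj{i}", 0)
    for i in range(5):                     # 100 MB of daytime reads: normal for this vendor
        emit(day + timedelta(minutes=i), "svc-vendor-beta", "allowed", "db://claims", 20_000_000)
    night = datetime(2025, 10, 23, 7, 0, tzinfo=timezone.utc)
    for i in range(4):                     # the same reads at 03:00 local: anomalous
        emit(night + timedelta(minutes=i), "svc-vendor-beta", "allowed", "db://claims", 20_000_000)
    return lines

if __name__ == "__main__":
    for alert in detect(constructed_sample_log()):
        print(alert)
```

On the constructed log the deny-burst rule fires on the 101st denial from the acme account (a sliding window, so a slow trickle of denials never accumulates), while the beta account's 100 MB of daytime reads produce nothing and its third 20 MB read at 03:00 local crosses the off-hours threshold. Because alerts are returned as structured records, the same function can be replayed over historical events when tuning thresholds for a new vendor.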

Sources & References

NY Insurance Regulator Warns of Cyber Threats From Third-Party Service Providers, Insurance Journal (insurancejournal.com), October 23, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

NYDFS, Regulation, Compliance, Third-Party Risk Management, Financial Services, Supply Chain
