Key point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.

On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) on managing their cybersecurity risk related to third-party service providers (“TPSPs”). The industry letter (Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers) (the “Guidance”) specifically addresses the covered entity’s use of cloud, file transfer, AI and fintech providers. According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.

1. Risk-Based Approach

The Guidance promotes a risk-based approach to TPSP cybersecurity risk, recognizing that not all TPSPs present the same level of risk. In order to manage cybersecurity risk, covered entities must, as part of their risk assessment, consider the nature, volume and sensitivity of the information, and the extent and criticality of the systems, that the TPSP will access. We often advise covered entities to “tier” (the Guidance uses the term “classify”) their TPSPs, using the factors referenced by the Guidance for assessing risk. DFS provides a non-exhaustive list of considerations for such risk assessments. Covered entities are expected to subject TPSPs that present a higher level of risk to increased scrutiny in due diligence, more robust contracting, and increased oversight.

2. Intake

The covered entity’s policies and procedures must address the identification of suitable third-party solutions, due diligence, selection and contracting, using the risk-based approach described above. Notably, DFS makes clear that a TPSP security questionnaire alone is not sufficient – regulated entities must take steps to validate the information provided by TPSPs.

The Guidance recognizes that for certain solutions there may not be many options to explore, and the covered entity may be limited in its ability to conduct due diligence, select from among viable options, and insist on appropriate contractual provisions. Nevertheless, even in these circumstances, the covered entity must document its risk assessment and decision-making in order to support decisions that may be questioned in an examination or enforcement action.

The Guidance provides a non-exhaustive list of contractual provisions to be considered, including access controls, encryption, data breach notification, data location and transfer restrictions, subcontractors, and termination rights. Notably, the Guidance specifically advises a clause related to the use of artificial intelligence (“AI”) by the TPSP.

3. Monitoring and Oversight

Recognizing that managing risk is an ongoing process, the Guidance also takes a risk-based approach to the covered entity’s monitoring and oversight of risk throughout the lifecycle of the relationship. Among other measures, the Guidance suggests regulated entities implement third-party assessments, request attestations such as SOC 2 and ISO 27001 reports, review penetration testing summaries, conduct compliance audits and implement other measures to keep the covered entity apprised of the TPSP’s risk profile. Notably, the Guidance requires corrective action by the regulated entity to address material or unresolved risks identified by a TPSP, which should be documented in the covered entity’s risk assessment and escalated through appropriate internal risk governance channels.

4. Termination

Guidance is also provided for the termination of a TPSP relationship, including the revocation of access to systems and information, the destruction, migration or return of information, and certification by the TPSP of the same. Offboarding should be documented and logged to establish compliance with required procedures. The Guidance also expects regulated entities to take intermediate steps in advance of the end of a TPSP relationship, such as eliminating TPSP access points that become redundant or unnecessary during the course of the relationship, rather than leaving them in place until the relationship ends.

Furthermore, DFS anticipates that each TPSP relationship should inform other TPSP relationships, such that any lessons learned following termination of a TPSP should be incorporated into future third-party risk assessments and contracting practices to refine and improve TPSP lifecycle management.

*****

Particularly given the prominence of TPSPs in recent cybersecurity incidents, the Guidance should be considered carefully in every covered entity’s evergreen effort to mitigate cybersecurity risk. Because this challenge is not limited to financial services, every business would be well advised to review and consider following the best practices set forth in the Guidance.