
On October 21, 2025, the New York Department of Financial Services (“NYDFS”) published an Industry Letter (the “Letter”) outlining guidance on managing risks related to third-party service providers (“TPSPs”). NYDFS recognizes that as Covered Entities become more reliant on TPSPs, managing TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program.” The Letter outlines the actions Covered Entities should take, and the advice they should follow, while progressing through the lifecycle of a TPSP relationship: (1) Identification, Due Diligence, and Selection; (2) Contracting; (3) Ongoing Monitoring and Oversight; and (4) Termination. While the Letter expressly states that it does not impose new requirements or obligations on Covered Entities, but rather is intended to clarify Part 500 (specifically Section 500.11) and recommend best practices, the prescriptive guidance may in practice be treated as the operative benchmark for certain (or many) Covered Entities.
Identification, Due Diligence, and Selection
Due to the increased risks associated with TPSP relationships, Covered Entities may wish to exercise caution and diligence before entering into any arrangement with a TPSP. Accordingly, the Letter outlines a non-exhaustive list of considerations for conducting due diligence on TPSPs. A few of those considerations include:
- The type and extent of the TPSP’s access to information systems and nonpublic information (“NPI”);
- The TPSP’s reputation within the industry, including its cybersecurity history and financial stability;
- The controls the TPSP has implemented for its own systems and data, particularly if the Covered Entity’s systems are not fully segregated;
- Whether the TPSP undergoes external audits and independent assessments;
- The TPSP’s practices for selecting, monitoring, and contracting with downstream service providers; and
- Whether the TPSP, its affiliates, or vendors operate in or from jurisdictions considered high-risk due to geopolitical, legal, socio-economic, operational, or regulatory factors.
In addition to the above considerations, the Letter emphasizes that Covered Entities should consider how to best obtain, review, and validate information provided by prospective TPSPs. Although standardized questionnaires may facilitate the process of gathering the required information from the TPSPs, Covered Entities must ensure that those questionnaires are interpreted by qualified personnel to allow for proper risk-informed decisions to be made. In other words, vendor due diligence questionnaires are not a “check-the-box” requirement; the completed questionnaires must be carefully evaluated by qualified personnel and actioned appropriately. Additionally, if there are limited vendor options, Covered Entities should make risk-informed decisions, document the relevant risks, and take steps to implement compensating controls.
Contracting
Covered Entities that utilize TPSPs are required to develop and implement written policies and procedures that address due diligence and contractual protections. In the Letter, NYDFS provides a few examples of “baseline contractual provisions” that Covered Entities should consider incorporating into agreements with a TPSP. Some of the provisions include:
- Develop and implement policies and procedures addressing access controls;
- Develop and implement policies and procedures addressing encryption in transit and at rest;
- Provide immediate or timely notice to the Covered Entity upon occurrence of a Cybersecurity Event directly impacting the Covered Entity’s information;
- Require TPSPs to disclose where data may be stored, processed, or accessed; and
- Require TPSPs to disclose the use of subcontractors and allow the Covered Entity to reject the use of certain subcontractors, which essentially allows Covered Entities the ability to control the use of Fourth Parties, somewhat akin to GDPR.
In addition to the above provisions, the Letter reinforces similar guidance that NYDFS provided in 2024, which we previously covered, in regard to inserting provisions in TPSP agreements that relate to the acceptable use of Artificial Intelligence (“AI”) products.
NYDFS clarified that the list provided in the Letter is neither exhaustive nor appropriate in all situations, but Covered Entities should continue to seek “reasonable protections, such as breach notification clauses, data use, and assurances regarding access controls and data handling.” Further, Covered Entities should develop medium- to long-term strategies to reduce their overall dependency on TPSPs.
Ongoing Monitoring and Oversight
A Covered Entity that utilizes a TPSP must have policies in place addressing the periodic assessment of TPSPs based on the risk that each “TPSP presents and the continued adequacy of [the TPSP’s] cybersecurity practices.” The assessments conducted by Covered Entities may include obtaining security attestations from the TPSPs (e.g., SOC 2, ISO 27001) and requiring penetration testing summaries, policy updates, evidence of security awareness training, and proof of compliance audits.
In addition to the periodic assessments, Covered Entities should request updates on a TPSP’s vulnerability management, assess its patching practices, and confirm remediation of previously identified deficiencies. Although this may be an extensive exercise for Covered Entities, the Letter indicates that Covered Entities should document any material or unresolved risks identified and escalate those risks as appropriate.
Termination
When a Covered Entity terminates its relationship with a TPSP, there are actions the Covered Entity should take to prevent potential risks from arising. Some of the actions the Letter outlines are prescriptive, including:
- Revoking identity federation tools, API integrations, and external storage access;
- Requiring certification of destruction of NPI, secure return of data, or migration of data to another TPSP or internal environment;
- Confirming that any remaining snapshots, backups, or cached datasets are deleted and access to any shared resources is revoked;
- Giving special attention to residual or unmonitored access points that fall outside routine access provisioning systems; and
- Engaging key stakeholders, including IT, legal, compliance, procurement, and business units, to identify strategies to mitigate potential risks when planning to terminate.
Notably, in addition to the above actions a Covered Entity should take during the termination period, Covered Entities should ensure that the offboarding process is properly documented and that all relevant audit logs are retained to support accountability and future verification.
NYDFS made it clear that it will continue to “consider the absence of appropriate TPSP risk management practices by Covered Entities in its examinations, investigations, and enforcement actions.” As such, although the Letter does not formally impose any new requirements for Covered Entities, Covered Entities are strongly encouraged to review the Letter and implement the practices identified by NYDFS to strengthen their cybersecurity posture.