Guidance on Managing Third-Party Service Provider Risks (NYSDFS)

On October 21st, 2025 NYDFS issued guidance to help Covered Entities understand how to systematically assess, contract with, monitor and eventually terminate third-party service provider (TPSP) relationships in a manner consistent with the Cybersecurity Regulation (23 NYCRR Part 500) and industry best practices.

The guidance outlined here reflects both regulatory mandates (under 23 NYCRR Part 500) and industry best practices in TPSP governance. A robust cybersecurity program will protect your organization’s systems and information, safeguard data, and mitigate operational risk.

As third-party services continue to evolve (cloud-native providers, fintech ecosystems, AI enablement, global supply chains), so too will TPSP-related cybersecurity risks. Recent examinations by NYDFS have revealed deficiencies in how Covered Entities manage TPSP risk: weak due diligence, insufficient contractual protections, inadequate monitoring and even over-reliance on TPSPs for regulatory obligations. Covered Entities that outsourced critical compliance obligations without ensuring oversight have been subject to scrutiny and enforcement.

TPSP risk is now an integral part of the Covered Entity’s cybersecurity risk.

In recent years, financial services organizations have grown increasingly reliant on Third-Party Service Providers (TPSPs) that handle or access their information systems and nonpublic information (NPI). While such reliance brings operational advantages, it also introduces heightened cybersecurity risk: a cybersecurity incident at a TPSP can ripple back and impact the Covered Entity’s operations, data, reputation, and regulatory standing. 

Because of this, senior governing bodies and senior officers at Covered Entities must engage proactively in governance, oversight, and continuous adaptation of third-party risk management as part of their broader cybersecurity program. The new NYSDFS guidance also addresses defining the acceptable use of AI and the data it is trained on: “Where relevant, Covered Entities should consider including a clause related to the acceptable use of Artificial Intelligence (“AI”), and whether the Covered Entity’s data may be used to train AI models or be otherwise disclosed to additional parties.”

The guidance also covers the requirement to include TPSPs in the disaster recovery planning (DRP) process, incident response plans, and business continuity plans: “Where relevant, Covered Entities should request updates on vulnerability management, assess patching practices, and confirm remediation of previously identified deficiencies. Material or unresolved risk should be documented in the Covered Entity’s risk assessment and escalated through appropriate internal risk governance channels. As part of a broader resiliency strategy, Covered Entities should incorporate third-party risk into their incident response and business continuity planning.”

Conducting due diligence, monitoring, and contracting.

NYSDFS guidance reiterated the lifecycle of a third-party service provider relationship: it starts with due diligence before the contract is awarded, continues for as long as the TPSP has access to your IT systems, and ends only after termination, once you have verified that access has been revoked. The guidance included the following examples:

  1. Once a TPSP relationship is active, oversight must be continuous and aligned to risk. NYSDFS recommends that TPSPs disclose any use of subcontractors that have access to NPI.
  2. Upon termination, the TPSP should be obligated to delete, migrate, or destroy data and to provide evidence or certification that the destruction or migration is complete.
  3. TPSPs should provide warranties regarding compliance with applicable laws and regulations.
  4. NYSDFS recommends that TPSPs disclose where they will store data, who can access it, how it is secured, and how it is processed.
  5. TPSPs should provide immediate notification of any cybersecurity event that impacts NPI held by the provider.
  6. Multi-factor authentication and the other access-control security requirements of Part 500 must be implemented by TPSPs.

Example questions for conducting due diligence with a TPSP:

Access controls (linked to § 500.7 & § 500.12)
  • What level of access to our information systems or NPI does this TPSP require?
  • Are we enforcing least-privilege access for the TPSP (only what’s necessary for them to do their job)?
  • Does the TPSP use unique, auditable accounts for each individual, including subcontractors?
  • Does the TPSP enforce multi-factor authentication for access to our systems or NPI (by reference to § 500.12)?
  • How are access rights reviewed, modified or revoked when no longer required (termination, role change)?
  • Are logs maintained of TPSP access, and do we receive reports or have audit rights?

Encryption (linked to § 500.15)
  • Does the TPSP encrypt NPI in transit (over external networks) and at rest, consistent with industry standards?
  • If encryption at rest is infeasible, what compensating controls does the TPSP use, and are they approved (in our oversight) and appropriate?
  • How are encryption keys managed? Who has access? Are keys segregated?
  • Does the contract reference the encryption requirement, require evidence/certification of encryption, and require notice if encryption controls are weakened?
  • How often do we review and test the encryption and compensating controls?

Incident notification (linked to § 500.11)
  • Does the contract require the TPSP to provide immediate or timely notice of any cybersecurity event that impacts our systems or NPI?
  • What is the defined notification timeframe? What reporting format and content is required?
  • Does the TPSP have an incident response plan (and do we review/test it) that includes escalation to us, and cooperation with our incident response and business continuity plans?
  • Do we monitor for incidents at the TPSP or include them in our incident-response exercises?

Key take-aways for Covered Entities regarding TPSPs

The policies required under § 500.11 must reference specific controls drawn from other sections of Part 500, notably § 500.7 (access privilege management), § 500.12 (MFA), and § 500.15 (encryption).

  1. Your TPSP policy must cover the entire lifecycle of the TPSP relationship: from selection (due diligence) through contract, oversight, termination and remediation.
  2. The policy must tie to risk: you must classify TPSPs by risk, adopt minimum practices for higher-risk providers, and reassess periodically.
  3. Contracts with TPSPs should reference the policy and include explicit terms for access, encryption, incident notification, representations and other controls.
  4. The regulator may inspect how you execute your policy: how you evaluate TPSPs, monitor them, and respond to TPSP events.
  5. Even though § 500.11 doesn’t list every possible contractual term (such as data location, subcontractors, exit obligations), you should include them as part of a robust due diligence/contracting/oversight framework, because they support the intent of § 500.11 and will help show compliance.

Best practices for terminating a third-party service provider:

When the relationship with a TPSP ends, risk does not end there. Proper off-boarding is crucial to avoid residual access or data exposure. Best practices outlined by the latest guidance included:

  1. Revoke federated access such as OAuth tokens, SSO integrations, and API credentials.
  2. Develop a transition plan with timelines, new roles and responsibilities, offboarding obligations, and data destruction or return processes.
  3. Conduct a documented risk review following the termination of a TPSP that includes audit logs and lessons learned.
  4. Review and revoke unmonitored access points (VPN access, partner agreements, MFA enrolments).
  5. Deactivate service accounts and shared resources in a timely manner.
  6. Ensure backups or snapshots retained by TPSPs are destroyed on the TPSPs’ systems.
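The checklist above implies a verification step: after the contract ends, someone has to prove that every category of access was actually revoked, that nothing was used after the termination date, and that the TPSP has certified data destruction. The following Python script is an added example of that post-termination risk review; it is not part of the NYDFS guidance and not any vendor's tooling. The inventory records, vendor names, identifiers, category names and helper functions are all constructed for the example. In a real program the records would be exported from the identity provider, VPN gateway, API gateway, cloud IAM and backup systems.

```python
"""Post-termination residual-access check for a TPSP (illustrative, not NYDFS material)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Access categories the guidance says to revoke or confirm destroyed at termination
# (category names are assumptions for this example).
REQUIRED_KINDS = frozenset({
    "oauth_grant", "sso_federation", "api_key",     # federated access and API credentials
    "service_account", "vpn_user", "mfa_device",    # accounts and unmonitored access points
    "backup",                                       # snapshots retained on the TPSP side
})


@dataclass(frozen=True)
class AccessArtifact:
    kind: str                          # one of REQUIRED_KINDS
    identifier: str                    # constructed, non-real identifier
    vendor: str
    active: bool                       # still enabled / still exists
    last_used: Optional[datetime] = None


def _ts(day: str) -> datetime:
    """Parse a YYYY-MM-DD date as a UTC timestamp."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample inventory: no real vendors, accounts or systems.
INVENTORY: List[AccessArtifact] = [
    AccessArtifact("oauth_grant", "app-vendorx-payroll", "VendorX", False, _ts("2025-10-28")),
    AccessArtifact("service_account", "svc-vendorx-etl", "VendorX", True, _ts("2025-10-20")),
    AccessArtifact("vpn_user", "vendorx-support-02", "VendorX", True, _ts("2025-11-03")),
    AccessArtifact("backup", "snapshot-vendorx-2025-09", "VendorX", True, None),
    AccessArtifact("api_key", "key-vendory-reporting", "VendorY", True, _ts("2025-11-02")),
]


def residual_access(inventory, vendor):
    """Artifacts belonging to `vendor` that are still active."""
    return [a for a in inventory if a.vendor == vendor and a.active]


def used_after(inventory, vendor, terminated_at):
    """Artifacts of `vendor` with recorded use after the termination date.
    This is the most serious finding: it should go through incident response,
    not just be cleaned up."""
    return [a for a in inventory
            if a.vendor == vendor and a.last_used is not None and a.last_used > terminated_at]


def after_revocation(inventory, vendor):
    """Copy of the inventory with every artifact of `vendor` marked inactive,
    i.e. the state expected once remediation has been carried out."""
    return [AccessArtifact(a.kind, a.identifier, a.vendor, False, a.last_used)
            if a.vendor == vendor else a for a in inventory]


def offboarding_report(inventory, vendor, terminated_at, checked_kinds, destruction_certified):
    """Build the documented post-termination risk review.

    checked_kinds: categories whose source systems were actually queried; a
    category that was never checked cannot be attested as clean.
    destruction_certified: whether the TPSP has provided evidence of data
    destruction or migration.
    """
    residual = residual_access(inventory, vendor)
    post_use = used_after(inventory, vendor, terminated_at)
    unchecked = sorted(REQUIRED_KINDS - set(checked_kinds))

    findings = []
    for a in post_use:
        findings.append(f"ESCALATE: {a.kind} {a.identifier} used at {a.last_used.isoformat()} after termination")
    for a in residual:
        action = "obtain destruction evidence for" if a.kind == "backup" else "revoke"
        findings.append(f"REVOKE: {action} {a.kind} {a.identifier}")
    if not destruction_certified:
        findings.append("OPEN: no destruction/migration certificate received from TPSP")
    for kind in unchecked:
        findings.append(f"UNVERIFIED: {kind} systems not yet reviewed for {vendor}")

    if residual or post_use or not destruction_certified:
        status = "INCOMPLETE"
    elif unchecked:
        status = "UNVERIFIED"      # nothing found, but not every category was looked at
    else:
        status = "COMPLETE"

    return {
        "vendor": vendor,
        "terminated_at": terminated_at.isoformat(),
        "status": status,
        "residual": sorted(a.identifier for a in residual),
        "post_termination_use": sorted(a.identifier for a in post_use),
        "unchecked_kinds": unchecked,
        "findings": findings,
    }


if __name__ == "__main__":
    report = offboarding_report(INVENTORY, "VendorX", _ts("2025-11-01"),
                                checked_kinds={"oauth_grant", "service_account", "vpn_user", "backup"},
                                destruction_certified=False)
    for line in report["findings"]:
        print(line)
    print("status:", report["status"])
```

The report is the artifact the risk review in item 3 would retain: the "ESCALATE" lines are candidate cybersecurity events for incident response, the "REVOKE" lines are the remaining off-boarding work, and the "UNVERIFIED" lines make explicit which systems nobody has checked yet, which is the gap most often missed when off-boarding is done from memory rather than from an inventory.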

Technical Information

TL;DR: Due to an increased reliance on TPSPs, additional monitoring and a heightened level of due diligence must be conducted when selecting, utilizing, and eventually terminating a TPSP.

Additional Information

Regulatory Location

New York, USA

NYSDFS CRR Part 500

23 CRR-NY 500.11
23 CRR-NY 500.12
23 CRR-NY 500.7
23 CRR-NY 500.15

Glossary

Covered Entities

Defined in § 500.1(e) as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”

Third Party Service Provider (TPSP)

Defined in § 500.1(s) as “a person that: (1) is not an affiliate of the covered entity; (2) is not a governmental entity; (3) provides services to the covered entity; and (4) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.”

Frameworks

NIST Framework

CFR 208 D-2

As your reliance on TPSPs grows, the importance of rigorous vendor-risk governance, first-class contracting, continuous monitoring and disciplined off-boarding cannot be overstated.