NYDFS Issues Industry Letter on Managing Service Provider Risk

On October 21, 2025, the New York Department of Financial Services (“NYDFS”) issued an industry letter providing guidance to its regulated entities on managing cybersecurity and operational risks associated with third-party service providers (“TPSPs”). The NYDFS states that the guidance does not impose new requirements, but clarifies regulatory expectations and highlights recommended practices for evaluating, contracting with, overseeing and offboarding TPSPs throughout the relationship lifecycle.

Covered Entities
The letter addresses the use of TPSPs by Covered Entities, defined under New York law as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”

Governance and Oversight
The NYDFS suggests that senior management and governing bodies maintain effective oversight of risks arising from TPSPs. The letter emphasizes that outsourcing functions does not shift responsibility for safeguarding nonpublic information or maintaining compliance with the NYDFS’ cybersecurity requirements to another party.

Pre-Engagement Due Diligence
The letter highlights the importance of assessing TPSPs before engagement. The NYDFS notes that due diligence should consider the nature of the TPSP’s access to information systems, the sensitivity of the information involved, the TPSP’s security controls, its incident-response capabilities, and any reliance on subcontractors.

Due Diligence and Contractual Protections
The NYDFS identifies specific contractual elements that Covered Entities may want to ensure are addressed in agreements with TPSPs. These include provisions related to:

  • strong access controls such as multi-factor authentication;
  • encryption of data in transit and at rest, including nonpublic information;
  • cybersecurity incident notification obligations;
  • representations and warranties regarding the TPSP’s cybersecurity policies and procedures;
  • disclosure of data storage location;
  • written approval for cross-border transfers;
  • restrictions or approvals for subcontracting;
  • data retention, return, and deletion processes; and
  • established remedies should a TPSP breach any cybersecurity-related material terms.

Ongoing Monitoring
The NYDFS suggests that oversight of TPSPs extends beyond engagement, including periodically evaluating the TPSP’s cybersecurity posture, reviewing independent assessments or certifications, monitoring for material changes, and confirming continued compliance with contractual and regulatory obligations.

Termination and Offboarding
The letter states that Covered Entities must revoke all TPSP access—including system accounts, identity-federation tools, APIs, and external storage—and suggests confirmation of deletion or return of all nonpublic information, backups, and residual datasets following termination of relevant services. The NYDFS notes that redundant or unmonitored access points should be addressed throughout the relationship. Further, the NYDFS suggests that a transition plan with defined responsibilities guide termination, informed by contractual offboarding obligations and any legal or regulatory data-retention requirements. After termination, the NYDFS suggests that entities conduct a final review, document the process, retain audit logs, and incorporate lessons learned into future TPSP risk management.

Observations From Examinations
The NYDFS reports that recent examinations and investigations have identified instances in which Covered Entities relied heavily on TPSPs without maintaining adequate oversight. The letter reiterates that responsibility for cybersecurity risk management remains with the Covered Entity, regardless of outsourcing.
