New York Issues Fresh Cybersecurity Guidance on Third-Party Risks
Key Takeaways
- Guidance Clarifies Existing Rules: The New York State Department of Financial Services (DFS) released new cybersecurity guidance reinforcing that regulated entities remain accountable for risks tied to third-party service providers (TPSPs).
- No New Requirements: The guidance does not add new obligations but explains how firms should meet existing expectations under Part 500 of DFS’s cybersecurity regulation.
- Governance and Oversight: Boards and senior officers must play an active oversight role and possess enough cybersecurity literacy to challenge management decisions effectively.
- Lifecycle Risk Management: DFS urges a full lifecycle approach (covering vendor selection, contracting, monitoring, and termination) to manage third-party risks.
- Accountability Cannot Be Outsourced: DFS reiterated that regulated entities cannot delegate their cybersecurity compliance responsibilities to affiliates or vendors.
Deep Dive
As financial institutions continue to lean on an expanding universe of cloud, fintech, and AI providers, New York’s financial regulator is reminding them that outsourcing doesn’t mean offloading responsibility.
During Cybersecurity Awareness Month, Acting Superintendent Kaitlin Asrow of the New York State Department of Financial Services (DFS) issued new guidance urging regulated firms to tighten oversight of third-party service providers (TPSPs). The Department warned that reliance on external vendors has introduced new vulnerabilities that can quickly ripple across the financial system.
“While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk,” Asrow said.
Accountability Stays In-House
The guidance doesn’t impose new requirements. Instead, it clarifies existing obligations under DFS’s landmark cybersecurity regulation, Part 500, and offers a practical roadmap for managing third-party risk from start to finish.
DFS examiners, the Department noted, have seen recurring weaknesses in how firms evaluate and monitor vendors. Some have even attempted to delegate core compliance responsibilities to outside providers, a move Asrow made clear is not allowed.
Under the state’s rules, boards and senior officers must play an active role in cybersecurity oversight, asking questions, challenging decisions, and ensuring vendor risk management aligns with the firm’s resilience strategy. “A credible challenge,” the guidance notes, requires leadership to understand enough about cybersecurity to hold management accountable.
From Selection to Separation
The guidance walks covered entities through a full lifecycle approach to third-party risk management. Among its key expectations:
- Start Smart: Conduct risk-based due diligence before onboarding vendors, assessing their security controls, access levels, data handling, and overall reputation.
- Contract with Clarity: Include cybersecurity clauses covering access controls, data encryption, breach notifications, subcontractor disclosures, and data-location transparency.
- Stay Vigilant: Continuously monitor vendor practices through audits, attestations, patch management, and incident reporting.
- Plan the Exit: When the relationship ends, revoke access, ensure secure data deletion or transfer, and conduct a final risk review.
DFS also urges firms to account for concentration risks and legacy dependencies, issues that make switching vendors difficult and amplify exposure if a key provider suffers a cyber incident.
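The lifecycle expectations above (due diligence, contract terms, continuous monitoring, exit, and concentration risk) lend themselves to a simple periodic check over a vendor inventory. The following Python script is an added example, not part of the article or the DFS guidance: it runs over a constructed inventory (all vendor names, dates and counts are invented) and flags terminated vendors that still hold enabled credentials, active vendors whose audit or attestation evidence is missing or stale, active vendors that have not disclosed subcontractors, and providers that support several critical functions at once. Field names, thresholds and the inventory format are assumptions made for this example.

```python
"""Vendor-lifecycle checks over a constructed third-party inventory (example only)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vendor:
    name: str
    services: tuple[str, ...]       # business functions this provider supports
    critical: bool                  # provider supports at least one critical function
    contract_end: date | None       # None means the relationship is still active
    active_accounts: int            # provider credentials still enabled in our systems
    last_attestation: date | None   # most recent audit/attestation evidence received
    subcontractors_disclosed: bool  # provider has disclosed its own subcontractors


# Constructed sample inventory: names, dates and counts are invented for this example.
TODAY = date(2025, 10, 31)
SAMPLE_VENDORS = (
    Vendor("CloudHost Co", ("core banking hosting", "backup storage", "DR site"),
           True, None, 12, date(2025, 3, 1), True),
    Vendor("OldPay Gateway", ("card processing",),
           True, date(2025, 6, 30), 2, date(2024, 2, 1), True),
    Vendor("AnalyticsAI", ("fraud scoring",),
           True, None, 3, None, False),
    Vendor("Print Shop", ("statement printing",),
           False, date(2025, 9, 15), 0, date(2025, 1, 10), True),
)


def is_terminated(vendor: Vendor, today: date) -> bool:
    """A relationship is terminated once its contract end date has passed."""
    return vendor.contract_end is not None and vendor.contract_end < today


def lingering_access(vendors, today: date) -> list[str]:
    """Exit check: terminated vendors whose credentials were never revoked."""
    return sorted(v.name for v in vendors
                  if is_terminated(v, today) and v.active_accounts > 0)


def overdue_attestations(vendors, today: date, max_age_days: int = 365) -> list[str]:
    """Monitoring check: active vendors with no evidence, or evidence older than the threshold."""
    return sorted(v.name for v in vendors
                  if not is_terminated(v, today)
                  and (v.last_attestation is None
                       or (today - v.last_attestation).days > max_age_days))


def undisclosed_subcontractors(vendors, today: date) -> list[str]:
    """Contract check: active vendors that have not disclosed their own subcontractors."""
    return sorted(v.name for v in vendors
                  if not is_terminated(v, today) and not v.subcontractors_disclosed)


def concentration_risk(vendors, today: date, threshold: int = 3) -> list[str]:
    """Concentration check: one active critical provider supporting many functions at once."""
    return sorted(v.name for v in vendors
                  if not is_terminated(v, today) and v.critical
                  and len(v.services) >= threshold)


def review(vendors, today: date) -> dict[str, list[str]]:
    """Run every check and return findings keyed by check name."""
    return {
        "lingering_access": lingering_access(vendors, today),
        "overdue_attestations": overdue_attestations(vendors, today),
        "undisclosed_subcontractors": undisclosed_subcontractors(vendors, today),
        "concentration_risk": concentration_risk(vendors, today),
    }


if __name__ == "__main__":
    for check, names in review(SAMPLE_VENDORS, TODAY).items():
        print(f"{check}: {', '.join(names) if names else 'none'}")
```

The thresholds (one year for attestation evidence, three critical functions for concentration) are placeholders; a real program would take them from the firm's own risk appetite and feed the inventory from its contract and identity systems rather than from literals.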
A Broader Pattern of Scrutiny
The move adds to a growing body of guidance from regulators on both sides of the Atlantic focused on operational resilience and supply-chain cybersecurity. Similar warnings have come from the Federal Reserve, the OCC, and European authorities concerned about the fragility of critical third-party ecosystems.
For financial institutions operating in New York, the message is that technology partnerships can drive efficiency and innovation, but when things go wrong, DFS won’t accept “the vendor did it” as an excuse.
Published by the GRC Report, a news source covering governance, risk, and compliance.