New York Issues Guidance to Strengthen Oversight of Third-Party Cybersecurity Risks

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 10/31/2025
In News

The New York State Department of Financial Services (DFS) has issued new guidance urging banks, insurers, and other regulated entities to strengthen oversight of third-party service providers that handle sensitive data or connect to their systems. The directive, released October 21, 2025, emphasizes that companies remain responsible for cybersecurity compliance even when relying on outside vendors.
The guidance comes as financial institutions increasingly depend on third-party providers for cloud computing, artificial intelligence tools, fintech services, and data management. DFS warned that this growing reliance heightens exposure to cybersecurity incidents and data breaches, and said senior leadership must play a more active role in monitoring these risks.
Under the Cybersecurity Regulation, known as Part 500, boards of directors and senior officers must review and approve cybersecurity policies annually. The new guidance reinforces those requirements and outlines best practices for identifying, contracting, monitoring, and offboarding vendors. It calls for comprehensive due diligence before hiring providers, with particular attention to data access, encryption, compliance history, and use of subcontractors.
DFS also urged companies to adopt strong contract provisions addressing incident notification, access controls, and data storage locations. It cautioned against outsourcing compliance responsibilities to vendors without proper oversight, stressing that accountability ultimately rests with the regulated entity.
The guidance highlights the need for continuous monitoring of vendors, periodic risk assessments, and detailed termination procedures to ensure data is securely deleted or returned. Regulators said companies must confirm that third-party systems and personnel no longer have access once contracts end.
DFS said the new document does not create new rules but clarifies expectations under existing cybersecurity regulations. The agency will continue reviewing third-party risk management practices during examinations and consider deficiencies in future enforcement actions.
Need Help?
If you’re concerned or have questions about how to navigate the global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.