Oct 21, 2025
New York State Department of Financial Services (NYDFS) Acting Superintendent Kaitlin Asrow issued new guidance to covered entities (entities regulated by NYDFS) on managing the risks associated with the use of third-party service providers. In her letter, Asrow outlined the risks organizations currently face when relying on third parties and how businesses can go about mitigating the risk posed by partner organizations.
Here are five key takeaways:
- As Reliance Grows, So Do the Threats
While NYDFS specifically calls out the use of third-party “cloud computing, file transfer systems, artificial intelligence (“AI”), and fintech solutions”, the number and depth of integrations a business has with any third-party service provider greatly increase the likelihood of experiencing a cyber incident. This increase in risk is due, in part, to expanded third-party access to internal and Nonpublic Information, as well as to additional threat vectors that widen the overall attack surface of the business.
As businesses become increasingly dependent on outside resources, it is important that they understand the many ways in which a third party may be connected to their environment and relied upon for the execution of critical functions, so that they can gauge the scope and severity of an incident should one occur.
- Ensure You Assess Before You Select
Prior to onboarding prospective third parties, covered entities are advised to evaluate whether these potential partners meet baseline security requirements so that risk is properly mitigated from the outset. It is up to the business to understand the sensitivity of the information being shared, the number and nature of integrations the third party will have with the internal environment, and how critical the services provided are to maintaining business operations. These factors determine the level of risk a third party poses to the business and whether it meets the business's security criteria.
Covered entities are encouraged not only to conduct these assessments prior to third-party onboarding, but also to ensure that the assessments are repeated periodically, reviewed by qualified personnel, and that risks identified through them are properly managed once the contract is signed.
- Utilize Risk-Aware Contracts
On the topic of contracts: NYDFS encourages covered entities to incorporate third-party risk into their internal corporate policies as well as their contractual agreements. Baseline third-party risk policies should follow industry best practices and cover areas such as access control, data sharing, encryption, and event notification. These policies should, however, be tailored not only to the needs of the business but also to the nature of the relationship between the covered entity and the third party. Contractual agreements should include language obligating third parties to meet the security needs of the business, including explicitly defined acceptable-use requirements.
Artificial intelligence (AI) is explicitly called out because of its widespread adoption and the risk of data exposure through model training and misconfiguration.
- Conduct Consistent Oversight
In addition to the development of risk policies and mitigation procedures, covered entities should conduct due diligence both at the start of the agreement and periodically thereafter. Just as organizations evolve over time, security requirements evolve to adapt to an ever-changing threat landscape. Regulatory and contractual requirements may require updating as product and service offerings change or as new threats and vulnerabilities are introduced to businesses.
The key to ensuring third parties effectively implement these requirements is consistent and continuous assessment. This type of oversight includes annual security attestations, penetration testing, and compliance auditing, carried out through physical evaluations, stakeholder interviews, and gap analyses, to validate the current risk a third-party relationship poses to the covered entity. Risks discovered through these assessments that are considered material or remain unresolved should be documented and tracked to support ongoing mitigation, remediation, and awareness, especially as part of the wider business continuity / disaster recovery (BC/DR) strategy. Continuous oversight of the risks tied to each individual third party is the most important step in ensuring that emerging risks are captured and mitigated before they become a significant threat.
- Risks Don’t Always End When the Contract Ends
When offboarding an existing third-party service provider, covered entities still need to consider the security implications of terminating the agreement. Removing access to internal data and severing connections with the covered entity's environment is only one component of a secure termination process. Businesses need to account for the many ways a third party may be integrated into their systems, including the blind spots where “residual” or “unmonitored” access can persist after the relationship ends.
Securely terminating third-party connections depends on comprehensive, documented procedures. These enable the covered entity to confirm that processes are in place, and have actually been carried out, for access revocation, data destruction, and account deactivation. Businesses should then conduct a thorough review to identify any risks that surfaced during the offboarding process and address them promptly.
In conclusion, the guidance offered by NYDFS relies upon institutions to “evaluate and mitigate cybersecurity risks relevant to their own business”. Third-party risk management is an increasingly important element of a robust and comprehensive information security program, and it will continue to require sustained investment in its development and integration into day-to-day security operations.
