You may find it unusual that we are commenting on actions of the New York State Department of Financial Services (NYSDFS), since virtually none of our clients are subject to NYSDFS regulation. However, our clients should find useful the NYSDFS guidance on managing risks related to third-party service providers, issued on October 21, 2025 (the Guidance). The Guidance does not impose new requirements or obligations on New York regulated institutions, but it complements the existing regulations and guidance issued by federal banking regulators, clarifies regulatory requirements, and recommends industry best practices to mitigate common risks associated with third-party service providers (TPSPs), all of which institutions not regulated by the NYSDFS should find helpful. The NYSDFS issued the Guidance after identifying the need for more robust diligence, contractual provisions, monitoring and oversight, and TPSP risk management procedures, especially when critical cybersecurity compliance obligations are outsourced to TPSPs. The NYSDFS notes that exposure to threats continues to grow as financial institutions increasingly rely on cloud computing, file transfer systems, artificial intelligence (AI), and fintech solutions.
The NYSDFS notes that financial institutions should classify TPSPs according to each TPSP's risk profile, considering factors such as system access, data sensitivity, location, and how critical the service is to the institution's operations. Providers of critical services often have a high degree of system-level access and the ability to reach sensitive, nonpublic, personal, and proprietary information, so they generally warrant the most scrutiny.
To mitigate risks imposed by a potential TPSP partner, NYSDFS recommends the following considerations when performing due diligence on the TPSP:
- The type and extent of access to information systems and nonpublic personal information (NPI)
- The TPSP's reputation within the industry, including its cybersecurity history and financial stability
- Whether the TPSP has developed and implemented a strong cybersecurity program that addresses, at a minimum, the cybersecurity practices and controls required by the institution and its primary federal regulator
- The access controls the TPSP applies to its own systems and data and to its access to the institution's information systems, together with its proposed handling and storage of the institution's data, including whether controls such as data segmentation and encryption are applied in proportion to the sensitivity of the data
- The criticality of the service(s) provided and the availability of alternative TPSPs
- Whether the TPSP uses unique, traceable accounts for personnel accessing the institution's systems and data and whether it maintains audit trails
- Whether the TPSP, its affiliates, or its vendors are located in, or operate from, a country, territory, or jurisdiction that is considered high risk based on geopolitical, legal, socioeconomic, operational, or other regulatory risks
- Whether the TPSP maintains and regularly tests its incident response and business continuity plans
- The TPSP's practices for selecting, monitoring, and contracting with downstream service providers (fourth parties)
- Whether the TPSP undergoes external audits or independent assessments (e.g., ISO/IEC 27000 series, HITRUST) or can otherwise demonstrate, in writing, compliance with industry frameworks such as the National Institute of Standards and Technology's Cybersecurity Framework
It is up to the institution to determine how best to obtain, review, and validate the information provided by the prospective TPSP; self-reported answers to a questionnaire carry less weight than independent assessments, audit reports, or evidence the institution can verify itself.
The contract with the TPSP should incorporate the following NYSDFS-recommended baseline contract provisions:
- Access Controls — Requirements for TPSPs to develop and implement policies and procedures addressing access controls, including multifactor authentication.
- Data Encryption — Obligations to develop and implement policies and procedures addressing encryption in transit and at rest.
- Cybersecurity Event Notification — Provisions related to the immediate or timely notice to the institution upon the occurrence of a cybersecurity event directly impacting the institution's information systems or NPI being held by the TPSP.
- Compliance Representations — Obligations for the TPSP to provide representations and warranties regarding compliance with applicable laws and regulations.
- Data Location and Transfer Restrictions — Requirements for the TPSP to disclose where data may be stored, processed, or accessed; to obtain prior written approval for cross-border transfers (or a full prohibition of such transfers); and to comply with applicable data residency or localization laws. Although this contractual provision is not explicitly required by any regulation, institutions can analyze the risk to sensitive data, including NPI, more effectively when they know where that data is stored and processed.
- Subcontractors — Requirements for the TPSP to disclose any subcontractors that may access or use the institution's information systems or NPI, and a right for the institution, after conducting appropriate due diligence, to reject the use of particular subcontractors for work on its information systems or NPI. Although this practice is not required by regulation, institutions can analyze the risk to sensitive data, including NPI, more effectively when they know which additional parties will handle it.
- Data Use and Exit Obligations — Restrictions related to the use and sharing of data, obligations to delete or migrate data held by the TPSP upon termination of the relationship, and obligations to obtain appropriate certifications confirming the completion of these steps.
Financial institutions should also consider provisions concerning the acceptable use of AI and whether the institution's data may be used to train AI models or otherwise be disclosed to additional parties. Finally, the agreement should include remedies in the event that the TPSP has breached any of the material terms of the agreement related to cybersecurity, including timely remediation or permitting early termination.
Following execution of the contract, the TPSP must be periodically reassessed in proportion to the risk it presents, taking into account the evolving threat and regulatory landscapes, changes to the products and services it provides, and whether the TPSP has experienced a cybersecurity event. The continued adequacy of the TPSP's cybersecurity practices must be assessed, which may include reviewing security attestations, penetration testing summaries, policy updates, evidence of security awareness training, and compliance audits. In addition, a financial institution should request updates on the TPSP's vulnerability management and patching practices, as well as confirmation that previously identified deficiencies have been remediated. If material or unresolved risks remain, they should be documented in the risk assessment and escalated through the institution's risk governance channels.
Upon termination of a contract, the financial institution must make provisions to disable the TPSP's access to the institution's information systems. This includes revoking access for TPSP personnel and subcontractors and deactivating service accounts. Where the TPSP provides cloud-based services, the institution should also revoke identity federation trusts, application programming interface (API) integrations, and external storage access, none of which are removed simply by disabling the vendor's named user accounts. The institution should require certification of the destruction of NPI and secure the return of its data or its migration to another TPSP or an internal environment. The financial institution should also confirm that any remaining snapshots, backups, or cached datasets have been deleted from the TPSP's systems.
As noted above, although most banks are not regulated by the NYSDFS, the NYSDFS recommendations listed above constitute industry best practices and dovetail with the expectations of the federal banking regulators. Financial institutions should therefore consider them both for regulatory purposes and as a matter of cybersecurity hygiene.
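As an added example (not from the article or from the NYSDFS Guidance), the following Python audits a constructed inventory of grants for access that survives a vendor's offboarding. The grant kinds, vendor names, identifiers, and dates are hypothetical. It illustrates the termination step described above: disabling the vendor's named staff accounts leaves service accounts, federation trusts, API keys, and storage shares live, and any grant exercised after the termination date is the highest-priority finding.

```python
"""Residual-access audit for an offboarded third-party service provider (TPSP).

Constructed example: models the grants an institution typically extends to a
vendor and reports which ones remain live after the contract ends. Every
identifier below is hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One access path or data copy extended to a vendor (hypothetical schema)."""
    kind: str                        # user | service_account | federation_trust | api_key | storage_share | snapshot
    name: str
    vendor: str
    active: bool
    last_used: Optional[date] = None


# Access paths not tied to a named person: disabling the vendor's staff
# accounts in the directory does nothing to these.
NON_HUMAN = {"service_account", "federation_trust", "api_key", "storage_share"}
# Vendor-held copies of institution data rather than access paths.
DATA_RESIDUE = {"snapshot"}


def residual_access(grants, vendor, terminated_on):
    """Return findings for `vendor`, whose contract ended on `terminated_on`.

    Each finding is (severity, grant name, reason), ordered most serious first:
      critical - still-active grant exercised after termination (treat as an incident)
      high     - active non-human access path that survives user deactivation
      medium   - named user account still enabled
      data     - vendor-held data copy whose deletion is not yet confirmed
    """
    findings = []
    for g in grants:
        if g.vendor != vendor:
            continue
        if g.kind in DATA_RESIDUE:
            if g.active:
                findings.append(("data", g.name, "vendor data copy still present"))
            continue
        if not g.active:
            continue
        if g.last_used is not None and g.last_used > terminated_on:
            findings.append(("critical", g.name, f"{g.kind} used on {g.last_used} after termination"))
        elif g.kind in NON_HUMAN:
            findings.append(("high", g.name, f"{g.kind} survives user deactivation"))
        else:
            findings.append(("medium", g.name, "named account still enabled"))
    order = {"critical": 0, "high": 1, "medium": 2, "data": 3}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def offboarding_complete(grants, vendor, terminated_on, destruction_cert_received):
    """Offboarding is done only when nothing is live AND destruction is certified."""
    return not residual_access(grants, vendor, terminated_on) and destruction_cert_received


# Constructed inventory: the vendor's staff accounts were disabled on the
# termination date, but the machine-to-machine paths and a backup were missed.
INVENTORY = [
    Grant("user", "jdoe@vendor.example", "acme-ops", active=False),
    Grant("user", "asmith@vendor.example", "acme-ops", active=False),
    Grant("service_account", "svc-acme-batch", "acme-ops", active=True, last_used=date(2025, 11, 3)),
    Grant("federation_trust", "saml:acme-ops-idp", "acme-ops", active=True),
    Grant("api_key", "ak-acme-reporting", "acme-ops", active=True, last_used=date(2025, 10, 20)),
    Grant("storage_share", "s3://bank-exports/acme/", "acme-ops", active=True),
    Grant("snapshot", "backup-2025-10-15-acme", "acme-ops", active=True),
    Grant("api_key", "ak-other-vendor", "other-vendor", active=True),
]
TERMINATED = date(2025, 10, 31)

if __name__ == "__main__":
    for sev, name, why in residual_access(INVENTORY, "acme-ops", TERMINATED):
        print(f"[{sev:8}] {name}: {why}")
    print("offboarding complete:",
          offboarding_complete(INVENTORY, "acme-ops", TERMINATED, destruction_cert_received=False))
```

In practice the inventory would be assembled from the directory, the identity provider's federation configuration, cloud IAM trust policies and access keys, and storage bucket or share policies; the snapshot entries depend on the TPSP's own attestation, which is why the completion check also requires the written destruction certificate.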