The New York State Department of Financial Services (DFS) has issued cybersecurity guidance addressing risks arising from DFS-regulated entities’ increasing reliance on third-party service providers (TPSPs). The guidance reminds regulated entities that they remain ultimately accountable for protecting consumers and nonpublic information, and it clarifies expectations under DFS’s cybersecurity regulation without creating new obligations. The guidance builds on DFS’s existing cybersecurity regulation and highlights the need for appropriate internal risk management controls when using TPSPs. Issued during Cybersecurity Awareness Month, it is framed as a clarification of regulatory requirements and a set of best practices that regulated entities should consider implementing.
New York State Department of Financial Services 2025-10-21
New York State Department of Financial Services issues cybersecurity guidance on managing third-party service provider risks
The New York State Department of Financial Services issued cybersecurity guidance emphasizing the risks of relying on third-party service providers. It clarifies that regulated entities remain accountable for consumer protection and nonpublic information under existing DFS cybersecurity regulations. The guidance outlines best practices and internal risk management controls without introducing new obligations.