NY Regulator Tightens Oversight on Third-Party Cyber Risks

The New York State Department of Financial Services (NYDFS) has released new guidance urging financial institutions to strengthen cybersecurity governance over third-party service providers (TPSPs). As banks increasingly rely on external technologies—such as cloud platforms, AI tools, and fintech systems—cyber risks tied to these providers have grown significantly.

NYDFS calls for a proactive, risk-based, and adaptive oversight framework, emphasizing due diligence, clear contractual terms, and continuous monitoring. The guidance highlights industry gaps, noting that some firms outsource critical cybersecurity functions without proper oversight—a risk the new measures aim to mitigate.

Though not legally binding, the guidance clarifies regulatory expectations and promotes best practices. Acting Superintendent Kaitlin Asrow stressed that while third-party tools bring innovation, financial firms remain fully responsible for safeguarding consumer data and securing their systems.

NYDFS reminds institutions that accountability cannot be outsourced. Firms must maintain strong internal controls and integrate cybersecurity into their third-party risk frameworks to defend against evolving threats. The move reaffirms NYDFS’s commitment to protecting the financial ecosystem amid growing digital dependencies.
