New York Regulator Releases Cybersecurity Guidelines for Third Parties

The New York State Department of Financial Services (NYDFS) has issued updated cybersecurity guidance for financial services firms concerning the management of cybersecurity risks linked to third-party service providers (TPSPs).

This guidance comes in response to the increasing reliance of financial services firms on third-party technologies, including cloud computing, file transfer systems, AI, and fintech solutions.

According to the NYDFS, the complexity and scale of cyber risks from TPSPs necessitate a proactive, risk-based, and adaptable approach to third-party governance. The agency notes the importance of enhanced due diligence, strong contractual agreements, ongoing monitoring, and effective risk management policies and procedures for TPSPs. It highlights that some firms may be outsourcing critical cybersecurity compliance tasks to third parties without sufficient oversight or verification.

While the new guidance does not introduce additional requirements or obligations, it aims to clarify existing regulatory expectations and share best practices.

Acting Superintendent Kaitlin Asrow stated, “While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk. To ensure the safe and secure operation of financial services and the protection of nonpublic information, entities must establish and maintain appropriate internal risk management controls when using third-party service providers.”