NY Department of Financial Services Signals Increased Scrutiny of Third-Party Technology Risk Management

On October 21, 2025, the New York Department of Financial Services ("NYDFS") sent a letter to the executives and information security personnel at covered entities with new guidance for managing technology and data risks related to third-party service providers ("TPSPs").

According to the NYDFS, the guidance responds to increasing reliance by covered entities on TPSPs to manage technology services, such as cloud computing, file transfer systems, AI, and fintech solutions, and gaps identified by the NYDFS during recent reviews of TPSP risk management at various covered entities. 

The guidance does not impose new requirements. However, it clarifies regulatory requirements, aligning with reasonable practices for effective management of TPSP risks and promoting compliance with Part 500. 

The guidance covers four key areas and directs covered entities to:

Due Diligence

  • Maintain policies and procedures for evaluating risks TPSPs pose to information systems and non-public information ("NPI"), including minimum standards and processes for obtaining, reviewing, and validating information provided by TPSPs. 
  • Risk score each TPSP prior to onboarding, considering factors such as system access, data sensitivity, location, and the service's criticality to operations. 
  • Develop a tailored, risk-based plan to mitigate risks posed by each TPSP, taking into account a non-exhaustive list of considerations referenced in the guidance.

Contracting

  • Maintain policies and procedures describing required provisions for TPSP contracts.
  • Ensure TPSP contracts address acceptable uses and training of AI. 

Oversight

  • Maintain policies and procedures that address oversight of the TPSP, considering the evolving threat and regulatory landscape, changes to the covered entity's business, the TPSP's cybersecurity record, and other factors. 
  • Incorporate third-party risk into incident response and business continuity plans. 
  • Periodically assess TPSPs' vulnerability management, patching practices, and vulnerability remediation. 

Termination

  • Maintain processes for disabling TPSP access to systems and data and ensuring the proper disposition of NPI. 
  • Develop transition plans for critical services post-termination. 
  • Complete a risk review to confirm compliance with termination procedures. 

Covered entities should conduct a comprehensive review of their third‑party supply chain to map dependencies, validate controls, and identify gaps across onboarding, monitoring, and termination. In parallel, TPSPs should be fully integrated into the covered entity's enterprise technology visibility and risk management program—ensuring continuous asset and data inventory, risk-based oversight, and governance that aligns TPSP risk with overall operational and cyber-resilience objectives. Covered entities entering into new, or renewing existing, contracts should ensure alignment with the new guidance.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.