The New York State Department of Financial Services issued a letter on October 21, 2025 to assist regulated entities in managing the evolving cybersecurity risks associated with Third-Party Service Providers (TPSPs) that have access to sensitive nonpublic information. The guidances emphasizes a proactive, risk-based approach that spans the entire relationship lifecycle, including initial due diligence, robust contracting, continuous monitoring, and secure termination. Senior Governing Bodies and Senior Officers must remain engaged in oversight, as they are ultimately responsible for compliance and cannot delegate regulatory obligations to outside vendors. To protect data integrity, NYDFS recommends specific contractual safeguards such as multi-factor authentication, data encryption, and mandatory notification of cybersecurity incidents.

See the letter here and our section in the Gold Book.

See website for complete article licensing information.