The New York State Department of Financial Services (NYDFS) has released updated cybersecurity guidance outlining how financial services firms should manage risks associated with third-party service providers (TPSPs).

The guidance comes as financial institutions increasingly rely on third-party technologies such as cloud platforms, file transfer systems, artificial intelligence tools, and fintech applications. This growing dependence, the NYDFS warns, has expanded the scale and complexity of cybersecurity threats across the sector.

“The growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance,” the regulator said in a letter to the entities it supervises.

The NYDFS emphasized the need for stronger due diligence, contractual safeguards, ongoing monitoring, and comprehensive TPSP risk management policies. The agency noted that some firms have been outsourcing critical cybersecurity compliance functions without maintaining sufficient oversight or verification processes.

While the new document does not introduce additional regulatory obligations, it aims to clarify existing requirements and promote best practices across the financial services industry.

“Third-party service providers have driven innovation and enabled significant efficiencies in our financial system,” said Acting Superintendent Kaitlin Asrow, “but regulated entities remain ultimately accountable for protecting consumers and managing risk. To ensure the safe and secure operation of financial services and the protection of nonpublic information, firms must maintain appropriate internal risk management controls when engaging third-party providers.”