As organizations increasingly rely on third-party service providers (TPSPs) for critical services, including cloud computing, IT management, and fintech solutions, the scale and complexity of cyber risks have grown. A recent industry letter from the New York State Department of Financial Services (NYSDFS) provided guidance to regulated entities on managing cybersecurity risks associated with TPSPs.
This guidance, directed to all NYSDFS-regulated entities, clarifies existing obligations under the department’s cybersecurity regulation and outlines best practices for managing risks associated with TPSPs. It further serves as sound guidance for all organizations, especially financial institutions, in their dealings with third parties that have access to their protected information.
Here are four key takeaways for companies.
1. Risk-Based Assessment and Documentation: Entities should manage TPSPs with a risk-based approach, beginning with a clear understanding and documentation of the risks each TPSP relationship presents. Risk assessments should consider the type and extent of system and data access, the sensitivity of information involved, the criticality of the services provided, and the TPSP’s cybersecurity posture. Based on a TPSP’s risk profile, entities should tailor mitigation strategies to the level and nature of the risk presented, including the scope of due diligence, contractual protections, oversight mechanisms, and contingency planning.
2. Lifecycle Management of TPSP Relationships: The NYSDFS guidance outlines a lifecycle approach to engagement with TPSPs, with specific expectations at each stage.
- Identification, Due Diligence, and Selection: Covered entities (meaning persons operating under, or required to operate under, a license or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law) are expected to assess each TPSP’s risk profile before entering into an agreement with it. This includes evaluating the level of access to information systems and nonpublic information; the provider’s reputation, financial stability, and cybersecurity history; and the existence and adequacy of the TPSP’s cybersecurity program and its alignment with NYSDFS requirements. Entities should also consider the use of privileged accounts, audit trails, and controls for data handling and storage, as well as the location of the TPSP and its affiliates, its incident response and business continuity planning, its oversight of downstream providers, and the presence of external audits or certifications. Entities can use standardized questionnaires to collect this information, but qualified personnel should interpret the responses and make risk-informed decisions.
- Contracting: Written policies and procedures should also set contractual requirements for TPSPs that reflect each TPSP’s risk profile. For example, contracts should define access controls, specifying who may access the entity’s systems and data and under what circumstances. Encryption requirements should be articulated for data both in transit and at rest, so that sensitive information remains protected throughout its lifecycle. Notification obligations must be explicit, requiring prompt and detailed reporting of any cybersecurity event that could affect the covered entity’s information systems or nonpublic information. The use of artificial intelligence (AI), including the sharing of data for AI training, should also be addressed. Finally, contracts should provide meaningful remedies for material breaches, including requirements for timely remediation or, where necessary, the right to terminate the agreement early.
- Ongoing Monitoring and Oversight: After a contract is entered into, entities should continue to monitor TPSP cybersecurity programs and confirm that those programs remain aligned with the entity’s expectations and contractual obligations. Periodic assessments should be conducted, including review of security attestations, penetration testing results, policy updates, and evidence of security awareness training. Entities should assess vulnerability management and remediation of deficiencies, document and escalate unresolved or material risks, and integrate TPSP risk into incident response and business continuity planning, including testing transition strategies for critical services.
- Termination: Termination of TPSP relationships should be planned for and conducted securely, with orderly offboarding. This includes disabling all TPSP access to information systems; revoking identity federation, API integrations, and external storage access; and requiring certification of data destruction or the secure return or migration of data. In addition, businesses should proactively address residual or unmonitored access points, review contractual offboarding obligations, and retain necessary audit logs. Finally, companies should conduct a post-termination risk review and incorporate lessons learned into future practices.
3. Senior Leadership Involvement and Judgment: Senior governing bodies and officers, such as boards of directors, must be actively engaged in TPSP risk management, with sufficient understanding to provide credible challenge to management decisions. Policies and procedures must be reviewed and approved at least annually. Documentation of risk assessments, due diligence, contractual terms, and ongoing monitoring is critical for demonstrating compliance and effective oversight.
4. Managing Constraints in Third-Party Service Provider Selection: The NYSDFS recognizes that, in some situations, organizations may face significant constraints when selecting or transitioning away from a TPSP. These constraints can arise due to limited vendor options, market concentration, or operational dependencies. In such cases, it is important for organizations to document both the risks associated with the relationship and the rationale for maintaining it. Regular reassessments of the relationship are advised to determine if viable alternatives have emerged over time.
TPSP risk management is not a one-time exercise but an ongoing, risk-based process requiring active oversight, thorough documentation, and continuous improvement. The recent industry letter from the NYSDFS is another example of how seriously state and federal regulators are treating cybersecurity risks involved in a company’s day-to-day operations.
For more information, please contact us or your regular Parker Poe contact.