ARTICLE
21 January 2026

NYDFS TPRM Guidance: What Financial Institutions Need To Know

Kanishk Mehta, Kaufman Rossin

Third-party relationships are the lifeblood of modern financial innovation. From cloud computing and fintech partnerships to artificial intelligence, reliance on outside experts allows institutions to scale faster and work smarter. But this interconnectedness comes with a steep price tag: increased cyber risk.

On October 21, 2025, the New York State Department of Financial Services (NYDFS) released critical new guidance on managing risks related to third-party service providers (TPSPs). This isn't just another memo to file away; it is a clarification of the existing Cybersecurity Regulation (Part 500) and a direct signal of what examiners will be looking for in upcoming reviews.

If you are a Covered Entity under NYDFS regulation, understanding this guidance is no longer optional. It clarifies that you cannot outsource your risk management responsibilities, even if you outsource your operations. This article breaks down the key pillars of the new expectations—from governance and due diligence to ongoing monitoring and termination—offering actionable steps to help your Third-Party Risk Management (TPRM) program meet regulatory standards with confidence.

Governance and oversight: It starts at the top

One of the strongest messages in the new guidance is that TPRM is a boardroom issue, not just an IT problem. The NYDFS has observed a concerning trend where institutions delegate critical cybersecurity compliance obligations to vendors without sufficient oversight.

To correct this, the guidance emphasizes that Senior Governing Bodies (like the Board) and Senior Officers (like the CISO) must be actively involved. This goes beyond “checking the box” on annual reports.

What is expected of leadership?

  • Active Engagement: Leadership must possess a sufficient understanding of cybersecurity matters to exercise appropriate oversight. This includes the ability to “credibly challenge” management's decisions regarding third-party risk.
  • No Delegation of Responsibility: While you can delegate tasks to a vendor, you cannot delegate the responsibility for compliance. The responsibility lies with the institution.
  • Annual Policy Review: Your cybersecurity policies—including those addressing TPRM—must be reviewed and approved at least annually by a Senior Officer or the Senior Governing Body.

Actionable Insight: Does your Board have the cyber literacy required to challenge your CISO's vendor selection? If not, consider targeted training sessions to bridge the gap between technical risk and business strategy.

Identification, due diligence, and selection

Before you sign a contract, you must understand who you are doing business with. The guidance stresses that due diligence must be risk-based. Not all vendors are created equal, and your assessment process should reflect that.

Risk classification

You should classify third parties based on their risk profile. A cleaning service that doesn't touch your data requires different scrutiny than a managed service provider with administrative access to your core banking platform.

When classifying risk, consider factors such as the vendor's level of access: do they have privileged access to your information systems? Evaluate data sensitivity: will they handle Non-Public Information (NPI)? Assess how critical their services are to your daily operations, and consider their geography: are they located in a high-risk jurisdiction, or are all of their core services performed from a single region?

The due diligence checklist

Covered Entities need a tailored, risk-based plan for every onboarded vendor. The NYDFS suggests assessing:

  • Access Controls: Do they use Multi-Factor Authentication (MFA) and unique accounts?
  • Encryption: How do they protect your data while at rest and in transit?
  • Supply Chain: How do they manage their vendors (your fourth parties)?
  • Financial Stability & Reputation: Do they have a history of security incidents?
  • Business Continuity: Do they regularly test their incident response and business continuity plans?

Pro Tip: Don't just rely on a standardized questionnaire. Verify the answers. If a vendor claims to be compliant with NIST or ISO standards, ask for the audit report or certification to prove it.

Contracting: put it in writing

Strong contracts are your first line of defense when things go wrong. The guidance outlines specific contractual provisions that Covered Entities should consider to protect their interests. These provisions establish your security standards as their contractual obligations.

Baseline contract provisions

  • Access & Encryption: Mandate MFA and encryption for data both in transit and at rest.
  • Notification Requirements: Define clear timelines for the vendor to notify you of a cybersecurity event. You need time to understand the impact and your obligations.
  • Subcontractor Transparency: Require disclosure of downstream subcontractors. Ideally, you should have the right to reject a subcontractor if they don't meet your security standards.
  • Data Location: Know where your data lives. Consider restrictions on cross-border data transfers.
  • Right to Audit: Include provisions that give you the ability to verify their compliance through audits or third-party assessments.

Addressing AI risk

The guidance specifically highlights the need for AI-specific terms. If you are using a vendor that leverages Artificial Intelligence, your contract should address whether your data can be used to train their models. Without explicit restrictions, your proprietary data could inadvertently become part of a public model.

Ongoing monitoring: Due diligence doesn't end at signing

A common pitfall in TPRM programs is the “set it and forget it” mentality. The risk profile of a vendor can change overnight due to a new zero-day vulnerability, a merger, or a change in their subcontractors.

The NYDFS requires continuous monitoring aligned with the risk level of the vendor.

What should you monitor?

Monitor key areas that signal your vendor's ongoing security and compliance posture. Regularly review security metrics, including penetration test summaries, vulnerability reports, and patching cycles. Request updated compliance artifacts, such as SOC 2 reports or ISO certifications, at least annually. Stay informed about the external threat landscape by checking whether the vendor has experienced any recent cybersecurity incidents.

Key Question: If a critical vendor goes offline tomorrow, do you have a plan? The guidance insists that third-party risk must be integrated into your Incident Response and Business Continuity Plans. You need to know how you would transition to an alternate provider or manual process if a disruption occurs.

Termination: the art of a clean break

Ending a vendor relationship is often riskier than starting one. When a contract ends, confirm that their access is revoked and your data is returned or destroyed. The guidance explicitly states that Covered Entities must have a clear offboarding plan for critical services.

The offboarding checklist

  1. Revoke Access: Immediately disable system access for all vendor personnel. This includes deactivating service accounts, API tokens, and SSO integrations.
  2. Data Destruction: Require the vendor to certify that all NPI has been securely deleted or returned.
  3. Unmonitored Access Points: Check for “shadow” access points that may have been created outside of routine provisioning systems.
  4. Final Risk Review: Conduct a post-termination review to confirm all obligations were met and document lessons learned for future contracts.

Legal Hold Note: Before demanding data destruction, verify that the data isn't subject to a legal or regulatory hold. You don't want to accidentally destroy evidence required for litigation.

Turning NYDFS guidance into action

The October 2025 guidance from the NYDFS serves as a reminder that in a hyper-connected financial ecosystem, your perimeter extends to your third-party providers. Managing this risk requires more than just paperwork; it demands active leadership, dynamic monitoring, and robust contractual enforcement.

By aligning your TPRM program with these expectations, you do more than just pass an exam. You build a resilient institution capable of withstanding the inevitable shocks of the digital supply chain.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.