Leaders charged with safeguarding data privacy and cybersecurity often assume that size equates to security—that large, well-resourced organizations must have airtight defenses against cyberattacks and data breaches. It's a natural assumption: mature enterprises tend to have robust policies, advanced technology, and deep security teams. Yet, as recent events remind us, even the biggest organizations can be compromised. Sophistication and scale do not guarantee immunity.
On October 21, 2025, the New York Department of Financial Services (DFS) issued guidance on managing risks associated with third-party service providers, urging the entities they regulate to take a more active role in assessing and monitoring their vendors' cybersecurity practices.
The message is clear: strong internal controls are only as good as the weakest external connection. An organization's exposure to risk extends well beyond its own systems and policies. It's a message that entities beyond those regulated by DFS should heed. Consider, for example, the DOL mandate that affects any organization sponsoring an ERISA-covered employee benefit plan – fiduciaries must assess the cybersecurity of plan service providers.
DFS emphasizes that third-party relationships—whether for data hosting, software development, cloud services, or payment processing—must be governed by a structured risk-management framework. The guidance highlights several key components: thorough vendor due diligence before onboarding, contractual provisions addressing cybersecurity responsibilities, ongoing monitoring of vendors' controls, and incident-response coordination. These expectations are not new, but DFS's renewed attention signals that regulators continue to see third-party risk as a critical vulnerability.
Importantly, the guidance reminds organizations that performing these steps is not just a compliance exercise—it's a form of self-protection. Even when a company has invested heavily in its own cybersecurity defenses, it can still be affected by a breach through a vendor's compromised system or careless employee. The reputational and financial fallout from such an event can be just as severe as if the company's own network had been directly attacked.
Organizations can take several practical steps in response:
- Assess vendor criticality and data access. Identify which vendors handle sensitive information or provide essential services. DFS suggests that entities classify vendors based on the vendor's risk profile, considering factors such as system access, data sensitivity, location, and how critical the services are to the entity's operations. Again, this is a step all organizations should consider when evaluating their vendors.
- Require detailed cybersecurity questionnaires or certifications. Review vendors' security controls, policies, and incident-response plans.
- Incorporate strong contract provisions. Ensure that agreements specify breach notification timelines, audit rights, and responsibilities for remediation costs. The DFS guidance includes several examples of baseline contract provisions, including how AI may be used in the course of performing services. There are also other important provisions DFS does not specifically call out, such as indemnity, insurance requirements, and limitation of liability. Organizations should have qualified counsel review these critical provisions to help ensure contract terms do not stray too far from initial proposals and assurances.
- Monitor continuously. Risk assessments should not be one-time exercises; regular reviews and periodic attestations help keep oversight current. Third-party service providers go through personnel changes, system updates, new offerings, and financial challenges during the term of a services agreement. These and other factors are likely to affect their data privacy and cybersecurity efforts.
- Plan for the worst. Integrate vendors into incident-response exercises so all parties understand roles and communication channels in a breach.
By taking these steps, organizations not only strengthen their own resilience but also build a defensible position if litigation follows a third-party breach. Courts and regulators increasingly look for evidence that a company acted reasonably in selecting and managing its vendors.
The DFS guidance serves as a reminder that in today's interconnected environment, no organization can outsource accountability for cybersecurity. Vigilant oversight of third-party relationships is not simply a best practice—it's an operational necessity.