
New York Department of Financial Services (NYDFS) Clarifies Expectations for Third-Party Cybersecurity Risks Under its Cybersecurity Regulation, and Additional Amendments Go into Effect on November 1, 2025

On October 21, 2025, NYDFS, the New York State agency responsible for regulating financial services and products, issued an Industry Letter clarifying how “Covered Entities”[1] should manage cybersecurity risks arising from Third‑Party Service Providers (TPSPs) under the NYDFS Cybersecurity Regulation (23 NYCRR Part 500).
The Industry Letter outlines a structured approach for Covered Entities to manage TPSP cybersecurity risks across the lifecycle of third-party relationships. This alpha to omega approach spans initial due diligence, contractual protections, and ongoing monitoring through eventual termination. Moreover, the guidance previews how NYDFS examiners will assess TPSP due diligence, contractual controls for TPSPs, and TPSP oversight. The Industry Letter also highlights the direct accountability of senior governing bodies and officers for overseeing and managing these risks effectively. The Industry Letter underscores that Covered Entities’ compliance responsibilities cannot be delegated to third parties.
Relatedly, a significant compliance milestone is imminent – the last phase of the 2023 amendments to the NYDFS Cybersecurity Regulation (Cybersecurity Amendments) will go into effect on November 1, 2025. As of that date, Covered Entities will be required to implement: (1) multi-factor authentication (MFA) for all individuals accessing their information systems (with only limited exceptions), and (2) asset inventories designed to track key attributes for each data asset.
Why This Matters Now
The Industry Letter clarifies existing requirements and expectations for Covered Entities. Critically, the guidance specifies how NYDFS examiners will evaluate TPSP programs, and details documentation that examiners may expect to see with respect to TPSP governance and oversight, due diligence, and contracting. Also, because the NYDFS’s Cybersecurity Amendments will become fully effective on November 1st, organizations should be prepared for heightened NYDFS scrutiny pertaining to the additional requirements relating to MFA and asset control in regulatory cybersecurity examinations and enforcement actions. As a practical matter, in the past, NYDFS cybersecurity examinations have precipitated certain enforcement actions.
Key Guidance from the Industry Letter
- Governance and Oversight: Covered Entities must ensure senior management and board members:
- possess a sufficient understanding of cybersecurity issues related to TPSPs;
- receive regular reporting from the Chief Information Security Officer (CISO); and
- can credibly assess management decisions regarding TPSP risks.
- TPSP Due Diligence: The guidance outlines baseline due diligence steps Covered Entities should apply to TPSPs pursuant to the Cybersecurity Regulation.
- While the Industry Letter details that these efforts should be tailored and risk-informed, it includes a non-exhaustive list of topics Covered Entities should consider, including:
- the type and extent of access to Information Systems and non-public information (NPI);
- the TPSP’s reputation;
- the TPSP’s cybersecurity program and whether it meets the Cybersecurity Regulation requirements;
- access controls implemented by the TPSP;
- the criticality of the service provided;
- the possibility for audit trails by the TPSP;
- the locality of the TPSP, its affiliates, or vendors;
- whether the TPSP tests its incident response and business continuity plan;
- the TPSP’s vendor diligence process; and
- whether the TPSP undergoes external audits/assessments (e.g., ISO/IEC 27000 series, HITRUST).
- Recommended Contractual Provisions: The Industry Letter identifies baseline contractual terms that NYDFS states should be standard practice for Covered Entities to include pursuant to the Cybersecurity Regulation. These include:
- clearly defined access control obligations, including the use of MFA under 500.12;
- encryption standards pursuant to 500.15;
- cybersecurity event notification provisions; and
- compliance representations under applicable law, including the Cybersecurity Regulation.
NYDFS additionally recommends incorporating contract terms addressing:
- data location and residency;
- restrictions on data transfers;
- subcontractor disclosures;
- data-use limitations and data deletion obligations upon termination of the relationship;
- restrictions related to artificial intelligence data usage; and
- remedies in the event a TPSP has breached cybersecurity terms of the agreement.
- Operational Monitoring: Covered Entities should conduct periodic, risk-based assessments for all TPSPs. Covered Entities are expected to review TPSPs based on initial due diligence considerations, as well as risk-based developments (e.g., changes to products and services, evolving threat landscape, and whether the TPSP has experienced a security incident). The Industry Letter details that Covered Entities should consider:
- obtaining and reviewing third-party audit reports;
- penetration testing results;
- vulnerability and patch management evidence; and
- evidence of remediations.
The guidance also emphasizes that TPSP risk scenarios should be integrated into broader incident response and business continuity planning and exercises.
- Termination Practices: In the Industry Letter, NYDFS emphasizes the importance of clearly defined termination protocols for TPSPs. Covered Entities must ensure that TPSP system access – including service accounts and application interfaces – is promptly revoked upon termination. Obligations should include certified return or deletion of all data held by the TPSP and documentation confirming compliance.
- Additional Obligations for Covered Entities under the Cybersecurity Amendments (Effective November 1, 2025):
- MFA Requirements: MFA must be used for any individual accessing any information systems of a Covered Entity, subject only to the limited exemption in Section 500.19(a), in which case MFA must still be used for remote access, access to third-party applications containing NPI, and all privileged accounts (excluding certain service accounts).
- Asset Inventory: Covered Entities must maintain a complete, current asset inventory capturing, at a minimum, owner, location, classification/sensitivity, support/decommission dates, and recovery time objectives.
Conclusion: As a primary regulator of cybersecurity, NYDFS has again raised the stakes. Data security is imperative – and the stakes are rising. Cyber threats are ubiquitous and increasing in frequency and intensity. Threat actors are utilizing increasingly sophisticated artificial intelligence and other tactics to attack companies in an effort to wreak havoc and extort huge ransom payments. NYDFS’s Industry Letter clarifies examiner expectations for TPSPs, while the November 1, 2025 MFA and asset‑inventory requirements become fully effective soon.
Protecting sensitive data is critical – for the protection of financial services customers, and for the companies charged with that responsibility. Compliance with the newly-released NYDFS guidance and full Cybersecurity Amendments should not wait. It is required, and it is also good business.
[1] A Covered Entity is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.” N.Y. Comp. Codes R. & Regs. tit. 23, § 500.1(e) (2025).
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

