NYDFS clarifies expectations for third-party cybersecurity risk management

Overview

On October 21, 2025, the New York State Department of Financial Services (NYDFS) issued an industry letter highlighting risks associated with third-party service providers – such as providers of cloud computing, file transfer systems, artificial intelligence (AI), and FinTech solutions – and strategies for managing these risks as part of an effective cybersecurity program under its cybersecurity regulation, 23 NYCRR Part 500 (Part 500).

The letter reflects NYDFS’s continued focus on third-party risk as a leading source of cybersecurity exposure. The letter is not a formal rule or amendment under Part 500, and it expressly states that it does not impose new requirements or obligations on covered entities. However, this prescriptive guidance signals supervisory priorities and establishes practical benchmarks for the cybersecurity protections NYDFS examiners may expect to see in covered entities’ third-party risk management programs. Covered entities should take this guidance seriously and assess whether their programs meet these expectations.

In Depth

The industry letter describes steps covered entities should consider taking to assess and address cybersecurity risks throughout the lifecycle of a third-party service provider relationship, including diligence considerations when selecting service providers, contractual protections addressing cybersecurity responsibilities, ongoing monitoring of controls, and the eventual termination of the relationship.

Some takeaways from the guidance include:

Active governance

The letter highlights the accountability of senior governing bodies and officers in effectively overseeing and managing third-party service provider-related risks. Senior governing bodies and senior officers must engage actively in cybersecurity risk management and, unless an exemption applies, sufficiently understand cybersecurity risks and be able to credibly challenge management’s cybersecurity-related decisions. The letter also emphasizes that covered entities may not delegate responsibility for compliance with Part 500 to an affiliate or a third-party service provider.

Due diligence and selection

NYDFS expects risk-based vetting of third-party service providers. The letter includes a non-exhaustive list of due diligence considerations, such as:

  • The type and extent of system and data access
  • The service provider’s reputation, including its cybersecurity history and financial stability
  • Whether the service provider’s cybersecurity program addresses the cybersecurity practices and controls required by the covered entity and Part 500
  • The criticality of the services provided and the availability of alternative service providers
  • The service provider’s use of unique, traceable accounts for personnel access and the maintenance of audit trails
  • The location of the service provider and its affiliates and vendors
  • The regular testing of incident response and business continuity plans
  • The service provider’s service provider diligence process
  • Whether the service provider undergoes external audits or independent assessments or can demonstrate compliance with Part 500 or industry cybersecurity frameworks

Contractual protections

The letter includes examples of baseline contractual provisions covered entities should consider incorporating into their third-party service provider agreements, such as:

  • Obligations to develop and implement policies and procedures addressing access controls (including multifactor authentication (MFA)) and encryption in transit and at rest
  • Cybersecurity event notifications
  • Compliance representations and warranties

The letter also recommends incorporating contract terms addressing:

  • Disclosure of where data may be stored, processed, or accessed
  • Restrictions on cross-border transfers
  • Compliance with data residency or localization laws
  • Disclosure of the use of subcontractors, and the ability to reject the use of certain subcontractors
  • Data use and sharing restrictions, data deletion or migration obligations upon termination of the service provider relationship, and appropriate certifications confirming the completion of such steps
  • Restrictions relating to the acceptable use of AI (this reinforces guidance NYDFS issued last year regarding cybersecurity risks arising from AI)
  • Remedies, such as timely remediation or early termination, in the event the service provider breaches material cybersecurity terms

Ongoing monitoring and oversight

The letter requires covered entities’ third-party risk management policies to address, to the extent applicable, periodic and risk-based assessments of service providers. The policies and procedures for ongoing service provider oversight and monitoring should be informed by a variety of factors, such as the evolving threat and regulatory landscape, changes to products and services, and whether the service provider has experienced a cybersecurity event. The letter also instructs covered entities, where relevant, to request updates on vulnerability management, access, and patching practices, and to confirm remediation of identified vulnerabilities. Covered entities should also incorporate third-party risk into their incident response and business continuity planning.

Termination

The letter outlines certain actions that covered entities should take before and after the end of a third-party service provider relationship, which include disabling the service provider’s access to the covered entity’s information systems and confirming the deletion of data from the service provider’s systems. The letter also instructs covered entities to develop a transition plan for critical services with clearly defined timelines, roles, and responsibilities to ensure a secure and orderly termination.

Next steps

NYDFS emphasized that it will continue to consider the absence of adequate third-party risk management practices in its examinations, investigations, and enforcement actions. In light of this guidance, covered entities should:

  • Reassess existing service provider relationships for compliance with Section 500.11 and related obligations under Part 500
  • Benchmark current third-party risk management policies and procedures against NYDFS’s recommended practices
  • Conduct a gap analysis of existing service provider contracts
  • Engage legal, compliance, and IT teams to enhance service provider oversight and incident response planning

Additionally, the final phase of the 2023 amendments to Part 500 went into effect on November 1, 2025. As of that date, unless an exemption applies, covered entities are required to implement 1) MFA for any individual accessing their information systems, subject to limited exceptions, and 2) written asset inventory policies and procedures. Covered entities should review their cybersecurity programs in preparation for heightened NYDFS scrutiny with respect to MFA and asset inventories in addition to third-party oversight.

If you have questions or would like to discuss any issues addressed in this client alert, contact your regular McDermott Will & Schulte lawyer or one of the authors.