Managing Third‑Party Risk & the Final Phase of the NYDFS Cybersecurity Rule
Introduction
For financial institutions and other entities regulated by the New York Department of Financial Services (NYDFS), the coming months represent a critical juncture in cybersecurity compliance. On one front, new third‑party service provider (TPSP) guidance issued by NYDFS (October 2025) delivers enhanced expectations for managing outsourced risk. On the other, the final set of requirements under the second amendment to the cybersecurity rule (23 NYCRR Part 500) went into effect on November 1, 2025 — the expanded multi‑factor authentication (MFA) mandate and a formalized comprehensive asset inventory program. Together, these changes underscore the regulator’s intensifying posture toward cybersecurity governance, controls, and third‑party ecosystems. This article explores how entities should align their third‑party risk frameworks and internal controls to satisfy both sets of obligations.
Part I: NYDFS Guidance on Third‑Party Service Provider Risk
On October 21, 2025, NYDFS issued fresh guidance addressing the growing cybersecurity risk posed by a Covered Entity’s (a business required to operate under a license, registration, or similar authorization of New York banking, insurance, and financial services laws) reliance on third‑party service providers. Acting Superintendent Kaitlin Asrow highlighted that while outsourcing certain business functions to cloud providers, fintech platforms, and data processors may drive innovation and efficiency, a Covered Entity remains fully responsible for protecting consumer data and maintaining adequate risk controls. The guidance underscores that third‑party relationships are not immune to oversight simply because the function has been “outsourced.”
NYDFS outlines four discrete stages for third‑party risk management:
1. Identification, Due Diligence, and Selection
Covered Entities should classify providers by risk (level of system access granted and sensitivity of the data handled) and assess each provider’s cybersecurity history, access controls, data‑handling practices, and alignment with frameworks such as those of the National Institute of Standards and Technology (NIST). This includes assessing whether a TPSP handles nonpublic information (NPI), has system‑level access, and whether it supports compliance with Part 500.
2. Contracting
A Covered Entity’s written agreements with TPSPs should include:
- Access‑control obligations (including MFA where applicable);
- Encryption in transit and at rest;
- Incident‑notification obligations (vendors must notify the regulated entity promptly);
- Data‑location/transfer limitations (especially where cross‑border or cloud services are used);
- Subcontractor disclosure and approval provisions;
- Data return or deletion obligations on offboarding; and
- AI‑use clauses (whether the TPSP may use the entity’s data to train models).
3. Ongoing Monitoring and Oversight
Vendor risk is not a “set it and forget it” exercise. The guidance urges periodic reassessments of vendor security programs, review of audit attestations and test results, documentation of remediation efforts, and integration of TPSP risk into a Covered Entity’s incident‑response and business continuity (BCP) plans. Material unresolved risks should prompt escalation through proper governance channels.
4. Termination and Off‑boarding
At the conclusion of a third‑party relationship, Covered Entities must ensure access credentials and system connections are revoked, nonpublic information is securely migrated or deleted, and audit logs are retained. The “lessons learned” are to be fed back into future vendor‑risk management.
Across all four stages, Covered Entities should treat TPSPs as an extension of their cybersecurity perimeter and ensure documented oversight at each stage.
Takeaways
Covered Entities should treat TPSPs as an extension of their cybersecurity perimeter: The vendor’s controls and risks become their own. Contracting terms must be robust and aligned with technology, cloud, fintech, and AI‑related risks — not just standard IT outsourcing. In the event of supervisory attention, oversight must be documented (e.g., proof of due diligence, monitoring results, governance escalation, and termination procedures). If a Covered Entity’s TPSP has an incident that impacts the Entity itself, the business should be prepared to demonstrate how that vendor relationship was governed, how the risk was assessed, and how incident notification flows were established.
Part II: The Final Implementation of Cyber Rule Requirements
The second amendment to NYDFS’s cybersecurity regulation (“Second Amendment”) was adopted in November 2023 and initiated a multi‑year rollout of enhanced requirements. The final tranche of obligations took effect November 1, 2025, and focuses on Multi‑Factor Authentication (Section 500.12) and Asset Inventory (Section 500.13(a)).
A. Multi-Factor Authentication
Beginning November 1, 2025, a Covered Entity must use MFA for any individual accessing any information system of the Covered Entity. The regulation allows the Entity’s CISO to approve, in writing, equally secure alternative access controls, which must be reviewed annually. Limited exemptions apply for small businesses. NYDFS views MFA deficiencies as one of the most exploited cybersecurity gaps and continues to prioritize enforcement in this area. In recent years, a number of NYDFS enforcement actions have cited the violator’s failure to implement MFA (see Healthplex, Inc. and National Securities Corp.).
B. Asset Inventory
Covered Entities must implement written procedures for the creation and maintenance of an asset inventory of their information systems. Policies must define update frequency, validation methods, and the data points tracked for each asset (owner, location, classification, support expiration, and recovery time objective). NYDFS expects organizations to maintain this information centrally and ensure its accuracy, even where it duplicates records held elsewhere. A business cannot effectively protect the information in its possession without adequate knowledge of what it holds, where it resides, and why it exists.
Part III: Practical Checklist for Compliance
| Item | Recommended Action | Owner | Status |
|---|---|---|---|
| Inventory of all information systems | Ensure all hardware, software, cloud apps, and vendor systems are inventoried with classifications and owners. | IT/Cyber | |
| MFA coverage analysis | Identify and enforce MFA across all access paths, including vendor systems. | Access/IAM | |
| Vendor contract updates | Include MFA, encryption, data transfer, and termination provisions in vendor contracts. | Legal/Vendor Risk | |
| Vendor monitoring program | Reassess vendor security programs periodically and document results. | Vendor Risk | |
| Board reporting | Provide leadership updates on MFA status, asset inventory, and vendor risks. | Cyber Leadership | |
Conclusion
For institutions regulated by NYDFS, the convergence of enhanced third‑party service provider guidance and the final phase of control implementation marks a watershed in cybersecurity compliance. The expectations espoused in each should not reflect separate compliance tracks but rather an integrated program in which vendor risk coalesces with enterprise control governance. Boards and CISOs should ensure their organization’s cybersecurity program is well documented, operational, and auditable right now.