Overview

On October 21, 2025, the New York State Department of Financial Services (NYDFS) released comprehensive guidance for registrants regarding management of cybersecurity risks associated with third-party service providers (TPSPs) including cloud computing, file transfer system, AI and fintech solutions.[1] As reliance on external vendors for critical technology services grows, so too do the cyber threats to operations and sensitive customer data. The guidance clarifies regulatory expectations, highlights best practices, and underscores the importance of robust third-party risk management throughout the entire vendor relationship lifecycle.  In summary, companies can outsource functions but will still retain responsibility for cybersecurity oversight.