New York State Department of Financial Services (DFS) Acting Superintendent Kaitlin Asrow today issued new cybersecurity guidance addressing the risks associated with entities becoming increasingly reliant on third-party service providers (TPSPs). The guidance builds on the Department’s ongoing work to protect New Yorkers and DFS-regulated entities from cybersecurity risks through its nation-leading cybersecurity regulation. 

“While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk,” said Acting Superintendent Kaitlin Asrow. “To ensure the safe and secure operation of financial services and the protection of nonpublic information, entities must establish and maintain appropriate internal risk management controls when using third-party service providers.” 

This guidance does not impose new requirements or obligations on DFS-regulated entities. Rather, the guidance is intended to clarify regulatory requirements under DFS’s cybersecurity regulation and share best practices that entities should consider implementing.  

A copy of the guidance can be found on the Department's website. Additional cybersecurity resources can be found on the Department’s Cybersecurity Resource Center.