On October 21, 2025, the New York Department of Financial Services (NYDFS) issued guidance to help licensees comply with its cybersecurity regulation. The non-exclusive checklists may be of interest to companies not licensed by NYDFS and even those not offering financial services, given NYDFS’ comment that the guidance is intended to “recommend industry best practices.” The guidance will also likely be of interest to vendors that serve the financial services community. NYDFS stated that the guidance “does not impose new requirements or obligations,” but nevertheless included some recommendations on topics not expressly required in the cybersecurity regulation.
Vendor due diligence
NYDFS stated that “Covered Entities should develop a tailored, risk-based plan to mitigate risks posed by each” vendor, pointing out that vendors that “provide IT managed services, outsourced help desk services, and insurance claims management services” typically have access to sensitive data.
NYDFS provided a non-exclusive list of considerations for licensees during the vendor identification, due diligence, and selection processes, including:
- Does the vendor implement access controls, including data segmentation and encryption, applied based on the sensitivity of the data?
- Are the vendor, its affiliates, and/or its vendors located in, or do they operate from, a country, territory, or jurisdiction “considered high-risk based on geopolitical, legal, socio-economic, operational, or other regulatory risks”?
- What are the vendor’s practices for selecting, monitoring, and contracting with downstream service providers (“fourth parties”)?
- Does the vendor employ unique, traceable accounts for personnel accessing the covered entity’s systems and data, and does it maintain audit trails?
- Does the vendor undergo external audits or independent assessments, or can it otherwise demonstrate compliance with an industry framework?
Licensees should have qualified personnel review the third-party service providers’ responses. NYDFS also acknowledged that licensees may face “constraints when selecting, contracting with, or transitioning away from a [vendor] due to limited vendor options, industry concentration, or legacy system dependencies.” In that instance, NYDFS recommended that the licensee document the risks, implement compensating controls, and assess the marketplace for alternatives.
Contracts
NYDFS also offered a non-exhaustive list of examples of baseline provisions for licensees’ vendor contracts, including two provisions not explicitly required by the cybersecurity regulation, so we highlight those:
- Data Location and Transfer Restrictions – require the vendor to (a) disclose where data may be stored, processed, or accessed; (b) obtain the licensee’s prior written approval for cross-border transfers (or prohibit such transfers altogether); and (c) comply with applicable data residency or localization laws. “Although this contractual provision is not explicitly required by the Cybersecurity Regulation, the Department recommends incorporating this provision in contracts because Covered Entities can more effectively analyze the risk to sensitive data, including NPI, when they understand where data is stored and processed.”
- Subcontractors – require the vendor to disclose any subcontractors with access to the licensee’s systems or nonpublic personal information, and require that the vendor give the licensee the ability to reject the use of certain subcontractors. “Although this practice is not required by the Cybersecurity Regulation, the Department recommends adoption of this practice so Covered Entities are better able to analyze the risk to sensitive data, including NPI.”
Other requirements described in the guidance include: access controls, compliance, cybersecurity event notification, data use and exit obligations, encryption, and remedies for breach.
NYDFS also briefly addressed artificial intelligence vendor agreements: “Where relevant, Covered Entities should consider including a clause related to the acceptable use of Artificial Intelligence (“AI”), and whether the Covered Entity’s data may be used to train AI models or be otherwise disclosed to additional parties.”
Ongoing monitoring
In contrast, NYDFS provided only brief guidance with respect to ongoing monitoring of vendors. Licensees must have policies and procedures regarding ongoing monitoring, and “must conduct periodic assessments based on the risk(s) a [vendor] presents and the continued adequacy of their cybersecurity practices.” NYDFS provided examples of items that can be considered in assessments: “security attestations (e.g., SOC2, ISO 27001), penetration testing summaries, policy updates, evidence of security awareness training, and compliance audits.” NYDFS also cautioned that licensees “should request updates on vulnerability management, assess patching practices, and confirm remediation of previously identified deficiencies.” The Department also reminded licensees to “incorporate third-party risk into their incident response and business continuity planning” and to assess how rapidly they could change vendors if necessary.
Our Take
Companies subject to NYDFS jurisdiction should be updating their policies, procedures, vendor due diligence practices, and vendor contracts so that they can certify their compliance with the cybersecurity regulation by the April 15, 2026 deadline. Moreover, the NYDFS guidance serves as another resource for all organizations to help them bolster and update their Third Party Risk Management (TPRM) programs with respect to cybersecurity.