NYDFS Third-Party Risk Guidance Decoded

HelmGuard TPRM Team
Blog
December 16, 2025
A practical implementation guide for NYDFS-regulated entities navigating the October 2025 third-party service provider guidance under Part 500. Includes a lifecycle framework, section references, a self-assessment checklist, and how HelmGuard can help.

A Practical Implementation Guide for NYDFS-Regulated Entities • December 2025

Why This Matters Now

On October 21, 2025, NYDFS issued comprehensive guidance on managing third-party service provider (TPSP) risks under 23 NYCRR Part 500. While framed as "clarifying regulatory requirements," this guidance establishes explicit examination benchmarks and cites recent enforcement actions as precedent.

Key Enforcement Signal
"DFS has and will continue to consider the absence of appropriate TPSP risk management practices by Covered Entities in its examinations, investigations, and enforcement actions."

This isn't theoretical. DFS references enforcement actions against LifeMark Securities (2021) and OneMain Financial (2023) as evidence of its willingness to act on TPSP deficiencies. The guidance also explicitly states that Covered Entities cannot delegate compliance responsibility to vendors: your TPSP's SOC 2 report doesn't get you off the hook.

What's New in This Guidance

AI Governance Requirements: Contracts should address AI usage and whether your data can be used to train models. This is a notable addition to NYDFS's third-party risk expectations.
Fourth-Party Risk is Explicit: You must assess your vendors' subcontractors. "Downstream service providers" are now part of the examination scope.
Board Accountability Elevated: Senior Governing Bodies must provide "credible challenge" to management decisions. Passive oversight isn't sufficient.
Termination Requirements Detailed: Specific requirements for revoking SSO, OAuth tokens, API integrations, and certifying data destruction.
Concentration Risk: Guidance addresses vendor concentration as a constraint requiring documented risk decisions and compensating controls when limited vendor options exist.

The TPSP Risk Management Lifecycle

The October 2025 guidance structures TPSP oversight across four lifecycle phases. Each phase has specific requirements and examination touchpoints. Understanding this framework is essential for building an examination-ready program.

1. Identification & Due Diligence
  • Classify TPSPs based on risk profile (system access, data sensitivity, criticality)
  • Assess cybersecurity practices and controls before engagement
  • Evaluate reputation, financial stability, and geographic risk
  • Review external audits (SOC 2, ISO/IEC 27000 series, HITRUST) or framework compliance
  • Document fourth-party relationships and subcontractor practices
2. Contracting
  • Access controls and MFA requirements (§500.7, §500.12)
  • Data encryption in transit and at rest (§500.15)
  • Cybersecurity event notification provisions
  • Data location disclosure and transfer restrictions
  • Subcontractor disclosure and approval rights
  • AI usage limitations and training restrictions
  • Data deletion/migration obligations upon termination
3. Ongoing Monitoring & Oversight
  • Periodic risk-based assessments (§500.11(a)(4))
  • Review security attestations, penetration testing, compliance audits
  • Monitor vulnerability management and patching practices
  • Document and escalate material or unresolved risks
  • Incorporate third-party risk into incident response and BC planning
  • Test business continuity plans with critical TPSPs
4. Termination
  • Disable TPSP access to Information Systems (§500.7)
  • Revoke SSO, OAuth tokens, API integrations, external storage access
  • Obtain certification of NPI destruction or secure data return
  • Confirm deletion of snapshots, backups, and cached datasets
  • Address residual access points outside routine provisioning
  • Document offboarding and retain audit logs

Key Requirements: Part 500 Section Reference

The following table maps core NYDFS requirements to specific Part 500 sections. Use this as a reference when building or auditing your TPSP program documentation.

Requirement | Section | Practical Action
--- | --- | ---
Risk-based TPSP policies | §500.11(a) | Develop written policies for evaluating and classifying TPSPs by risk tier
Due diligence procedures | §500.11(b) | Document minimum cybersecurity standards and assessment procedures
Access control provisions | §500.11(b)(1) | Require MFA and access policies in contracts; unique traceable accounts
Encryption requirements | §500.11(b)(2) | Contractual obligation for encryption in transit and at rest
Incident notification | §500.11(b) | Define notification timelines and procedures in contracts per guidance requirements
Compliance representations | §500.11(b)(4) | Require written warranties of Part 500 compliance from TPSPs
Periodic reassessment | §500.11(a)(4) | Schedule risk-based assessments; document and escalate findings
Access termination | §500.7(a)(4) | Disable all TPSP access upon relationship termination
Policy approval | §500.3 | Annual Senior Officer or Board review and approval of policies
Board oversight | §500.4(d) | Senior Governing Body engagement with TPSP risk management

Important: Covered Entities may not delegate responsibility for compliance with Part 500 to an affiliate or TPSP. Your vendor's compliance certifications support but do not replace your own verification and oversight obligations.

Note: Certain requirements have exemptions for smaller entities under §500.19 based on personnel count, revenue, and assets. Consult the full regulation and October 2025 guidance for exemption criteria applicable to your organization.

TPSP Program Self-Assessment

Use this checklist to evaluate your current TPSP program against the October 2025 guidance. For each item, assess whether your program fully addresses the requirement, partially addresses it, or has a gap that needs remediation.

Key: items are Part 500 Requirements unless tagged in brackets as an NYDFS Recommendation (not explicitly required).
Policies & Governance
  • Written TPSP risk management policies exist and are approved annually by Senior Officer or Board
  • Policies include risk-based classification criteria for TPSPs (tiering methodology)
  • Senior Governing Body receives regular reporting on TPSP risk and provides documented "credible challenge"
  • Policies explicitly address AI vendors and requirements for AI usage limitations in contracts [Recommended where relevant]
Due Diligence & Selection
  • Documented procedures for assessing TPSP cybersecurity practices before engagement
  • Due diligence includes review of access controls, encryption, incident response, and BC/DR capabilities
  • Assessment of TPSP geographic/jurisdictional risks and data location practices
  • Review of fourth-party relationships and subcontractor management practices
  • Verification of external audits, certifications, or framework compliance (SOC 2, ISO/IEC 27000 series, HITRUST, or NIST CSF)
Contracting
  • Standard contract provisions address access controls and MFA requirements
  • Encryption requirements (transit and at rest) included in TPSP agreements
  • Cybersecurity event notification timelines and procedures specified in contracts
  • Data location disclosure and cross-border transfer restrictions addressed [Recommended, not explicitly required by Part 500]
  • Subcontractor disclosure and approval rights included [Recommended, not explicitly required by Part 500]
  • AI usage and training data limitations addressed for relevant vendors [Recommended where relevant]
  • Data return, deletion, and destruction obligations upon termination specified
Ongoing Monitoring
  • Risk-based schedule for periodic TPSP reassessments is documented and followed
  • Process exists for reviewing security attestations, pen test results, and compliance audits
  • Vulnerability management and patching practices are monitored for critical TPSPs
  • Material risks are documented and escalated through governance channels
  • Third-party risk is incorporated into incident response and business continuity plans
Termination
  • Documented offboarding procedures for TPSP relationship termination
  • Process for revoking all access (system accounts, SSO, OAuth, API, storage) upon termination
  • Procedures for obtaining certification of NPI destruction or secure data return
  • Audit logs retained to support verification of completed offboarding
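The termination phase of the lifecycle and the Termination checklist above both reduce to the same verification: every access grant is revoked, every data copy (including snapshots, backups and caches) is destroyed and certified, anything provisioned outside the routine path is flagged, and an audit record is retained. The following Python check is an added example of that verification, not code from NYDFS or HelmGuard; the item categories, field names and the "examplevendor" inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Access and data-copy categories named in the termination checklist.
# Category labels and field names are assumptions made for this example.
ACCESS_KINDS = {"sso_app", "oauth_grant", "api_key", "service_account", "storage_share"}
DATA_KINDS = {"primary_dataset", "snapshot", "backup", "cache"}

@dataclass
class OffboardingItem:
    kind: str                         # one of ACCESS_KINDS or DATA_KINDS
    identifier: str                   # client id, key id, bucket name, etc.
    revoked: bool = False             # access disabled / data destroyed
    certified: bool = False           # vendor destruction certificate on file (DATA_KINDS)
    provisioned_via: str = "standard" # "standard" or "ad-hoc" (outside routine provisioning)

def verify_offboarding(vendor, items, now=None):
    """Return (residual_findings, audit_log_lines) for one TPSP termination.

    A finding is any access still live, any data copy not both destroyed and
    certified, or any ad-hoc grant, which the guidance calls out as a residual
    access point outside routine provisioning and which warrants a manual sweep."""
    now = now or datetime.now(timezone.utc)
    findings, log = [], []
    for it in items:
        if it.kind in ACCESS_KINDS and not it.revoked:
            findings.append(f"{it.kind}:{it.identifier} still active")
        if it.kind in DATA_KINDS and not (it.revoked and it.certified):
            findings.append(f"{it.kind}:{it.identifier} not destroyed and certified")
        if it.provisioned_via != "standard":
            findings.append(f"{it.kind}:{it.identifier} was ad-hoc; sweep for sibling grants")
        # One retained audit-log line per item, regardless of outcome.
        log.append(json.dumps({"ts": now.isoformat(), "vendor": vendor, "kind": it.kind,
                               "id": it.identifier, "revoked": it.revoked,
                               "certified": it.certified}))
    return findings, log

# Constructed inventory for a hypothetical vendor "examplevendor" (not real data).
SAMPLE = [
    OffboardingItem("sso_app", "sso-app-examplevendor", revoked=True),
    OffboardingItem("oauth_grant", "client-8f2a", revoked=False),
    OffboardingItem("api_key", "key-prod-17", revoked=True, provisioned_via="ad-hoc"),
    OffboardingItem("backup", "bucket/vendor-export/2025-09", revoked=True, certified=False),
    OffboardingItem("primary_dataset", "npi-extract-q3", revoked=True, certified=True),
]

if __name__ == "__main__":
    findings, log = verify_offboarding("examplevendor", SAMPLE)
    print("\n".join(findings) or "offboarding complete")
```

Only the empty-findings result should close the offboarding ticket; the log lines are what an examiner asks for when verifying that termination actually happened.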

Next Steps: Building an Examination-Ready Program

The October 2025 guidance creates clear expectations without a fixed compliance deadline, meaning any NYDFS-regulated entity could face examination scrutiny of its TPSP program at any time. The following prioritized actions will help you close gaps and build examination defensibility.

0-30 Days: Immediate Priorities
  • Gap Assessment: Use the self-assessment checklist to identify your highest-risk gaps. Focus first on areas where you have no current process or documentation.
  • Policy Review: Ensure your TPSP policies are current and scheduled for annual Board or Senior Officer approval. Update to address AI governance if not already included.
  • Vendor Inventory: Confirm you have a complete inventory of TPSPs with access to Information Systems or NPI. Classify by risk tier if not already done.
30-90 Days: Near-Term Actions
  • Contract Review: Audit existing TPSP contracts for required provisions (access controls, encryption, incident notification, termination obligations). Prioritize contracts up for renewal.
  • Fourth-Party Visibility: For critical TPSPs, request disclosure of material subcontractors and their security practices.
  • Monitoring Cadence: Establish or document your periodic reassessment schedule. Ensure it's risk-based—critical vendors should be assessed more frequently.
Ongoing Program Maturity
  • Board Reporting: Develop or enhance TPSP risk reporting to Senior Governing Bodies. Document the "credible challenge" process.
  • Termination Procedures: Build or strengthen offboarding checklists that address the specific technical requirements (SSO revocation, API termination, data destruction certification).
  • Concentration Risk Analysis: Map dependencies on critical vendors and cloud providers. Develop contingency strategies for high-concentration relationships.

Get a Free TPSP Assessment

We'll process your current vendor list and deliver risk scores, criticality classification, and gap analysis against NYDFS requirements—no commitment required.

Contact john@helmguard.ai
