    New York says banks are responsible for vendors’ cyber risk

    • Key insight: New NYDFS guidance reinforces that banks are “ultimately accountable” for cybersecurity risks from third-party vendors and cannot delegate compliance.
    • What’s at stake: Banks face enforcement actions, like those previously taken against OneMain and LifeMark, if their third-party risk management and oversight are found lacking.
    • Forward look: The guidance details specific actions banks must take, including assessing a vendor’s “fourth parties,” contingency plans and geopolitical risks.

    Overview bullets generated by AI with editorial review

    While the New York Department of Financial Services on Tuesday issued new cybersecurity guidance, the regulator’s position that banks, not their vendors, bear third-party risk has not changed.

    The NYDFS is not imposing “new requirements or obligations” on banks, per the guidance, but it clearly warns institutions that they “may not delegate responsibility for compliance” with the department’s cybersecurity regulation to third-party vendors.

    This focus on banks bearing third-party risks outlasts the recently ended tenure of Adrienne Harris, whose four-year term as the NYDFS superintendent ended on Saturday. Acting superintendent Kaitlin Asrow issued the Tuesday guidance.

    “While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk,” Asrow said in a press release about the guidance.

    In the guidance, NYDFS pointed to the enforcement actions it took against OneMain Financial Group in 2023 and LifeMark Securities in 2021 as examples of the department enforcing its third-party risk expectations, specifically noting the need for more robust due diligence, better contractual provisions and stronger monitoring and oversight.

    The guidance also arrives the day after a technical outage at Amazon Web Services took digital services offline across the internet, including at a handful of banks and credit unions.

    Although the AWS outage was not a cybersecurity incident, it highlighted the impact third parties have on banks’ resilience, echoing the disruption last year when cybersecurity company CrowdStrike issued a faulty update that grounded flights and temporarily took television broadcasters offline.

    NYDFS said in the guidance that reliance on third parties introduces the risk of cybersecurity incidents at the vendor, which can have a “significant impact” on a bank’s operations and information. Appropriately managing these risks remains a “crucial element” of any bank’s cybersecurity program, according to the Tuesday guidance.

    The guidance also emphasized that institutions cannot delegate responsibility for compliance with the department’s cybersecurity regulation to an affiliate or the vendor itself.

    NYDFS officials conduct examinations and investigations in which they review banks’ information security policies and procedures, including those addressing third-party risk.

    Based on these reviews, the department identified areas where banks should strengthen their third-party risk programs.

    The department said banks need more robust due diligence, contractual provisions, monitoring and oversight, and third-party risk management policies and procedures.

    The department noted a trend of some banks outsourcing critical cybersecurity compliance obligations to third parties without ensuring appropriate oversight and verification by the bank’s senior governing body or senior officers.

    NYDFS warned in its guidance that it considers the absence of appropriate third-party risk management practices in its enforcement actions.

    Financial regulators at the state level in New York and at the national level consistently place the burden of risk squarely on banks when they use third parties for digital services.

    In its action against OneMain, NYDFS said that a third-party vendor processing and managing online payments for the lender gave some customers unauthorized access to other customers’ private information because the vendor failed to purge old customer account numbers before assigning them to new customers.

    Separately, LifeMark failed to implement required third-party policies, an omission NYDFS concluded “made LifeMark vulnerable to threat actors.”

    Nationally, regulators have also maintained in 2025 that banks ultimately retain responsibility for managing and mitigating the risks posed by their third-party relationships.

    A July report from the Federal Reserve Board emphasized that the central bank “expects financial institutions to effectively manage risks associated with their third-party service providers.”

    The Financial Industry Regulatory Authority, a self-regulatory organization, also reaffirmed the principle of non-delegation in an annual report. The report, published in January, introduced the third-party risk landscape as a new topic area for 2025.

    The guidance describes steps banks should consider taking throughout the lifecycle of a third-party vendor relationship, covering due diligence, contracting, ongoing oversight, and termination.

    NYDFS instructed banks to develop a tailored, risk-based plan to mitigate risks posed by each third party. The department provided the following “non-exhaustive list of considerations” that banks should make when performing due diligence:

    • Access and controls: Evaluate the type and extent of access the third party requires to the bank’s information systems and private data. Determine the third party’s access controls, including whether it applies data segmentation and encryption based on data sensitivity.
    • Fourth parties: Check the third party’s practices for selecting, monitoring and contracting with downstream service providers, i.e. fourth parties.
    • History and stability: Assess the vendor’s reputation within the industry, including its cybersecurity history and financial stability.
    • Security program compliance: Confirm the vendor has implemented a strong cybersecurity program addressing, at a minimum, the cybersecurity practices and controls required by the NYDFS regulation. The vendor should demonstrate compliance by undergoing external audits or showing adherence to industry frameworks, such as the National Institute of Standards and Technology’s Cybersecurity Framework.
    • Contingency planning: Verify the third-party vendor maintains and regularly tests its incident response and business continuity plans.
    • Geopolitical risk: Check whether the third party, its affiliates, or downstream vendors operate from a jurisdiction considered high-risk due to geopolitical, legal or other regulatory risks.