NYDFS RELEASES PRELIMINARY GUIDANCE FOR WORKING WITH THIRD-PARTY SERVICE PROVIDERS
The New York State Department of Financial Services (“NYDFS”) has issued updated guidance on managing risks related to third-party service providers that companies may retain to provide services and that have access to nonpublic information as discussed in the New York Cybersecurity Regulation[1]. The guidance does not impose new requirements or obligations on companies regulated by the NYDFS, but it provides basic steps and information on other precautions and due diligence that such “Covered Entities” can follow when using a third-party service provider, or “TPSP”. The steps in the guidance are preliminary and non-exhaustive, and each Covered Entity should consider what is best for its unique situation.
Are you a Covered Entity?
You are a “Covered Entity” if you operate or are required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under
- the New York Banking Law,
- the New York Insurance Law, or
- the New York Financial Services Law.
For example, state chartered banks, mortgage brokers, and consumer credit reporting agencies reporting on New York consumers are Covered Entities.
What is a TPSP?
TPSP stands for third-party service provider. It is a person that is neither an affiliate of the Covered Entity nor a governmental entity, that provides services to the Covered Entity, and that maintains, processes, or otherwise is permitted to access nonpublic information, or “NPI”, through the provision of those services and access to the Covered Entity’s information systems.
What are the guidelines?
The guidance offers examples of some basic preliminary considerations a Covered Entity should make when working with a TPSP at the following stages:
- Identification, Due Diligence, and Selection: Covered Entities should consider how critical the service is to operations, the sensitivity of the data that will be accessed, and the type of access the TPSP would need to provide the service.
- Contracting: There should be provisions in any service agreement that conform to the requirements of the New York Cybersecurity Regulation, and the internal policies of the Covered Entity.
- Ongoing Monitoring and Oversight: Internal policies and procedures must include regular review of the TPSP and identification and mitigation of vulnerabilities.
- Termination: Service agreements with TPSPs should include provisions for how to revoke system access and continue safeguarding NPI through its return or destruction by the TPSP.
This guidance is a non-exhaustive, preliminary look at the types of considerations a Covered Entity should make when contracting with a TPSP. Further and additional considerations may be necessary.
We are happy to help answer any questions! Please reach out to your Woods Oviatt attorney or any member of our Financial Services industry group at the following link: https://www.woodsoviattgilman....
[1] N.Y. Comp. Codes R. & Regs. tit. 23, § 500.0-500.24.