
NYDFS outlines risks and trends with third-party service providers

October 24, 2025

On October 21, NYDFS issued an industry letter emphasizing several risks entities face when relying on third-party service providers. NYDFS warned that such reliance introduces the risk of cybersecurity incidents at those third parties, which may affect sensitive data. NYDFS advocated for entities to perform more robust due diligence, draft stronger contractual provisions, and conduct enhanced oversight to reduce that risk. The letter also observed a trend of entities outsourcing critical cybersecurity compliance obligations to third-party service providers without ensuring proper oversight and verification.

NYDFS outlined a non-exhaustive list of considerations for entities when performing due diligence on third-party service providers. These considerations include assessing the type and extent of access to information systems and nonpublic information, evaluating the provider’s industry reputation and cybersecurity history, and determining whether the provider has implemented a strong cybersecurity program that meets the requirements of the state’s Cybersecurity Regulation (Part 500). The guidance also recommended several baseline contractual provisions, such as requirements for access controls, data encryption, timely notification of cybersecurity events, and data location and transfer restrictions. Of note, NYDFS advised entities to include clauses related to the acceptable use of AI, including specifying whether their data may be used to train AI models or be disclosed to additional parties.