The guidance, announced Tuesday (Oct. 21) by the New York State Department of Financial Services (DFS), comes as organizations become increasingly dependent on such providers, and cyberattacks involving third-party entities continue to grow.
“While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk,” Kaitlin Asrow, acting superintendent of the NYDFS, said in a news release.
“To ensure the safe and secure operation of financial services and the protection of nonpublic information, entities must establish and maintain appropriate internal risk management controls when using third-party service providers.”
According to the release, the guidance does not impose new requirements or obligations on DFS-regulated entities but is designed to clarify requirements under DFS’s cybersecurity regulation and share best practices that entities should think about implementing.
As covered here last month, the number of attacks on major corporations’ third-party suppliers doubled in 2024, with cybersecurity experts predicting that the problem will only worsen.
Tim Erridge, vice president of Europe, the Middle East and Africa at Unit 42 at Palo Alto Networks, told the Financial Times cybercriminals are going after supply chains in search of a “weak link” in corporate security defenses.
“If you ‘breach’ a supplier and it’s got access into many, many top-end organizations that are consuming their services or connected into them, you’re getting a many-for-one return on investment,” he said.
And as PYMNTS wrote in May, the problem presents a simple equation for many organizations: More third-party integrations + more human error = more breach opportunity.
“In 2021, there were 400 data breach lawsuits filed,” Philip Yannella, co-chair of the privacy, security and data protection practice at Blank Rome and the author of “Cyber Litigation: Data Breach, Data Privacy & Digital Rights,” 2025 edition, said in an interview with PYMNTS. “Last year, there were over 2,000.”
In other NYDFS news, PYMNTS CEO Karen Webster spoke earlier this week with Adrienne Harris, the regulator’s outgoing superintendent.
Harris pointed out that Asrow “has been a big part of what we’ve built over the past four years,” giving stakeholders confidence that DFS’s digital finance leadership will continue.
That continuity is critical as the agency makes its way through a financial landscape transformed by the “Internet of money.” Harris added that stablecoins will be key to that transformation.
“Thinking about how we might make especially wholesale payments and treasury functions more efficient for businesses … could really be a game changer,” she told Webster.