The New York State Department of Financial Services has introduced rigorous, ongoing third-party risk management requirements, reflecting a global shift towards continuous oversight in financial sector cybersecurity to prevent escalating vendor-related breaches.
The New York State Department of Financial Services has signalled a decisive shift in how banks and other regulated firms must manage vendor and supply-chain cyber risk. In an industry letter issued on 21 Octobe...
Continue Reading This Article
Enjoy this article as well as all of our content, including reports, news, tips and more.
By registering or signing into your SRM Today account, you agree to SRM Today's Terms of Use and consent to the processing of your personal information as described in our Privacy Policy.
r 2025, the NYDFS made clear that third-party service provider risk management must sit at the heart of every entity’s cybersecurity programme,and that regulated firms remain ultimately accountable for third-party cybersecurity outcomes rather than able to delegate compliance to vendors or affiliates. According to PwC, the letter sets out expectations across the entire third‑party lifecycle,including due diligence, contract negotiation, continuous monitoring and clear termination procedures.
The guidance is not an isolated nudge but part of a growing global realignment. Regulators from the European Union to Singapore are converging on the same premise:resilience requires continuous oversight and board‑level accountability. The EU’s Digital Operational Resilience Act demands ongoing third‑party supervision and detailed reporting; the UK’s operational resilience regime forces firms to map critical services,set disruption tolerances and test recovery capabilities;the Monetary Authority of Singapore’s 2024 update restated board responsibility for outsourcing;and the Basel Committee’s draft principles explicitly warn that boards cannot delegate accountability for technology outsourcing. Industry observers say this alignment reframes operational resilience as a measurable institution‑level asset akin to capital ratios.
The regulatory momentum follows hard lessons from the threat landscape. Verizon’s 2025 Data Breach Investigations Report, which analysed more than 22,000 incidents including over 12,000 confirmed breaches, found third‑party involvement in breaches doubled to 30% year on year and that exploitation of vulnerabilities grew by 34%. The report also highlights regional surges in system intrusions and malware;for example,Verizon’s EMEA and APAC analyses show large increases in intrusion‑driven breaches and ransomware activity,underscoring how vendor compromise can cascade across geographies and sectors. The DBIR further notes only around half of perimeter device vulnerabilities were fully remediated and that 15% of employees routinely used generative AI on corporate devices,adding new vectors for data exposure.
Those figures illuminate why the NYDFS emphasises “seeing into” third‑ and fourth‑party dependencies. Modern financial services are woven from cloud platforms,fintech APIs,open‑source components and AI services whose interconnections are often opaque. Diversifying across vendors can give a false sense of safety when many suppliers rely on the same underlying sub‑service providers;concentration risk and shared dependencies can transmit failure widely even when only a single provider is attacked. The 2025 NPM “Shai‑Hulud” campaign,which exploited transitive dependencies in widely used open‑source packages,illustrates how a fault deep in a shared component can ripple through the sector.
Operationalising the NYDFS expectations will be difficult. Research cited in the lead account shows many firms are understaffed and under‑automated:most have only a handful of people dedicated to vendor risk despite managing hundreds of suppliers,and few apply continuous telemetry,shared intelligence or dynamic governance. Regulators are therefore signalling that periodic checklists and annual reviews are insufficient;supervision itself is migrating toward near‑real‑time oversight and firms will be judged on their ability to trace and withstand digital shocks.
For boards and senior management this requires reframing third‑party oversight from a compliance cost to a strategic capability. Practical steps include mapping critical suppliers and downstream dependencies,contractually securing rights to audit and telemetry,deploying continuous monitoring and threat intelligence,testing recovery playbooks under adverse scenarios,and ensuring escalation paths reach board level. According to PwC,contracts and lifecycle processes must explicitly assign responsibilities for patching,incident notification and resilience testing so that accountability is not ambiguous in a crisis.
The stakes are regulatory,financial and reputational. Firms that fail to adapt risk fines,slower growth and loss of trust;those that adopt continuous visibility and treat resilience as a core competency stand to preserve continuity and move faster in the market. Clarence Chio, CEO of Coverbase, encapsulated the new posture:vendor oversight must become “an ongoing discipline that is rooted in transparency, collaboration, and adaptive governance”.
Source: Noah Wire Services
