• |

Dec. 10, 2025

Guidance From NYDFS in Industry Letter Stressing Vendor Risk Management and Oversight

  • Vincent Pitaro
    Cybersecurity Law Report
Detailing best practices related to managing third-party service provider risk, the New York State Department of Financial Services (NYDFS) issued guidance in the form of an industry letter at the end of October 2025 (Guidance). Entities subject to NYDFS’s groundbreaking cybersecurity regulation must employ a “proactive, risk-based, and continuously adaptive approach to third-party governance,” according to the Guidance. This article parses the Guidance, with insights from Norton Rose Fulbright partner David Kessler and Clifford Chance partner Celeste Koeleveld, who formerly served as Deputy Superintendent and Special Counsel at the NYDFS. See our two-part series “Amendment to NYDFS Cyber Regulation Brings New Mandates”: Governance Provisions (Dec. 13, 2023), and First Compliance Steps (Jan. 3, 2024).

To read the full article

Continue reading your article with a CSLR subscription.

Most-Read Articles

Women to Watch: Contributions, Achievements and Observations of Outstanding Female Professionals

To mark International Women’s Day, women editors and reporters at ION Analytics interviewed outstanding women in the industries and jurisdictions we cover. In this part, Law Report Group editors Jill Abitbol, Robin L. Barton and Megan Zwiebel profile notable women in data privacy, cybersecurity, private funds and anti-corruption law, including Anne-Gabrielle Haie, Jessica Lee, Micaela McMurrough, Laura Perkins, Amanda Raad, Madelyn Calabrese, Ranah Esmaili and Genna Garver. Enjoy reading their inspiring remarks here.

Celebrating Data Privacy Day 2025

Read the full brief here.

Cybersecurity Awareness Month

Read the full brief here.