{"id":8105,"date":"2025-10-23T11:50:24","date_gmt":"2025-10-23T16:50:24","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86477"},"modified":"2025-10-23T11:50:24","modified_gmt":"2025-10-23T16:50:24","slug":"new-york-updates-third-party-risk-guidance-adds-ai-provisions","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/23\/new-york-updates-third-party-risk-guidance-adds-ai-provisions\/","title":{"rendered":"New York updates third-party risk guidance, adds AI provisions"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>New York updates third-party risk guidance, adds AI provisions | CyberScoop<\/title> <meta name=\"description\" content=\"The New York Department of Financial Services published updates this week to longstanding industry guidance that urges financial services companies to closely watch their third-party providers.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/new-york-third-party-risk-guidance-ai-update-financial-services\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"New York updates third-party risk guidance, adds AI provisions\"> <meta property=\"og:description\" content=\"The New York Department of Financial Services published updates this week to longstanding industry guidance that urges financial services companies to closely watch their third-party providers.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/new-york-third-party-risk-guidance-ai-update-financial-services\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta 
property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-10-23T16:50:24+00:00\"> <meta property=\"article:modified_time\" content=\"2025-10-23T16:50:27+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg\"> <meta property=\"og:image:width\" content=\"6000\"> <meta property=\"og:image:height\" content=\"4000\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1759256725g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1761070183g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86477\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86477\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnew-york-third-party-risk-guidance-ai-update-financial-services%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnew-york-third-party-risk-guidance-ai-update-financial-services%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86477 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/new-york-third-party-risk-guidance-ai-update-financial-services\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div 
class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.809744779582\">\n<div class=\"single-article__header-content\" readability=\"35.310096153846\">\n<p> The New York Department of Financial Services has clarified rules for financial institutions, highlighting AI oversight and lessons from recent cloud outages. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86477\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg 6000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg?resize=1013,675 1013w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"28.991134209722\"><body readability=\"58.685217391304\"><\/p>\n<p>The New York Department of Financial Services published updates this week to longstanding industry guidance that urges financial services companies to closely watch their third-party providers.<\/p>\n<p>While <a href=\"https:\/\/www.dfs.ny.gov\/industry-guidance\/industry-letters\/il20251021-guidance-managing-risks-third-party\">the guidance\u2019s updates<\/a> are numerous, they are, according to the state, mostly intended to provide clarity as the technology landscape shifts. A department <a href=\"https:\/\/www.dfs.ny.gov\/reports_and_publications\/press_releases\/pr20251021?ref=metacurity.com\">press release<\/a> notes that the guidance \u201cdoes not impose new requirements or obligations,\u201d but Bob Maley, chief information security officer at the cyber risk firm Black Kite, said there are some clauses, like those about AI, that are worth noting, particularly after this week\u2019s <a href=\"https:\/\/www.wired.com\/story\/aws-cloud-outage-long-tail\/\">Amazon Web Services outage<\/a> illustrated the outsized role a single service provider can have on internet health.<\/p>\n<p>The clarified rules apply to banking, insurance and financial services companies transacting with people in New York. The rules, called Part 500 of the state\u2019s cybersecurity regulations, were created in 2017 to protect the financial services industry from the growing tide of data breaches that were compromising the personal information of the state\u2019s residents. 
The rules include reporting requirements, the use of two-factor authentication and data-retention requirements.<\/p>\n<p>Maley, who headed PayPal\u2019s global third-party security division in the early days of New York\u2019s third-party service provider rules, said the new additions of AI were likely deemed necessary because of the technology\u2019s ubiquity. He noted that such regulations are deliberately written in a broad way so that they don\u2019t become outdated too quickly or become overly restrictive.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThis is kind of like walking the edge of a sword,\u201d Maley said. \u201cThey\u2019ve added language about AI and AI use and they\u2019re recommending clauses to put into contracts around how your vendors are training their models and how AI should be treated at third parties.\u201d<\/p>\n<p>Maley said the AI guidance is \u201can amazing thing\u201d but also potentially problematic for service providers. He anticipated that some companies, unsure of how to restrict their vendors, will take a \u201cshotgun approach.\u201d He recalled seeing one contract prohibiting a vendor from making a single change to its AI models without customer authorization, potentially hampering agility.<\/p>\n<p>Maley said he also liked the clauses encouraging heads of business to be apprised of potential risks of third-party providers. Business leaders need to be aware of the technology landscape more so than in years past, he said.<\/p>\n<p>New York\u2019s rules have undergone many revisions. Maley said that some versions of the rules haven\u2019t always made sense, but that that\u2019s what revisions are for.<\/p>\n<p>\u201cOriginally in the act they said it\u2019s important that you continuously monitor your third parties or you get an annual penetration test,\u201d he said. 
\u201cThose two are extremely different concepts.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.9645569620253\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/new-york-updates-third-party-risk-guidance-adds-ai-provisions-1.jpg?w=640&#038;ssl=1\" alt=\"Colin Wood\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Colin Wood<\/h4>\n<p> Colin Wood is the managing editor of StateScoop and EdScoop. He&#8217;s reported on government information technology policy for the past decade, on topics including cybersecurity, IT management and governance, health care, public safety and criminal justice reform. He lives in the Sacramento area with his family. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- 
.popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/new-york-third-party-risk-guidance-ai-update-financial-services\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New York updates third-party risk guidance, adds AI provisions 
|<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,679,5285,824,5286],"tags":[86,680,5287,828,5288],"class_list":["post-8105","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-financial","category-new-york-dfs","category-third-party-risk","category-third-party-vendors","tag-cybersecurity","tag-financial","tag-new-york-dfs","tag-third-party-risk","tag-third-party-vendors"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/financial\/\" rel=\"category tag\">Financial<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/new-york-dfs\/\" rel=\"category tag\">New York DFS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/third-party-risk\/\" rel=\"category tag\">Third-Party Risk<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/third-party-vendors\/\" rel=\"category tag\">third-party vendors<\/a>","tag_info":"third-party 
vendors","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8105"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8105\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}