The New York State Department of Financial Services (NYDFS) recently released guidance that could reshape how financial institutions manage vendor and supply-chain risk. The letter states that third-party service provider (TPSP) risk management should be a central component of every entity’s cybersecurity programme.
This sends a very important message: the days when banks and financial institutions could treat third-party oversight as a mere compliance exercise are over.

That’s because today’s financial institutions are built on fluid digital supply chains that span cloud, fintech, and AI services and create dynamic, interconnected, and opaque dependencies. With its new guidance, the NYDFS is telling the financial sector that cyber accountability can’t be outsourced. The responsibility for seeing into these dependencies and remaining resilient stays with the institution itself, even when the dependencies run through third- and fourth-party providers. This latter point is critical because the next systemic incident will likely not begin with a breach at a global bank, but with an unnoticed failure deep in a shared service provider that hundreds of firms rely on.

The new counterparty risk

Financial firms today know where their money sits. What they don’t always know is who is holding their data or which vendors are maintaining their software updates. Without these answers, they open themselves up to significant risks. The Verizon 2025 Data Breach Investigations Report (DBIR) found that third parties now account for 30% of breaches. That’s double the rate reported in 2024.

The financial sector is especially exposed. The DBIR reports that roughly 30% of breaches now stem from third parties, and their impact extends far beyond the vendors directly compromised. In 2024, 97% of major US banks were affected by a third- or fourth-party breach, even though only a handful of vendors were actually attacked.

This point is important because many institutions today assume that spreading workloads across multiple vendors reduces exposure. In reality, this diversification is largely an illusion: many vendors outsource to the same small group of sub-service providers operating under different brand names. This illusion of diversity creates concentration risk. Look no further than the 2025 NPM “Shai-Hulud” malware campaign, which exploited dependencies across hundreds of open-source packages used by financial software vendors. The result was a cascading risk that no single institution directly controlled but nearly all felt.

From compliance to continuous oversight

These factors are what’s driving the guidance from the NYDFS, and the NYDFS is not alone. Its guidance echoes a broader shift underway globally, with regulators demanding that resilience be monitored continuously, not just annually. Some examples include:

  • European Union: DORA (Digital Operational Resilience Act) requires continuous third-party oversight and detailed “register of information” submissions.
  • United Kingdom: The UK’s Operational Resilience regime requires financial firms to identify critical business services, set disruption limits, test and document their ability to recover from severe incidents, and ensure board-level accountability.
  • Singapore: The Monetary Authority of Singapore’s 2024 update to its Technology Risk Management guidelines reinforces board-level responsibility for outsourcing risk.
  • Global baseline: The Basel Committee’s proposed principles for technology outsourcing explicitly maintain that boards cannot delegate accountability for third-party relationships.

This worldwide alignment signals a philosophical shift in which resilience is becoming the new capital ratio and institutions are measured not only by their financial strength, but also by their ability to trace and withstand digital dependencies. Those who fail will face fines, diminished trust, and slower growth.

The case for continuous visibility

Traditional risk assessments—performed once a year or during vendor onboarding, using checklists and questionnaires—no longer capture the velocity of modern threats. Real resilience depends on continuous visibility: knowing in real time where data flows, which dependencies are active, and how changes in one system affect another.

This is by no means an easy undertaking. Institutions are already overwhelmed. Research from BlueVoyant and Ncontacts found that 73% of institutions have two or fewer full-time employees managing vendor risk, even though more than half oversee 300+ vendors. Add the fact that most are working without automation, shared intelligence, or stronger governance models, and the workload becomes impossible.

Shared accountability as strategy

Affected organisations should not view the NYDFS’s guidance as just another layer of compliance. It is better understood as a preview of how supervision itself is evolving, as regulators follow the markets by moving toward real-time oversight.

The financial sector’s extended web of dependencies means that cybersecurity is now a form of counterparty risk, and resilience is a measurable asset. Institutions that treat third-party oversight as a cost centre will lag behind those that view it as a vital capability, enabling them to preserve trust, ensure continuity, and facilitate faster growth.

A new mindset

The “outsourced risk” era is ending, and organisations must adopt a new mindset. Namely, vendor oversight must shift from a static, back-office process to an ongoing discipline that is rooted in transparency, collaboration, and adaptive governance. In this post-outsourced risk era, businesses must model, monitor, and manage every dependency as if it were their own. Those that do will not only meet regulatory expectations—they’ll define the new standard for financial resilience in a world where every connection is a potential counterparty.

Clarence Chio is CEO, Coverbase