Financial services companies operating in New York face renewed expectations for oversight of their third-party vendors, as state regulators move to strengthen cybersecurity defenses in a shifting technology landscape. Recent events, including a major Amazon Web Services outage, have exposed how exposed the industry remains through its reliance on external providers. The updated guidance imposes no new obligations; it responds to the growing risks posed by advances in artificial intelligence and by widespread data sharing across the industry.
Regulation of third-party risk in financial services has taken many forms over the years, but earlier iterations concentrated largely on baseline cybersecurity controls such as penetration testing and monitoring. Where earlier guidance gave broad direction or targeted specific risks, these updates address precise elements, notably vendors' use of artificial intelligence, which had not been clearly covered before. Drawing on lessons from recent incidents and on sector feedback, the updates clarify how firms should manage vendors' AI practices through contract terms, aiming for consistent standards without restricting technological innovation.
What Specific Changes Does the Guidance Include?
The policy updates include explicit language advising firms to set out in their contracts how third-party vendors will develop and use AI models. The change comes amid concerns that service providers operating with insufficient oversight could amplify risk for financial sector entities and their customers. Bob Maley, chief information security officer at Black Kite and a longtime participant in the sector's compliance evolution, noted,
“They’ve added language about AI and AI use and they’re recommending clauses to put into contracts around how your vendors are training their models and how AI should be treated at third parties.”
How Are Companies Responding?
Organizations are assessing how to interpret and apply the revised guidelines, with some reportedly implementing broad restrictions out of caution. At the same time, firms recognize the necessity for business leaders—not just IT teams—to remain informed about the risk landscape. Maley reflected on the challenges of achieving balance, stating,
“This is kind of like walking the edge of a sword.”
He emphasized that although ongoing monitoring of third parties and annual penetration tests might look similar on the surface, they involve distinctly different effort and different kinds of vigilance.
Will the Updates Keep Pace with Technology?
State authorities drafted the new AI provisions to be broad enough to avoid obsolescence yet detailed enough to signal clear expectations. By recommending contract language and requiring leadership awareness, regulators seek to ensure that new technologies are managed responsibly, however quickly they develop or are adopted by vendors. Industry observers say the changes provide a needed layer of direction, particularly as more vendors integrate AI into critical services that affect millions of consumers.
Organizations in financial services, especially those doing business in New York, now need to reflect these clarified expectations in their risk management practices. As regulation continues to evolve in response to both technological change and cyber incidents, firms will need robust processes for monitoring their external partners. Understanding the specifics of the guidance can help prevent operational disruption, maintain customer trust, and demonstrate that the organization is following current best practice. Regularly revisiting contracts and vendor management strategies will be essential, particularly where AI integration is expanding quickly. Firms should also expect further refinements as regulators and industry stakeholders learn from evolving threats.