N.Y.: DFS issues warning to agents about third-party cyber security risks

October 22, 2025

What happens when your cloud provider goes down?

If you were caught in the recent AWS outage, you already know the answer: websites crash, backend systems freeze, and clients are left wondering what’s going on.

For insurance agencies, these disruptions aren’t just inconvenient—they’re a wake-up call. That’s why the New York State Department of Financial Services just issued new guidance on managing cyber security risks tied to third-party service providers.

Why this matters to producers

Increasingly, insurance agencies rely on vendors for everything from cloud computing and file transfers to artificial intelligence and fintech tools, but with that reliance comes risk. If a vendor suffers from a cyber security incident, your agency could be exposed—operationally, financially and legally. In its recent bulletin, the DFS clarified that insurance agents must take a proactive, risk-based approach to managing third-party relationships.

What’s in the bulletin

It’s important to note that the DFS guidance doesn’t introduce new rules, but it does clarify what regulators expect. Agents must:

  • assess vendor risk before engagement, including cyber security history, access levels and data handling practices;
  • classify vendors based on risk profile—especially those with privileged access to systems or sensitive data;
  • use due-diligence tools like questionnaires to evaluate vendor controls, incident response plans and audit history;
  • maintain oversight throughout the vendor relationship, from onboarding to termination; and
  • ensure senior leadership is involved in cyber security decisions and can challenge management when needed.

The DFS has flagged a troubling trend: some agents are outsourcing critical cyber security compliance to vendors without proper oversight. That’s a problem. Regulators will hold agencies accountable if their vendors drop the ball.

Contracting matters

The DFS recommends agents include specific cyber security provisions in vendor contracts. These include:

  • access controls and multifactor authentication;
  • encryption of sensitive data in transit and at rest;
  • immediate notification of cyber security events;
  • clear data location and transfer restrictions;
  • disclosure and approval of subcontractors; and
  • exit obligations like data deletion and certification.

Agents should also consider clauses covering the vendor's use of AI and remedies for breaches of the contract's cyber security terms.

Ongoing monitoring is essential

Vendor oversight doesn’t end after the contract is signed. Agents must periodically assess their vendors’ cyber security posture, request updates on vulnerability management and escalate unresolved risks. This includes integrating third-party risk into incident response and business continuity planning—like how to quickly switch vendors if one goes offline.

Termination isn’t just turning off access

When a vendor relationship ends, agents must revoke all access, ensure data is securely returned or destroyed and document the offboarding process. Final risk reviews and lessons learned should feed into future vendor decisions.

PIA has your back

Managing third-party risk isn’t easy—but PIA offers tools to help. Our Privacy Compliance Central includes dozens of resources to support your agency’s compliance with New York’s Cybersecurity Regulation (Part 500).

One standout tool is our Third-Party Service Provider Questionnaire, designed to help agents evaluate vendor cyber security practices and make informed decisions. In addition, if you have questions about cyber security requirements in contracts, PIA’s legal team is here to help.

Take action now

If your agency relies on vendors for IT, data storage or claims management, now’s the time to review those relationships. Use PIA’s resources to assess risk, document oversight and strengthen your cyber security posture. Don’t wait for the next outage to find out where your vulnerabilities are.

Bradford J. Lachut, Esq.

Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs at the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.
