New DFS Cybersecurity Guidance Explained

Abstract: What the new DFS third-party service provider (TPSP) letter means and how your agency may respond

The New York State Department of Financial Services (DFS) issued new cybersecurity guidance for regulated entities, including insurance agencies, focused on third-party service provider (TPSP) oversight under the state’s financial services cybersecurity regulation.

The update doesn’t add new requirements but clarifies how agencies may want to manage vendors with access to nonpublic information.

What DFS Section 500.11 Requires

Insurance agencies and other covered entities must maintain written TPSP cybersecurity policies and procedures that address:

  • Identifying your third-party service providers
  • Setting minimum cybersecurity standards
  • Performing due diligence on vendor security
  • Periodically reassessing each TPSP’s controls

These steps are part of the DFS Cybersecurity Regulation (23 NYCRR Part 500), the compliance framework for banking, financial services, and insurance entities licensed or chartered in New York.

What’s in the DFS TPSP Guidance Letter

DFS’s recent industry letter targets executives and information security officers across the financial sector, from insurance carriers to credit unions and virtual currency firms.

It’s detailed and technical, and it assumes the reader has a full cybersecurity team. The department notes the letter is not a new rule but a clarification and best-practice guide.

What’s Realistic for Small Insurance Agencies

Not everything in the DFS letter fits small or mid-sized agencies. DFS itself says, “This is not an exhaustive list of contractual provisions … nor is this list viable or appropriate in all situations.” For most independent agencies, focus on practical steps like:

  • Requiring multifactor authentication (MFA) for any vendor access to your systems and nonpublic information
  • Requiring encryption of nonpublic information both in transit and at rest
  • Requiring vendors to notify you promptly of any cybersecurity event that affects your data

Do what your agency can afford both in terms of dollars and time.

Action Steps for Agencies

  1. Use the DFS cybersecurity program template (pages 6 & 15), also available at biginy.org/cyber.
  2. Take advantage of Big I New York resources (see biginy.org/cyber).
  3. Document your process. Even simple steps show good-faith compliance.

Why It Matters for New York Agencies

Your client and policyholder data is a critical asset. Every third-party vendor, from your agency management system provider to your information technology consultant, may have access to it. That’s what Section 500.11 is designed to protect. And it’s not just New York: as of August 2025, 28 other states have similar insurance data security laws.

Key Takeaways

  • Take TPSP security seriously.
  • Prioritize safeguards your agency can reasonably afford.
  • Document your efforts. It shows compliance readiness.
  • Review vendor cybersecurity practices regularly.

Cybersecurity = loss control. Treat it like any other type of risk mitigation in a way that is consistent, proportional, and affordable.

About the Author

Tim Dodge
Assistant Vice President of Research & Education, Big I New York

Tim Dodge helps independent insurance agencies navigate compliance, regulation, and emerging risks. Big I NY advocates for New York’s independent agents and provides education, tools, and resources to help members thrive.

For more cybersecurity guidance, visit www.biginy.org/cyber.

Category: Ask Tim; Cyber
Published: 10/23/2025 4:20 PM
Author: Tim Dodge
