Cloud Outage Sparks Urgent Regulatory Action on Vendor Cybersecurity Oversight
The recent outage of Amazon Web Services (AWS) in its US-EAST-1 region disrupted companies, governments, and individuals around the world, once again highlighting the systemic risk of heavy reliance on a handful of third-party cloud providers. A technical error inside AWS rippled through the digital infrastructure of thousands of organizations that had no control over, and often no visibility into, the failure, demonstrating how dependent the modern digital world has become on a small number of providers. Although this incident involved cloud service providers, the lessons extend to every third-party service provider (TPSP). It underscores the need for organizations of all sizes, in all industries, to improve their cyber resilience by strengthening third-party risk management. Proactively managing third-party risk is a critical component of any comprehensive cybersecurity program because every vendor you connect to expands your “attack surface”: each integration, credential, and data flow shared with a TPSP is an additional path a malicious actor could use to reach your systems and data.
Shortly after the AWS disruption, on October 21, 2025, the New York State Department of Financial Services (NYS DFS) issued guidance (the “Guidance”) to the executives and information security personnel of all entities regulated by NYS DFS. The Guidance clarifies the TPSP requirements under the department’s Cybersecurity Regulation (23 NYCRR Part 500) and outlines best practices for third-party risk mitigation and management. The key areas of focus outlined in the Guidance are:
1. Identification, Due Diligence, and Selection
- Assess TPSPs’ cybersecurity posture before engagement.
- Classify TPSPs by risk level and evaluate controls, data handling, and certifications.
- Use tools like questionnaires and interviews to validate claims.
2. Contracting
- Include access controls, encryption, breach notification, and compliance clauses.
- Address data location, subcontractor use, Artificial Intelligence usage, and exit obligations.
3. Ongoing Monitoring and Oversight
- Periodically reassess TPSPs and monitor cybersecurity practices.
- Integrate TPSP risk into incident response and business continuity planning.
4. Termination
- Revoke access, ensure secure data return or destruction, and conduct final risk reviews.
In addition to the risk mitigation and management steps in the Guidance, organizations should also be thinking about cyber insurance. While a robust third-party risk management strategy aims to prevent incidents, cyber insurance helps to mitigate financial losses when a TPSP-related cyber event does occur. Most cyber insurance policies contain dependent business interruption coverage, also known as contingent business interruption, which protects against financial losses from disruptions at third-party vendors, suppliers, or customers. Unfortunately, the scope of this coverage varies greatly from policy to policy: some policies respond only to a security breach at the vendor and not to a non-malicious outage like the AWS incident, many require the disruption to exceed a waiting period before coverage attaches, and the coverage is frequently subject to a sublimit well below the policy’s overall limit. Organizations should work with an experienced insurance broker or attorney to review their cyber policy so they are clear on which types of events would trigger coverage and what limits are available.
Remember, third-party cyber risk is your risk. Having a proactive and deliberate approach to managing third-party cyber risk is essential to protecting sensitive data, maintaining operational resilience, and safeguarding your organization’s reputation.