The New York State Department of Financial Services (NYDFS) recently released new guidance. This letter clarifies how regulated financial institutions should assess and manage the cybersecurity risks that they’re exposed to through vendors and service providers. NYDFS directs Covered Entities under 23 NYCRR Part 500 to evaluate vendors’ cybersecurity controls and notes that organizations should consider whether a third-party service provider:
“Undergoes external audits or independent assessments (e.g., ISO/IEC 27000 series, HITRUST) or can otherwise demonstrate, in writing, compliance with Part 500.”
— NYDFS Industry Letter, Oct 21 2025
For over a decade, HITRUST has defined the benchmark for information security assurance in healthcare. The HITRUST CSF set the standard for a comprehensive and certifiable framework. NYDFS’s recognition builds on a growing pattern across U.S. regulators and critical infrastructure sectors: the shift from informal vendor surveys to formal, certifiable assurance mechanisms. HITRUST is leading that evolution.
The message from DFS is clear: the security of your institution is only as strong as the security of your vendors. HITRUST enables organizations to
Financial institutions are adopting HITRUST not because they have to, but because it’s the most efficient, defensible, and regulator-respected way to prove cybersecurity due diligence in complex vendor ecosystems.
The guidance emphasizes that regulated organizations remain accountable for the cybersecurity risks introduced by their third-party providers.
The bottom line? You can outsource operations, but you can’t outsource accountability.
We believe the most effective way to meet the NYDFS expectations is to require validated, independently verified assurance from vendors. That’s where HITRUST delivers unmatched value. HITRUST-certified environments experience a 0.59% breach rate, proving measurable security and assurance.
HITRUST enables organizations to confirm that their vendors have implemented the appropriate controls to protect data and manage risk. Rather than conducting endless proprietary questionnaires or relying on self-attested reports, organizations can leverage HITRUST as proof that the third-party service provider has implemented security controls. NYDFS is clear that HITRUST is a strong way to get that assurance.
What regulators are now calling for — verified third-party assurance, ongoing oversight, and documented accountability — has been the foundation of the HITRUST model for years.
That’s why leading organizations across healthcare, finance, and technology rely on HITRUST not only to manage vendor risk but also to enforce trust and confidence while doing business.