Key Takeaways
- The New York Department of Financial Services (NYDFS) explicitly referenced HITRUST in its October 2025 Industry Letter on Managing Risks Related to Third-Party Service Providers, a signal of regulatory preference for HITRUST in financial services.
- While HITRUST has long been the gold standard in healthcare, this recognition underscores its growing influence as the trusted framework for managing supply chain and vendor risk across industries.
- For Covered Entities under 23 NYCRR Part 500, HITRUST offers a clear, regulator-recognized way to evaluate and demonstrate vendor cybersecurity assurance.
- Companies that value security demand HITRUST.
Guidance from NYDFS
The New York State Department of Financial Services (NYDFS) recently released new guidance. This letter clarifies how regulated financial institutions should assess and manage the cybersecurity risks that they’re exposed to through vendors and service providers. NYDFS directs Covered Entities under 23 NYCRR Part 500 to evaluate vendors’ cybersecurity controls and notes that organizations should consider whether a third-party service provider:
“Undergoes external audits or independent assessments (e.g., ISO/IEC 27000 series, HITRUST) or can otherwise demonstrate, in writing, compliance with Part 500.”
— NYDFS Industry Letter, Oct 21 2025
For over a decade, HITRUST has defined the benchmark for information security assurance in healthcare. The HITRUST CSF set the standard for a comprehensive and certifiable framework. NYDFS’s recognition builds on a growing pattern across U.S. regulators and critical infrastructure sectors: the shift from informal vendor surveys to formal, certifiable assurance mechanisms. HITRUST is leading that evolution.
Strengthening the financial services supply chain
The message from DFS is clear: the security of your institution is only as strong as the security of your vendors. HITRUST enables organizations to:
- Demand consistent, measurable assurances from their service providers.
- Reduce audit fatigue and duplicative assessments through standardized, reusable certifications.
- Demonstrate a mature, risk-based vendor management program to regulators and boards.
Financial institutions are adopting HITRUST not because they have to, but because it’s the most efficient, defensible, and regulator-respected way to prove cybersecurity due diligence in complex vendor ecosystems.
The guidance emphasizes that regulated organizations remain accountable for the cybersecurity risks introduced by their third-party providers.
The bottom line? You can outsource operations, but you can’t outsource accountability.
Why organizations should demand HITRUST to meet NYDFS expectations
We believe the most effective way to meet the NYDFS expectations is to require validated, independently verified assurance from vendors. That’s where HITRUST delivers unmatched value. HITRUST-certified environments experience a 0.59% breach rate, proving measurable security and assurance.
HITRUST enables organizations to confirm that their vendors have implemented the appropriate controls to protect data and manage risk. Rather than conducting endless proprietary questionnaires or relying on self-attested reports, organizations can leverage HITRUST as proof that the third-party service provider has implemented security controls. NYDFS is clear that HITRUST is a strong way to get that assurance.
How leading organizations turn regulation into resilience
What regulators are now calling for — verified third-party assurance, ongoing oversight, and documented accountability — has been the foundation of the HITRUST model for years.
That’s why leading organizations across healthcare, finance, and technology rely on HITRUST not only to manage vendor risk but also to enforce trust and confidence while doing business. Learn more.
HITRUST: Now a Preferred Standard for Third-Party Risk in Financial Services
In 2025, healthcare cybersecurity is no longer just about defending your own walls. It’s about hardening the entire network of partners, vendors, suppliers, and service providers on which your operations depend, as your vendors are under attack. Two recent reports make that clear: one from the American Hospital Association (AHA) and another from Comparitech.
How are cyber threats evolving in healthcare?
According to the AHA’s 2025 Cybersecurity Year in Review, healthcare continues to be a frequent target of data breaches and cyber incidents. As of early October, 364 hacking incidents had been reported to the U.S. Department of Health and Human Services’ Office for Civil Rights, affecting more than 33 million individuals.
The AHA report notes that while the forms of attack continue to evolve, from phishing and ransomware to exploitation of software vulnerabilities, many breaches persist because organizations still lack comprehensive, organization-wide frameworks for managing cybersecurity and third-party risk.
Meanwhile, Comparitech reports a troubling shift: ransomware attackers are increasingly focusing on vendors and third-party service providers rather than hospitals themselves. Attacks on healthcare businesses, including technology vendors, pharmaceutical firms, and billing providers, rose 51% — from 43 to 65 — over the past year.
Why does vendor and third-party exposure matter more than ever?
This evolution underscores a critical reality: even if your own systems are well defended, your extended ecosystem may be your greatest vulnerability.
A single vendor compromise can expose multiple downstream organizations that rely on that vendor’s systems or data. Attackers understand this dynamic. By breaching a third party with weaker defenses, they can gain entry to many targets at once — health systems, health plans, and business partners included.
Traditional approaches like securing internal systems and auditing a limited set of vendors are no longer enough. Effective cybersecurity now requires continuous oversight, consistent control standards, and validated assurance across the entire vendor network.
Table: Comparing internal vs. third-party cyber risk

| Aspect | Internal Systems | Third-Party Vendors |
| --- | --- | --- |
| Control | High | Varies by partner |
| Visibility | Direct | Often limited |
| Common Risks | Phishing, malware, system exploits | Supply chain attacks, vendor misconfigurations |
| Breach Impact | Isolated | Cascading across clients and partners |
| Mitigation Approach | Framework-driven controls | Continuous TPRM oversight and assurance |
Why is HITRUST TPRM the right strategic response?
If attackers are moving upstream, organizations must shift their defenses accordingly. A robust Third-Party Risk Management (TPRM) program, anchored in the HITRUST framework, enables organizations to manage and reduce cyber risk across their ecosystems.
Built-in assurance through a trusted framework
The HITRUST Framework provides a prescriptive and scalable set of controls that are widely recognized across healthcare, finance, and technology sectors. A HITRUST-aligned TPRM approach standardizes expectations for vendors and streamlines the process of assessing and verifying their security posture.
TPRM is about prevention, not reaction
TPRM is about prevention, ensuring vendors have strong controls in place before a breach occurs. Continuous monitoring, policy enforcement, and clear accountability transform risk management from a reactive compliance exercise into an active defense strategy.
A business differentiator
As regulators, partners, and customers demand more transparency about cyber risk, organizations that can prove their TPRM maturity have a competitive advantage. Demonstrating HITRUST alignment signals that your organization and its vendors meet the highest standards of security assurance.
What steps should you take now?
- Reassess your vendor portfolio to identify which partners have access to sensitive data or critical systems.
- Move from periodic vendor assessments to continuous, data-driven oversight.
- Align your TPRM program with a trusted approach, such as HITRUST, to enforce consistency and accountability.
- Elevate third-party risk to a board-level discussion. It is a business risk, not just an IT concern.
In today’s environment, cyber attackers don’t need to breach your defenses directly; they can simply compromise someone you depend on. As ransomware and breach campaigns increasingly target vendors, organizations must recognize that the security of their ecosystem is inseparable from their own.
The only sustainable path forward is to embed cybersecurity and third-party risk management into the organization’s DNA. With HITRUST as the foundation, that shift becomes measurable, repeatable, and trustworthy.
Why You Can’t Afford to Ignore Vendor Risk Management in 2025
California has officially enacted Senate Bill 53 (SB 53), the Transparency in Frontier Artificial Intelligence Act, marking a pivotal moment in U.S. technology regulation. Signed by Governor Gavin Newsom on September 29, SB 53 introduces the nation’s first comprehensive safety and transparency requirements for frontier AI developers — those building the most advanced and computationally intensive AI systems.
| California’s SB 53 Requirement | Applies To | Key Details | HITRUST Support |
| --- | --- | --- | --- |
| Public safety frameworks | Large AI developers | Publish AI safety frameworks | Governance and transparency guidance |
| Catastrophic risk assessments | Frontier AI developers | Disclose high-risk scenarios | Risk mitigation strategies |
| Incident reporting | All AI developers | Report incidents to OES | Aligns with 15-day / 24-hour reporting |
| Whistleblower protections | Employees | Protect employees raising concerns | Enables accountability |
| Civil penalties | Noncompliant developers | Fines up to $1M per violation | Certification reduces compliance risk |
What does SB 53 require?
California’s AI safety law, SB 53, focuses on transparency and risk mitigation rather than liability, distinguishing it from last year’s vetoed SB 1047. Key provisions include:
- Public safety frameworks: Large AI developers (annual revenue >$500M and training models at ≥10²⁶ FLOPs) must publish documented frameworks detailing how they incorporate national and international standards into their AI development processes.
- Catastrophic risk assessments: Companies must disclose assessments of risks that could lead to mass harm or $1B+ in damages, such as autonomous misuse or bioweapon development.
- Incident reporting: Critical safety incidents must be reported to California’s Office of Emergency Services (OES) within 15 days, and imminent threats within 24 hours.
- Whistleblower protections: Employees who raise safety concerns are shielded from retaliation, reinforcing accountability.
- Civil penalties: Noncompliance can result in fines up to $1 million per violation, enforceable by the state attorney general.
Why does this matter?
California’s move underscores a growing trend: state-level leadership in AI governance amid stalled federal action. SB 53 is widely viewed as a blueprint for future regulation, similar to how GDPR influenced global privacy standards. Analysts predict that transparency requirements will become a competitive differentiator, shaping procurement decisions and investor confidence.
How does HITRUST help with SB 53 compliance?
HITRUST is uniquely positioned to help organizations navigate SB 53’s requirements through its AI Security Assessment and Certification, which includes:
- 44 harmonized AI controls mapped to NIST, ISO, OWASP, and the HITRUST CSF.
- Catastrophic risk mitigation strategies addressing model poisoning, prompt injection, and supply chain threats.
- Incident response alignment with SB 53’s 15-day and 24-hour reporting windows.
- Governance and transparency support for publishing safety frameworks and enabling whistleblower protections.
- Independent assurance through HITRUST’s centralized QA and certification process.
“As California leads the way in AI governance, HITRUST offers a certifiable path to compliance that balances innovation with accountability,” said Jeremy Huval, Chief Innovation Officer at HITRUST.
Will other states follow California’s AI law?
SB 53 signals a new era of AI accountability. Whether other states follow suit or Congress steps in with a federal standard, organizations that prioritize risk management and transparency today will be better positioned for tomorrow’s regulatory landscape.
Learn more about HITRUST’s AI Security Certification and how we can help your organization meet SB 53 requirements.