Use Case

SplitSecure for NYDFS TPRM Regulations

When a financial institution grants a third party access to its systems or cryptographic material, it is, in effect, handing over control. If that access is misused or compromised, the New York Department of Financial Services (NYDFS) holds the financial institution accountable—not the vendor.

This is no longer a theoretical risk. A large share of serious cyber incidents trace back to third-party access that was over-privileged, left in place longer than needed, or poorly controlled.

In response, the NYDFS has issued updated guidance on Third-Party Risk Management (TPRM) under its Cybersecurity Regulation (23 NYCRR Part 500, whose Section 500.11 covers third-party service providers). The guidance makes it unequivocally clear that institutions are accountable for how third-party access is designed, enforced, and reviewed.

NYDFS Expectations: What Institutions Must Prove

NYDFS now expects institutions to demonstrate, using objective evidence, that third-party access meets four key criteria:

  • Limited to Necessity: Access is strictly limited to only what is required for the task.
  • Actively Monitored: Access activity is monitored continuously while it occurs, not only reviewed after the fact.
  • Promptly Revoked: Access is terminated immediately when no longer needed.
  • Technically Enforced: Controls are enforced through technical safeguards, not by relying on policies alone.

Institutions must be able to prove that their controls operate as intended, not merely assert that they exist.

SplitSecure: A Practical Way to Meet New Standards

SplitSecure provides a straightforward solution for financial institutions to manage third-party access risk without adding operational complexity or requiring specialized security staff. It is designed to be easily deployed as a control layer between the institution and its vendors. Vendors can perform their work while the institution retains complete control over how and when access occurs.

How SplitSecure Directly Supports NYDFS TPRM

The SplitSecure platform delivers enforceable safeguards that align with the regulator's focus on observable outcomes:

  • No Reusable Secrets: Third parties never receive credentials, keys, or reusable secrets. Access is temporary, tightly scoped, and controlled by the institution at all times.
  • Automatic Audit Logging: Access activity is recorded automatically as a fundamental part of the access process, creating a reliable, demonstrable record for examinations and internal review.
  • Consistent Enforcement: Whether access is granted manually or through automation, the same controls and rules are enforced consistently across the board.
  • Zero Third-Party Risk Added: SplitSecure never holds customer data or secrets and cannot access protected systems. All control remains with the institution.

The Flaw in Traditional Access Designs

Most organizations layer passwords, privileged access tools, and vaults to protect sensitive systems. The inherent problem is that each layer relies on another credential: the vault has a master or unseal key, the privileged access tool has a service account, and so on. No matter how many layers are added, there is always a final credential that unlocks the system. If that single credential is stolen or misused, all other controls are bypassed.

NYDFS is increasingly treating this as a design risk, not just an operational mistake.

How SplitSecure is Different: Eliminating the “Last Secret”

SplitSecure removes the need for a permanent "last secret." Instead of relying on a single credential, access requires participation from multiple authorized devices or parties.

  • The sensitive secret is never stored in one place.
  • It is never exposed to any single actor, including the vendor.
  • Actions can be approved and completed without any one person, device, or vendor ever possessing full control.
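The property described above, that a secret is split so that no single holder, including the vendor, learns anything from their own piece, is illustrated here with Shamir's secret sharing over a prime field. This is an added example written for this page, not SplitSecure's own code; the page does not state which splitting or threshold mechanism SplitSecure uses, and the 2-of-3 layout (one vendor share, two institutional approver shares), the field modulus and the sample key are assumptions of the example. One caveat a practitioner should keep in mind: plain Shamir sharing reconstructs the key in one process at the moment of use, so to keep the key from ever existing in a single place you would pair it with a threshold signing or MPC protocol, which is outside what this block shows.

```python
"""Threshold secret sharing demo: no single party ever holds the 'last secret'."""
import secrets

# Field modulus. 2**127 - 1 is prime and comfortably holds a 128-bit key.
# Assumption for this example: secrets are integers below P.
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of c0 + c1*x + c2*x^2 + ... modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, n_shares):
    """Shamir split: any `threshold` of the `n_shares` points recover `secret`.

    The constant term is the secret; the remaining coefficients are uniformly
    random, so fewer than `threshold` points are consistent with every secret.
    """
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    if not 0 <= secret < P:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. Caller must supply >= threshold shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def single_share_consistent_with(share, candidate):
    """Threshold-2 case: a lone share (x, y) lies on a line through ANY
    candidate secret, so holding one share is no better than holding none.
    Returns True when such a line exists (it always does for x != 0)."""
    x, y = share
    slope = (y - candidate) * pow(x, -1, P) % P
    return _eval_poly([candidate, slope], x) == y


def demo():
    """2-of-3 split: institution keeps two shares, vendor gets one. Any action
    needs the vendor's share plus an institution approver's share (or two
    institutional shares, so the vendor is never indispensable)."""
    key = secrets.randbelow(P)  # constructed stand-in for a real key
    vendor, approver_a, approver_b = split_secret(key, threshold=2, n_shares=3)

    # The vendor's share alone fits the real key and an arbitrary decoy equally.
    decoy = (key + 12345) % P
    single_share_leaks = not (single_share_consistent_with(vendor, key)
                              and single_share_consistent_with(vendor, decoy))

    # Vendor plus one institutional approver reconstructs the key (in memory).
    joint = recover_secret([vendor, approver_a])
    # Two institutional shares also work; the institution is never locked out.
    institution_only = recover_secret([approver_a, approver_b])
    return {
        "single_share_leaks": single_share_leaks,
        "vendor_plus_approver_ok": joint == key,
        "institution_alone_ok": institution_only == key,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary in which `single_share_leaks` is `False` and both reconstruction checks are `True`: the vendor's share is consistent with every possible key, while any two shares rebuild it exactly. Raising `threshold` (for example, 3-of-5 with two approvers required alongside the vendor) changes only the `split_secret` call.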

Practical Benefits of SplitSecure

  • Stronger Protection: An attacker cannot gain access simply by compromising a single account or system, as no single user or device holds the sensitive credentials.
  • Institutional Control: The institution retains control over its cryptographic material at all times. Vendors support operations, but they never hold the keys.
  • Clearer Policy Enforcement: Institutions can control not only who may request access, but precisely how that access may be used, ensuring tight alignment between security controls, regulatory expectations, and internal risk policies.

Conclusion

The NYDFS third-party risk guidance reflects a broader, industry-wide shift. Regulators now expect institutions to proactively design systems that remain safe even when vendors are compromised or make mistakes.

SplitSecure helps financial institutions meet this heightened expectation by enforcing access controls that are auditable, provable, and fundamentally designed to reduce reliance on trust alone.

Ready to see SplitSecure in action?

No jargon. No friction. Just stronger security for your organization.
Book a Demo