NYDFS (New York State Department of Financial Services) Compliance
The NYDFS (New York State Department of Financial Services) Cybersecurity Regulation works by imposing strict cybersecurity rules on covered organizations, including the establishment of a detailed cybersecurity program, the designation of a Chief Information Security Officer (CISO), the adoption of a comprehensive cybersecurity policy, and the initiation and maintenance of an ongoing reporting process for cybersecurity events.
Navigate to Company Level > Compliance > Assessments > NYDFS to start an NYDFS Assessment from the default template.
Click on Default Template to create your assessment for NYDFS. The assessment is divided into 15 sections. Every section has a set of questions to be answered for this assessment.
Click on Add to create a new NYDFS Assessment.
To start, provide an Assessment Name of your choice. The current assessment will be stored under this name.
There are 15 sections in this assessment. Below are the different sections which will be used for the NYDFS assessment:
CYBER SECURITY PROGRAM (SECTION 500.02): Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of the Covered Entity’s Information Systems.
CYBER SECURITY POLICIES (SECTION 500.03): Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems.
CHIEF INFORMATION SECURITY OFFICER (SECTION 500.04): Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”). The CISO may be employed by the Covered Entity, one of its Affiliates, or a Third Party Service Provider.
PENETRATION TESTING AND VULNERABILITY MANAGEMENT (SECTION 500.05): The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic Penetration Testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct.
AUDIT TRAIL (SECTION 500.06): Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment.
ACCESS PRIVILEGES (SECTION 500.07): Each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.
APPLICATION SECURITY (SECTION 500.08): Each Covered Entity’s cybersecurity program shall include written procedures, guidelines, and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.
RISK ASSESSMENTS (SECTION 500.09): Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information, or business operations. The Covered Entity’s Risk Assessment shall allow for the revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the Covered Entity’s business operations related to cybersecurity, Nonpublic Information collected or stored, Information Systems utilized, and the availability and effectiveness of controls to protect Nonpublic Information and Information Systems.
RISK ASSESSMENTS (SECTION 500.09): Periodic risk assessments that address changes of Information Systems, Nonpublic Information, or business operations are required to inform the design and changes of the cybersecurity program.
THIRD PARTY SERVICE PROVIDER (SECTION 500.11): Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall be addressed to the extent applicable.
MULTI-FACTOR AUTHENTICATION (SECTION 500.12): Each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.
LIMITATIONS ON DATA RETENTION (SECTION 500.13): Each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.01(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
TRAINING AND MONITORING (SECTION 500.14): Each Covered Entity shall implement risk-based policies, procedures, and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.
ENCRYPTION OF NONPUBLIC INFORMATION (SECTION 500.15): Each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.
INCIDENT RESPONSE PLAN (SECTION 500.16): Each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity, or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business or operations.
Once all the details are provided, click Save, then click Next to move to the next page.
For every question in the assessment, evidence can be uploaded using Upload Evidence, both while adding the details and while editing the assessment in draft mode.
Assessment Status
You can ONLY View/Download an assessment while it is in a COMPLETED status.
You can ONLY Edit an assessment while it is in DRAFT status.
Action options include: Edit, View/Download, and Delete.
Edit: Continue with updates/edits to an open assessment. A completed assessment can’t be edited.
Delete: permanently deletes the assessment.
View/Download: Starts the download of a ZIP file containing three items: a DOCX file, an XLSX file, and an Evidence folder containing individual XLSX files with the answers and any evidence uploaded during the assessment.
When downloading the ZIP file, the name used is in the format ‘Company Name _ Assessment Name _ Date _ Time’.
This completes the NYDFS Compliance Assessment document.