The New York State Department of Financial Services (NYDFS) has issued guidance intended to aid small businesses in meeting their cybersecurity obligations. Since 2017, New York has enforced cybersecurity rules for financial institutions, with revised regulations introduced in 2023 focusing on more frequent risk assessments and improved governance.
Under these updated rules, covered entities must maintain a cybersecurity program addressing various facets, including risk identification and assessment, safeguarding nonpublic information, and fulfilling regulatory reporting requirements. In a guidance letter released on Monday, the NYDFS outlined the essential components of the cybersecurity program expected from financial institutions.
As part of this guidance effort, the NYDFS has furnished a cybersecurity program template tailored to assist small businesses in understanding the core tenets of its cybersecurity regulations. This template provides frameworks for establishing and overseeing asset inventories, conducting risk evaluations, managing exceptions to multifactor authentication, and supervising third-party service providers.
Furthermore, the template offers guidance on diverse aspects, such as establishing a compliant cybersecurity program, conducting asset inventories and risk assessments, evaluating the cybersecurity practices of third-party service providers, managing access to sensitive company data, formulating policies for data retention and disposal, conducting cybersecurity training, devising incident response protocols, and reporting cyber intrusions to the NYDFS.
Primarily crafted for covered entities potentially eligible for limited exemptions from the cybersecurity regulation – including those with 20 or fewer employees and independent contractors, generating less than $7.5 million in annual revenue in New York, or possessing total assets under $15 million – the template serves as a comprehensive tool for navigating compliance requirements.
To help small financial institutions determine whether the regulations apply to their operations, the NYDFS has also released a flow chart. This resource, along with the template, aims to simplify the compliance process by clarifying regulatory obligations and exemptions.
Overall, the guidance and accompanying resources underscore the NYDFS's commitment to elevating cybersecurity standards and ensuring that small businesses can adeptly navigate and adhere to regulatory mandates in this critical domain.
By fLEXI tEAM