Get Started
NYDFS: Achieving the New Risk Assessment Requirement

SaltyCloud Research Team

Updated Mar 5, 2019 Read Time 10 min


The NYDFS cybersecurity regulations for the financial services industry aim to protect sensitive consumer information by mandating risk assessments and implementation of security controls to detect and respond to cyber attacks, with compliance as an ongoing requirement.

In 2017 the New York State Department of Financial Services (NYDFS) enacted cybersecurity regulations for entities operating within the financial services industry – No other state has issued such regulations. This statute is similar to the federal FFIEC guidance that includes a comprehensive cybersecurity assessment test (FFIEC CAT). The new regulation has strict requirements for data retention and breach reporting. There are rules defined for the basic principles of documentation for all security policies, risk assessments, and data security.

The purpose of these new requirements is to protect sensitive and non-public consumer information that could be used to identify someone.

That said, executing a proper risk assessment is the foundation of your cybersecurity program and NYDFS compliance. The purpose of these new requirements are to protect sensitive and non-public consumer information that could be used to identify someone. The best way to prevent this from happening and simultaneously maintain compliance is to rely heavily upon risk assessment, taking note of gaps in your security posture before they become problems.

The new regulation NYDFS Section 500.09(a), states that it is “designed to promote consumer information protection while simultaneously protecting Information technology systems used by regulated entities.” This new regulation requires every company to conduct a risk assessment and implement a program thereafter with security controls necessary to detect and respond to any cyber attacks to which the company is currently exposed. The intent of the regulation is to conduct a thorough and holistic, documented risk assessment.

It is important to understand that these regulatory changes are recurring and not a one-off.  So, your organization will need to make changes going forward that are long lasting knowing that compliance will continue to remain an industry-wide requirement.

Risk Assessment Policies and Procedures – NYDFS Section 500.09(b)


Organizations in the financial sector must comply with new cybersecurity regulations, which involve conducting risk assessments, implementing controls, and documenting processes to protect sensitive consumer information, unless they meet specific exemption criteria.

Who’s required to comply?

Achieving risk assessment compliance begins by determining which organizations are subjected to this new regulation. This includes:

  • Commercial banks
  • Foreign banks
  • Mortgage brokers
  • Savings and loan associations
  • Life insurance companies
  • Investment companies
  • Private bankers
  • Credit unions
  • Health insurers
  • Licensed lenders


There are a few exemptions to the above list. Companies that fall under at least one the following criteria are not required to comply:

  • Less than $10M in year end total assets under Generally Accepted Accounting Principles (GAAP)
  • Have fewer than 10 employees (including independent contractors)
  • No storing or processing of nonpublic information
  • Less than $5M in gross annual revenue in each of the last three fiscal years from NY business operations

Evaluation criteria

Criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity.

In fact, organizations are currently asked to assess their existing security risks and subsequently develop policies for system monitoring, classification, data governance, access controls, and incident responses and recoveries.  Companies are being called to implement specific controls as part of the compliance standards.


Assessment criteria

Criteria for the assessment of the confidentiality, integrity, security, and availability of the covered entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks include a handful of new implementations.

Risk Assessments – Covered entities are required to conduct risk assessments periodically in order to assess the confidentiality, security, integrity, and availability company its infrastructure.

Audit Trail – Covered entities will also need to implement an audit trail which is designed to record cybersecurity events and responses therein. All of these records will need to be maintained for 5 years.

Data Retention – There are new limitations on data retention that state covered entities must securely dispose of consumer information that is no longer necessary for daily operations of the business or any other legitimate business purpose.

Access Privileges – Covered entities will also have to limit the access privileges to such sensitive information and periodically review.

Risk mitigation

Requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.

Organizations need to outline and describe how they will address risks within their cybersecurity program. Employee response should also be tested to ensure that their protocols are being followed and that they are effective.


Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts.

Covered entities need to develop written plans that document all internal processes for responding to cybersecurity events. This information should include every role and responsibility, communication plan, and any necessary remediations of control. If a cybersecurity event has been detected, notices to the superintendent must be received within 72 hours.

A successful risk assessment process for NYDFS compliance


Covered entities must conduct at least annual risk assessments, with frequency and granularity determined by each organization, to facilitate a thoughtful approach and justify actions.

Covered entities are expected to periodically conduct risk assessments but it’s going to be up to each entity to determine how frequently things like these are done, so long as the minimum annual assessment is met.

Organizations might choose to complete the risk assessment two or three times per year if necessary. Covered entities must take a thoughtful approach to the process. A certain level of granularity is desired – detailed but not overwhelming.

Risk assessment is used as a baseline to justify actions,  and therefore the results of risk assessments and the more frequent risk assessments conducted, the easier it will be for entities to take a thoughtful approach and justify different actions throughout the year.

Risk assessment methodology for NYDFS compliance


Compliance requires covered entities to identify and classify critical assets, assess cybersecurity threats, align threats to assets, map threats to controls, and evaluate the effectiveness of those controls.

The risk assessment methodology required for compliance stipulates that covered entities need to identify critical assets and classify them.  After that, they should identify and assess any of cybersecurity threats. Once this is done covered entities need to align the cybersecurity threats to assets and map any of those threats to controls. The final step is to determine the effectiveness of those controls.

Developing the methodologies and what to do with it next


Long-term sustainability in risk assessment methodology is crucial, and using workflow automation software can efficiently build upon previous work, address annual requirements, and improve processes for recurring regulations.

Long-term sustainability should be a key theme when you’re constructing your risk assessment methodology. It can be easy to go with the one and done approach of using a spreadsheet or by bringing in an outside consultant but a system that builds off and expands previous year’s work and responses will help you leverage your efforts much better in the long term. Making the risk assessment process more efficient by using workflow automation software will help you build off your previous workload. There are two big pain points near term – last year’s risk assessment requirements and this year’s vendor assessment. Knowing that you have an annual assessment coming up presents an opportunity to come up with a better process. This regulation is here and not going away (will happen yearly). You might as well invest in a workflow solution now.

Making the process more efficient


Efficiently managing the risk assessment process involves prioritizing critical assets, regularly reviewing and improving assessments, utilizing automation tools, and leveraging unified platforms for document management and access control.

In order to make the process more efficient for your organization you should start by reviewing your most critical assets first. To stay in line with best practices, you should go back and review your critical assets on a regular basis. In fact, remember that since this is an ongoing process your first attempt doesn’t have to be perfect. You can always continue to look back on your risk assessments and related processes as you move forward, making changes and improvements on a regular basis.  Another way that you can make the process more efficient is to use automation tools to save time and money.

NIST CST and FFIEC CAT are two gold standards for risk assessments in the financial services industry. FFIEC CAT is more comprehensive and financial specific but maps back to NIST CSF. With workflow automation software you could do one comprehensive assessment, but report off of (demonstrate compliance to) others via good software.

You can also use software to achieve compliance more efficiently by relying upon a unified platform to manage all documents and reports which will no doubt make it easier to search information necessary to comply with the audit trail requirement. This type of tool would also make it easier to map who has access to which systems or files in order to comply with the access privileges portion of the regulation.

What’s next?


Compliance with upcoming vendor assessment requirements can be achieved through data classification, additional training, and workflow automation software to manage documents and access privileges efficiently.

There are upcoming vendor assessment requirements in March 2019, but you can make sure you are compliant by addressing data classification first and foremost. Your security team will need to conduct the data classification aspect of the risk assessment first so that sensitive data can be evaluated for potential risk and access to said data given to only those who need it. There will be additional training requirements for security staff and reports no longer focus only on situations where information was stolen but on situations where someone attempted nefarious actions.

You can use workflow automation software to achieve compliance more efficiently by relying upon a unified platform to manage all documents and reports which will no doubt make it easier to search information necessary to comply with the audit trail requirement. Workflow automation software can also make it easier to map who has access to which systems or files in order to comply with the access privileges portion of the regulation.

Financial information continues to be a significant driver in breaches, and the NY DFS Cybersecurity regulation aims to curb some of those breaches by requiring appropriate controls are in place. Take the next step toward compliance by performing a risk assessment today!”

How Isora GRC from SaltyCloud can help


Isora GRC from SaltyCloud is the powerfully simple solution making regulatory compliance easier while helping organizations improve their cyber resilience.

The stakes have never been higher for organizations as they confront escalating cyberattacks and mounting regulations.

With business-critical data and privacy on the line, companies need a simple solution that helps them move beyond a ‘check-the-box’ mindset towards a risk-informed, data-driven, and proactive approach.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

  • Ace compliance audits with collaborative surveys, adaptable security frameworks, dynamic dashboards, and insightful reporting for key regulations.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect critical data with comprehensive inventory management, seamless integration, continuous assessments, and insightful reporting.
  • Minimize third-party risk with a complete vendor inventory, risk assessment surveys, and approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how Isora GRC from SaltyCloud can streamline compliance and risk management for your organization.

Learn More
Our GRC Resources

Dive into our research-backed resources–from product one pagers and whitepapers, to webinars and more–and unlock the transformative potential of powerfully simple GRC.

Learn More
Other Relevant Content

This guide covers everything you need to know about TAC 202, including what it entails, why it's important, and how you can comply. We even included a TAC 202 checklist to make it easy for your organization to get started.

This Complete Guide explores basics and the compliance checklist for the GLBA Safeguards Rule risk assessment of customer information security programs.

This Complete Guide explores basics and the compliance checklist for the GLBA Safeguards Rule requiring IT security programs securing customer data

Stay ahead of the curve
Get insightful guides, original research, regulatory updates, and novel solutions delivered straight to your inbox.
Get Started
Manage assessments
confidently with
collaborative GRC tooling