Press Release - December 10, 2014: NYDFS Issues Examination Guidance To Banks Outlining New Targeted Cyber Security Preparedness Assessments

Skip to Content

Press Release

December 10, 2014

Contact: Matt Anderson, 212-709-1691


DFS-Regulated Banks to be Examined Based on Cyber Security Protocols, Governance, Third-party Vendor IT Security, Other Issues

Targeted Cyber Security Assessments Will Be Integrated As Ongoing, Regular Part of DFS Exam Process

Benjamin M. Lawsky, Superintendent of Financial Services, today issued an industry guidance letter to all New York State Department of Financial Services (DFS)-regulated banks outlining the specific issues and factors on which those institutions will be examined as part of new targeted, DFS cyber security preparedness assessments. These banks will be examined on their protocols for the detection of cyber breaches and penetration testing; corporate governance related to cyber security; their defenses against breaches, including multi-factor authentication; the security of their third-party vendors, and a number of other issues.

The new cyber security assessments will become regular, ongoing parts of all DFS bank examinations moving forward. Taking this step will help encourage stronger cyber security practices at banks since regulatory examination ratings can have significant impacts on the operations of financial institutions, including their ability to enter new business lines or make acquisitions.

Superintendent Lawsky said: "It is our hope that integrating a targeted cyber security assessment directly into our examination process will help encourage a laser-like focus on this issue by both banks and regulators. Cyber hacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks."

The industry guidance letter Superintendent Lawsky sent today represents the formal commencement of the new cyber security assessment process.  As part of this cyber security assessment, the Department has incorporated into its examination process a series of new questions and topics, including but not limited to:

  • Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
  • Resources devoted to information security and overall risk management;
  • The risks posed by shared infrastructure;
  • Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
  • Information security testing and monitoring, including penetration testing;
  • Incident detection and response processes, including monitoring;
  • Training of information security professionals as well as all other personnel;
  • Management of third-party service providers;
  • Integration of information security into business continuity and disaster recovery policies and procedures; and
  • Cyber security insurance coverage and other third-party protections.
To view a full copy of Superintendent Lawsky’s letter on the cyber security assessment, please visit, link​.


Department of Financial Services


DFS Facebook page

Follow NYDFS on Twitter


Sign up online or download and mail in your application.