TO: All NYS-Chartered Depository Institutions

FROM: Benjamin M. Lawsky

DATE: February 6, 2014

RE: Banking Division Industry Letter: FS-ISAC Participation Recommended For All NYS-Chartered Depository Institutions

The New York State Department of Financial Services (“DFS”), in a cyber security survey conducted last summer, found that fewer than one-quarter of small depository institutions and only about two-thirds of medium and large depository institutions are members of an Information Sharing and Analysis Center (“ISAC”).1

As part of its ongoing commitment to promoting cyber security in the financial services industry, DFS encourages all NYS-chartered depository institutions, irrespective of size, to become members of the Financial Services-Information Sharing and Analysis Center (“FS-ISAC”). DFS considers membership in this type of organization an important component of a comprehensive cyber security program, with FS-ISAC membership in particular viewed as a “best practice.”

The FS-ISAC is a non-profit industry forum, supported by the U.S. Department of Treasury and the Financial Services Sector Coordinating Council (“FSSCC”), for collaboration on critical security threats. Its primary objective is to disseminate and foster the sharing of relevant and actionable information about physical and cyber security threats among participants.

FS-ISAC membership has a number of benefits. Members receive timely notification and authoritative information specifically designed to help protect critical systems and assets from physical and cyber security threats. In fact, both the U.S. Department of Treasury and the U.S. Department of Homeland Security rely on the FS-ISAC to disseminate critical information to the financial services sector in times of crisis. In addition, the FS-ISAC provides an anonymous information-sharing capability across the entire financial services industry that enables institutions to exchange information regarding physical and cyber security threats, as well as vulnerabilities, incidents, and potential protective measures and practices.

While the FS-ISAC is a non-profit run by its members, membership does require an annual fee that can range from $250 to $49,950 depending upon the size and sophistication of the institution participating and the level of service selected. DFS does not recommend one level of membership over another; however, each institution should make its own determination regarding the appropriate level of membership tailored to its cyber-risk profile.

Additional information about the benefits of FS-ISAC membership can be found on their website:


Benjamin M. Lawsky
Superintendent of Financial Services

1 Small institutions were defined as having less than $1 billion in assets. Medium institutions were defined as having between $1 billion and $10 billion in assets. Large institutions were defined as having more than $10 billion in assets.