New York State Department of Financial Services Issues Expanded Cyber Security Examination Procedures

December 12, 2014
Joseph D. Simon
Garden City

As part of an ongoing effort to combat cyber attacks on financial institutions and promote enhanced cyber security, the New York State Department of Financial Services (“DFS”) has issued expanded examination procedures focusing specifically on cyber security and information technology (“IT”) issues. The expanded examination procedures were issued on December 10, 2014, and are applicable to all New York State chartered banks.

The expanded cyber security examination procedures will be integrated into DFS’s regular examination process going forward and implemented through updated pre-examination “First Day Letters” and revised procedures for scheduling and assessing IT/cyber security examinations.

The updated “First Day Letter” of IT/cyber security examinations will now include, but not be limited to, the following topics: IT management and corporate governance for cyber security related issues, risk assessment and management, network security such as multi-factor authentication, information security testing and monitoring, incident detection and response, training, vendor management, business continuity and disaster recovery plans, and cyber security insurance coverage.

Additionally, the timing for IT/cyber security examinations has been adjusted. Such examinations will now be scheduled after the comprehensive risk assessment of each institution. During risk assessments, banks will be asked by the DFS for responses to the following items:

If you have any questions regarding the new guidance or cyber security issues in general, please feel free to contact Joseph D. Simon at (516) 357-3710, Kevin Patterson at (516) 296-9196, or Mandy Xu at (516) 357-3850.