The New York State Department of Financial Services (NYDFS) issued guidance for small businesses attempting to comply with its cybersecurity regulations.

New York has had rules for financial institutions regarding cybersecurity in place since 2017. The state issued amended rules in 2023 that require financial institutions to conduct risk assessments more often and improve governance.

Under the amended rules, “[C]overed entities must maintain a cybersecurity program designed to identify and assess cybersecurity risks; protect nonpublic information (such as confidential customer information or sensitive business information) and the computers, phones, and other electronic devices storing such information from unauthorized access and other malicious acts; detect, respond, and recover from cybersecurity events; and comply with applicable regulatory reporting obligations,” the NYDFS said Monday in a guidance letter.

As part of the guidance, the agency issued a cybersecurity program template intended to help small businesses understand the core concepts of its cybersecurity regulations. The template includes frameworks for developing and tracking asset inventories, risk assessments, multifactor authentication exceptions, and third-party service providers, the guidance letter stated.

The template also covers how to:

  • Create a compliant cybersecurity program;
  • Conduct an asset inventory of your firm’s existing information systems and a cybersecurity risk assessment;
  • Assess the adequacy of the cybersecurity practices of a firm’s third-party service providers;
  • Manage which employees, contractors, and third parties have access to sensitive company data;
  • Set policies for data retention and disposal;
  • Conduct cybersecurity awareness training with employees and managers;
  • Create a policy for responding to a cybersecurity incident; and
  • File reports on cyber intrusions with the NYDFS.

The template is targeted for covered entities that might qualify for a limited exemption to the agency’s cybersecurity regulation, including those with 20 or fewer employees and independent contractors, less than $7.5 million in gross annual revenue generated in New York, or less than $15 million in total assets.

The NYDFS published a flow chart to help small financial institutions understand whether the regulations apply to them. There are a series of questions contained in the template that attempt to do the same.