In 2017, the New York State Department of Financial Services published a cyber security regulation, which takes effect between 2017 and 2019. The regulation applies to all businesses that fall under jurisdiction of the Department of Financial Services.  Therefore, any insurance company licensed in New York, and all state chartered banks and credit unions are subject to the regulation.

Cyber Defense Institute has been helping financial and insurance companies in New York State for many years and particularly since September, 2016 when the regulation was first announced. We have a turn- key set of solutions that meets the required cyber security program components such as a comprehensive risk assessment, cyber security policies, annual vulnerability assessments and penetration testing, employee training, etc. Cyber Security and regulatory compliance is our only business.

The Cyber Defense Institute Solution

Risk Assessment

Section 500.09 requires you to perform "periodic risk assessments."  We will perform a formal, comprehensive information systems risk assessment designed to meet regulatory compliance requirements the organization is subject to. This Risk Assessment follows the NIST methodology and includes technical, physical, and administrative security controls.


Comprehensive Security Program Creation

CDI will develop and customize a comprehensive security policy that includes all required security controls that meet your regulatory requirements. Over 17 policies and templates are included with this service. This will satisfy requirements under 500.02, 500.03, 500.08, 500.11, and 500.16

Vulnerability Assessment

Internal and External Network Vulnerability Assessments identify detailed security flaws that exist on your network devices (PC’s, servers, laptops, firewalls, switches, etc.) that can allow a hacker to gain access to your confidential or critical information. Our scanning process provides the level of detail and the specific remediation steps required to fix each device that exhibits a security flaw. Our vulnerability assessment reports prioritize security flaws and several types of reports are generated that meet the needs of executives and the network administrators required to remediate. 

Using this information we can improve your security and meet your biannual vulnerability assessment requirements under 500.05(a)(2).

Web Application Security Assessment

While standard vulnerability assessments focus on the host and server platforms, web application vulnerability assessments focus on the web applications themselves. WAS assessments can detect web vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and URL re-direction. WAS provides identification of the most common web application vulnerabilities including the OWASP Top Ten. Vulnerable external network connections (publicly facing IP addresses) and devices can provide access to internal networks that can be compromised by hackers using the internet. External network vulnerability assessments identify weaknesses in network configurations that organizations can fix before they are exploited. Combined with a biannual vulnerability assessment, this helps meet your obligations under 500.05(a)(2).


Section 500.04(a) requires that each organization appoint a "Chief Information Security Officer" who is responsible for maintenance and oversight of the company's information security policy.  The regulations also have a requirement, under section 500.10, that organizations utilize qualified cybersecurity personnel.  With decades of cybersecurity experience, Cyber Defense Institute can assist you in exceeding this requirement by performing this function for you.  As part of this service, and as required by section500.04(b), we will provide the annual report to your organization's Board of Directors or governing body.

Penetration Testing

Penetration testing is a primarily manual process by a CDI ethical hacker to attempt to gain access to an organizations information systems (internal or external) that contains proprietary or  confidential information. We assume the role of a malicious hacker and may actually break in without actually causing any damage or stealing any information. The goal of penetration testing is to determine if your systems can be broken into, how they can be broken into, and specify what fixes need to be applied to prevent a breach.  Annual penetration testing will satisfy the requirements of section 500.05(a)(1).


Security Awareness Training & Phishing

Cyber Defense Institute will provide online security awareness training for all employees with simulated phishing attacks to ensure users are vigilant in the use of e-mail and the internet. Online training consists of 14 different short courses on cybersecurity, PCI compliance and other topics.  Cybersecurity awareness training is a requirement in section 500.10.

Threat Monitoring-as-a-service

Provide a 24/7/365 Security Operations Center (SOC)-as-a-service that leverages a cloud-based Security Information & Event Management platform to monitor, detect, and respond to security threats in real time.  This service also provides incident response and forensic incident response as-a-service. 

Threat monitoring exceeds the requirements of section 500.16 requiring the establishment of audit trails when coupled with audit logs your policy management system probably already does. 

Key Deadlines

  • March 1, 2017

    • Regulation goes into effect
  • August 28, 2017
    • Section 500.02 - Maintain cybersecurity program
    • Section 500.03 - Implement & maintain cybersecurity policy
    • Section 500.04(a) - Designate Chief Information Security Officer (CISO) 
    • Section 500.07 - Limit user access privileges as part of cybersecurity program
    • Section 500.10 - Utilize qualified cybersecurity personnel
    • Section 500.16 - Establish a written incident response plan
    • Section 500.17(a) - Notify Superintendent of cybersecurity events as required
    • Section 500.19(d) - File Notice of Exemption with Superintendent
  • February 15, 2018
    • Section 500.17(b) - Submit annual certification of compliance to Superintendent
  • March 1, 2018
    • Section 500.04(b) - CISO must provide annual report to board or governing body of agency
    • Section 500.05(a)(1) - Conduct annual penetration testing
    • Section 500.05(a)(2) - Conduct bi-annual vulnerability assessments
    • Section 500.09 - Conduct periodic risk assessment
    • Section 500.12 - Multi-factor authentication if needed
    • Section 500.14(b) - Provide regular cybersecurity awareness training for all personnel
  • September 3, 2018
    • Section 500.06 - Establish audit trails
    • Section 500.08 - Establish procedures, guidelines and standards for development of in-house developed applications
    • Section 500.13 - Establish policies and procedures for data retention & disposal
    • Section 500.14(a) - Monitor authorized users
    • Section 500.15 - Encryption of data both in transit over external networks and at rest
  • March 1, 2019
    • Section 500.11 - Implement written policies and procedures to ensure security of nonpublic information that is accessible to, or held by, third party service providers