
Financial Services Cybersecurity Compliance Checklist

Issued By Iron Bridge Cyber Governance
Covers NYDFS Part 500 · SEC proposed Rule 206(4)-9 · Reg S-P · FINRA · NIST CSF 2.0
Current As Of 2025; reflects the November 2023 NYDFS amendments and the May 2024 Regulation S-P amendments
Contact info@cybergovernanceironbridge.com
How to use this checklist. Each item reflects a requirement tested in active regulatory examinations or enforcement actions. Items marked Critical represent the most frequently cited deficiencies or those carrying the highest enforcement risk. This document is a self-assessment tool, not legal advice. Consult qualified counsel to evaluate your specific obligations.
I NYDFS 23 NYCRR Part 500 — Amended 2023
Applies to all entities holding a license, registration, charter, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law (limited exemptions apply under Section 500.19). The 2023 amendments significantly expanded requirements, with phased effective dates running through November 1, 2025; enforcement is active. The annual Certification of Compliance is due April 15 each year.
Governance & Program
  • Written cybersecurity policy formally adopted and approved by a senior officer or the board of directors Critical
  • Designated CISO — in-house or a qualified third party who performs the function; must have the authority and resources to execute the cybersecurity program Critical
  • CISO reports in writing to the board of directors (or equivalent senior governing body) at least annually on material cybersecurity risks and the state of the program, and reports material cybersecurity issues to it on a timely basis
  • Senior officer reviews and approves the cybersecurity policy at least annually
  • Cybersecurity program covers all Information Systems — including those operated by or on behalf of the Covered Entity
  • Program is designed based on the results of the annual risk assessment — not merely a generic industry template
Risk Assessment
  • Annual written risk assessment of the confidentiality, integrity, and availability of information systems; documented and retained Critical
  • Risk assessment methodology is documented and consistent year over year or updated with explanation
  • Nonpublic Information (NPI) is inventoried and classified by sensitivity level
  • Risk assessment includes third-party and supply chain risks for service providers with access to information systems or NPI
  • Risk assessment results are used to update the cybersecurity program, policies, and controls
Access Controls & Authentication
  • Multi-factor authentication (MFA) for all remote access to the information system, including VPN and remote desktop connections Critical
  • MFA for all privileged accounts: administrative access to information systems, databases, and cloud environments Critical
  • MFA for any individual accessing any information system of the Covered Entity, not only remote access (amended Section 500.12, effective November 1, 2025); any exception relies on compensating controls approved in writing by the CISO Critical
  • MFA required for access to any third-party application holding NPI, including web-based and cloud-hosted applications, where technically feasible
  • Principle of least privilege applied — access limited to systems and data required for the role
  • User access reviews conducted at least annually with documentation of results and any remediation
  • Terminated employee access revoked promptly — defined procedure and timeframe in policy (commonly within one business day) Critical
  • Privileged account password rotation on a defined schedule; no shared administrator credentials
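The access review, prompt revocation and privileged-MFA items above are tested by asking for evidence, and the cleanest evidence is a reconciliation of the HR roster against an export from the identity provider. The following is an added example (not the issuer's tooling) of that reconciliation in Python; the roster and account data are constructed, and the one-business-day revocation SLA and 90-day dormancy threshold are assumptions standing in for whatever the firm's policy states.

```python
"""Access-review reconciliation: HR roster vs. identity-provider export.

Added example. Flags terminated accounts still enabled (with an assumed
one-business-day revocation SLA), privileged user accounts without MFA,
accounts with no HR owner, and dormant accounts. All data is constructed.
"""
from datetime import date, timedelta

REVOCATION_SLA_BUSINESS_DAYS = 1   # assumption: policy says "within one business day"
DORMANT_AFTER_DAYS = 90            # assumption: review-policy threshold

# Constructed HR roster: who should have access.
HR_ROSTER = [
    {"username": "alice", "status": "active",     "terminated": None},
    {"username": "bob",   "status": "terminated", "terminated": date(2025, 3, 27)},
    {"username": "carol", "status": "terminated", "terminated": date(2025, 3, 28)},
    {"username": "dave",  "status": "active",     "terminated": None},
]

# Constructed identity-provider export: who actually has access.
IDP_ACCOUNTS = [
    {"username": "alice",      "type": "user",    "enabled": True, "privileged": False, "mfa": True,  "last_login": date(2025, 3, 30)},
    {"username": "bob",        "type": "user",    "enabled": True, "privileged": True,  "mfa": True,  "last_login": date(2025, 3, 20)},
    {"username": "carol",      "type": "user",    "enabled": True, "privileged": False, "mfa": False, "last_login": date(2025, 3, 27)},
    {"username": "dave",       "type": "user",    "enabled": True, "privileged": True,  "mfa": False, "last_login": date(2025, 3, 29)},
    {"username": "svc-backup", "type": "service", "enabled": True, "privileged": True,  "mfa": False, "last_login": date(2025, 3, 31)},
    {"username": "ghost",      "type": "user",    "enabled": True, "privileged": False, "mfa": True,  "last_login": date(2024, 11, 1)},
]


def business_days_between(start: date, end: date) -> int:
    """Count weekdays strictly after `start` up to and including `end`."""
    days = 0
    cur = start + timedelta(days=1)
    while cur <= end:
        if cur.weekday() < 5:
            days += 1
        cur += timedelta(days=1)
    return days


def reconcile(roster, accounts, as_of: date) -> dict:
    """Return findings keyed by type; each finding is (username, detail)."""
    findings = {"terminated_still_enabled": [], "privileged_without_mfa": [],
                "orphaned_account": [], "dormant_account": []}
    hr = {p["username"]: p for p in roster}
    for acct in accounts:
        name = acct["username"]
        person = hr.get(name)
        # A human account with no HR record has no owner to approve its access.
        if acct["type"] == "user" and person is None:
            findings["orphaned_account"].append((name, "no HR record"))
        # Terminated but still enabled; overdue once the SLA has elapsed.
        if person and person["status"] == "terminated" and acct["enabled"]:
            elapsed = business_days_between(person["terminated"], as_of)
            overdue = elapsed > REVOCATION_SLA_BUSINESS_DAYS
            findings["terminated_still_enabled"].append(
                (name, f"{elapsed} business day(s) since termination; overdue={overdue}"))
        # Service accounts cannot do interactive MFA and are reviewed separately (assumption).
        if acct["type"] == "user" and acct["privileged"] and not acct["mfa"]:
            findings["privileged_without_mfa"].append((name, "privileged, MFA not enrolled"))
        if acct["enabled"] and (as_of - acct["last_login"]).days > DORMANT_AFTER_DAYS:
            findings["dormant_account"].append((name, f"last login {acct['last_login']}"))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HR_ROSTER, IDP_ACCOUNTS, date(2025, 3, 31)).items():
        for user, detail in items:
            print(f"{kind:26s} {user:12s} {detail}")
```

Run against real exports, the output of `reconcile` is the remediation list for the access review and, together with the ticket that closed each item, the documentation an examiner asks for.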
Asset Management & Vulnerability Management
  • Current inventory of all information systems, hardware, and software maintained; reviewed and updated regularly
  • Annual penetration test from inside and outside the information system boundary by a qualified internal or external party; results documented and remediation tracked Critical
  • Automated vulnerability scans conducted at a frequency set by the risk assessment (quarterly is a common baseline) and promptly after any material system change
  • Patch management program in place with defined timelines based on severity; critical patches applied on an expedited basis
  • Vulnerability remediation is tracked to closure with risk acceptance documented for any open items
Data Security & Encryption
  • Encryption of NPI in transit over external networks using current industry-standard protocols (TLS 1.2 minimum with TLS 1.0 and 1.1 disabled; TLS 1.3 recommended); compensating controls are no longer accepted for data in transit Critical
  • Encryption of NPI at rest wherever it is stored, including servers, databases, backups, laptops, and removable media; where a compensating control is used instead, the CISO reviews and approves it in writing at least annually Critical
  • Data retention schedule established and enforced; NPI not retained longer than necessary for business or legal requirements
  • Secure disposal procedures for NPI: physical and electronic media sanitized or destroyed per documented standards (e.g., NIST SP 800-88)
Third-Party Service Provider Security
  • Written third-party service provider (TPSP) security policy addressing due diligence, contractual requirements, and ongoing monitoring Critical
  • Security due diligence conducted before onboarding any TPSP with access to information systems or NPI
  • Vendor contracts include minimum security requirements — encryption, access controls, incident notification timelines
  • Inventory of all TPSPs with access to NPI or information systems maintained and current
  • Periodic re-assessment of critical TPSPs — SOC 2 reports, security questionnaires, or equivalent reviewed annually
Incident Response & Notification
  • Written incident response plan (IRP) covering detection, containment, notification, and recovery; formally adopted Critical
  • IRP tested at least annually — tabletop exercise, simulation, or functional test; results documented
  • Notice to NYDFS within 72 hours of determining that a cybersecurity incident has occurred, meaning a cybersecurity event at the Covered Entity, an affiliate, or a third-party service provider that must be reported to another government or supervisory body, has a reasonable likelihood of materially harming a material part of normal operations, or involves deployment of ransomware within a material part of the information system; personnel know this obligation and the reporting mechanism (DFS Online Portal) Critical
  • Notice to the Superintendent within 24 hours of any extortion payment made in connection with a cybersecurity event, followed within 30 days by a written description of why payment was necessary, the alternatives considered, and the diligence performed (including sanctions checks)
  • Written documentation of all cybersecurity events maintained — timeline, nature of event, systems affected, response steps, and outcome
Training & Awareness
  • Annual cybersecurity training for all personnel; completion tracked and documented per individual Critical
  • Training includes social engineering, phishing awareness, and reporting procedures for suspicious activity
  • Personnel with privileged access or security responsibilities receive role-specific training
Annual Certification of Compliance
  • Annual Certification of Compliance submitted to NYDFS by April 15 via the DFS Online Portal; signed by a senior officer Critical
  • Documentation supporting the certification, meaning evidence that each program requirement was met, retained for five years and available for examination
  • Where the entity cannot certify full compliance, a written acknowledgment of noncompliance is filed instead, identifying the requirements not met and the remediation plan with documented timelines
II SEC Proposed Rule 206(4)-9 & Regulation S-P — Investment Advisers
The SEC proposed Rule 206(4)-9 (cybersecurity risk management for investment advisers) in February 2022 and reopened the comment period in March 2023; as of this checklist it has not been adopted. The items below track the proposed rule's elements because SEC examination staff already test comparable expectations under the Compliance Program Rule (206(4)-7). The Regulation S-P amendments were adopted on May 16, 2024 and require a written incident response program and notice to affected individuals as soon as practicable, and no later than 30 days after the firm becomes aware of an incident. Compliance dates are December 3, 2025 for larger entities and June 3, 2026 for smaller entities; confirm your firm's tier.
Written Cybersecurity Policies & Procedures
  • Written cybersecurity policies and procedures adopted and implemented; reasonably designed to address cybersecurity risks to the adviser and its clients Critical
  • Policies reviewed and updated at least annually and after any material change in circumstances
  • Policies address the proposed rule's five elements: risk assessment; user security and access; information protection (including oversight of service providers that receive, maintain, or process adviser information); cybersecurity threat and vulnerability management; and cybersecurity incident response and recovery
Annual Risk Assessment
  • Annual written risk assessment covering adviser's cybersecurity risks, information systems, and client data; documented and retained Critical
  • Risk assessment addresses service provider risks — vendors, sub-advisers, and others with access to client data or information systems
  • Results of risk assessment used to update policies and controls; documentation reflects this linkage
User Security & Access Controls
  • Access controls implemented limiting who can access client data and adviser information systems; documented and enforced Critical
  • Strong authentication deployed for access to client accounts and information systems — MFA where feasible
  • Monitoring capabilities in place to detect unauthorized access or unusual activity involving client data
Service Provider Oversight
  • Due diligence conducted on service providers that have access to client data or adviser information systems before onboarding Critical
  • Service provider contracts include cybersecurity requirements — minimum security controls, breach notification obligations, audit rights
  • Ongoing oversight of critical service providers — periodic review of security posture, incident reporting, and control changes
Cybersecurity Incident Response
  • Written incident response procedures addressing detection, containment, recovery, and notification for cybersecurity incidents Critical
  • Procedures include roles and responsibilities, escalation paths, and decision tree for SEC reporting obligations
  • Incident response capabilities tested at least annually; results documented and used to improve the program
Regulation S-P — Breach Notification (Amended 2024)
  • Formal incident response program written and adopted to address unauthorized access to, or use of, customer information Critical
  • Process to notify affected individuals as soon as practicable, and no later than 30 days after the firm becomes aware that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred; notification procedures documented, including the basis for any determination that notice is not required because the information is not reasonably likely to be used in a way that causes substantial harm or inconvenience Critical
  • Customer notice includes: a general description of the incident, the type of sensitive customer information involved, the date or estimated date range of the incident, contact information for questions, and a recommendation that the customer review account statements and report suspicious activity
  • Service providers contractually required to notify the adviser as soon as possible, and no later than 72 hours after becoming aware of a breach of customer information they hold; the adviser's oversight program is documented
Books & Records
  • Cybersecurity policies and procedures maintained as books and records under Rule 204-2; all versions retained with effective dates Critical
  • Written risk assessments retained as books and records; current and prior versions available for exam
  • Documentation of cybersecurity incidents — timeline, nature, affected data, response — retained as required records
  • Evidence of annual policy reviews retained — who reviewed, when, what changed, and approvals obtained
III FINRA — Rules 4370 & 3110 and Annual Examination Priorities
FINRA does not have a standalone cybersecurity rule, but cybersecurity is consistently among the top examination findings. Rule 4370 requires a written Business Continuity Plan. Rule 3110 requires a supervisory system, and FINRA reads that to encompass technology controls. Cybersecurity has been a recurring topic in FINRA's annual priorities letters and, since 2021, in the Report on FINRA's Examination and Risk Monitoring Program, which details current priority areas.
Rule 4370 — Business Continuity Plan
  • Written Business Continuity Plan (BCP) addressing the firm's response to significant business disruptions including cybersecurity incidents Critical
  • BCP reviewed and updated at least annually and following any material change to operations, personnel, or technology
  • BCP covers cybersecurity incident scenarios — ransomware, data breach, system outage — not only natural disasters or physical events
  • Emergency contacts documented: regulators, clearing firms, key vendors, external counsel, cybersecurity incident response retainer
  • Alternate means of communication identified for use when primary systems are unavailable
  • Data backup and recovery procedures documented and tested; recovery point and recovery time objectives defined Critical
  • BCP tabletop or functional test conducted at least annually; results and lessons learned documented
Rule 3110 — Supervisory System
  • Written Supervisory Procedures (WSPs) that address technology and cybersecurity risks relevant to the firm's business activities Critical
  • Designated principal responsible for technology and cybersecurity oversight named in the supervisory structure
  • WSPs address remote access and mobile device security — acceptable use, authentication requirements, device management standards
  • WSPs cover email and electronic communications security, including acceptable use and data loss prevention
  • Supervisory system documented and enforced — evidence of reviews, escalations, and corrective actions maintained
Access Controls & Privileged Account Management
  • Privileged account inventory maintained — all accounts with administrative, root, or elevated system access identified and documented Critical
  • Multi-factor authentication deployed for all privileged account access and remote access to firm systems Critical
  • Principle of least privilege enforced — users have access only to systems and data required for their function
  • Terminated employee access revoked on the day of termination — evidence of revocation retained Critical
  • Service account and shared passwords rotated on a defined schedule and immediately when anyone who knew them departs; no credential known to departed personnel remains valid
  • Access rights reviewed at least annually; documentation of reviews and remediation retained
Third-Party Vendor Risk Management
  • Vendor inventory — all third parties with access to firm systems or customer data identified and documented
  • Due diligence process for new vendors handling customer data or system access; results documented before onboarding Critical
  • Ongoing monitoring of critical vendors — annual review of security posture, SOC 2 reports, or equivalent
  • Vendor contracts include security requirements, data handling obligations, and breach notification requirements
Cybersecurity Training & Awareness
  • Annual firm-wide cybersecurity training; completion tracked and documented by individual Critical
  • Phishing simulation exercises conducted; results used to identify and remediate high-risk personnel
  • Training records maintained and available for examination — who was trained, when, on what topics
  • New employee onboarding includes mandatory cybersecurity training before access to firm systems is granted
Top 10 FINRA Cybersecurity Exam Deficiencies — Current Exam Cycle
  • No written information security policy — or policy not reviewed or approved in the prior year Critical
  • Multi-factor authentication not deployed for remote access or privileged accounts Critical
  • No formal incident response plan, or plan not tested and not tailored to the firm's operations Critical
  • Missing or materially outdated business continuity plan Critical
  • Inadequate vendor due diligence — no documented process or evidence of reviews for TPSPs with data access
  • Poor privileged access management — no inventory, no MFA, no timely revocation on termination
  • No cybersecurity training records — training conducted but no documentation of completion by individual
  • No patch management program — critical vulnerabilities unaddressed for extended periods
  • Inadequate branch office supervision — cybersecurity controls not extended or tested at branch locations
  • Insufficient data loss prevention — no controls or monitoring for unauthorized extraction of customer data
IV Universal Controls — NIST Cybersecurity Framework 2.0
The NIST CSF 2.0 is not a regulatory mandate for most financial services firms, but it is the framework most commonly referenced in SEC and FINRA examination guidance and most commonly used by examiners to evaluate whether a program is comprehensive. These controls represent the baseline expected of any regulated firm, regardless of size.
Govern — Cybersecurity Risk Management Strategy
  • Cybersecurity risk appetite and tolerance defined by senior leadership and communicated to relevant personnel
  • Roles and responsibilities for cybersecurity documented — who is accountable for each element of the program
  • Cybersecurity integrated into board and management reporting — risks, incidents, and program status presented at least annually
Identify — Know Your Assets and Risks
  • Asset inventory current and maintained — hardware, software, data, and cloud services; reviewed at least annually
  • Data classification policy in place — NPI, confidential, internal, and public data identified and handled per classification
  • Regulatory obligations mapped to specific controls — each applicable requirement linked to the policy or technical control that satisfies it
  • Supply chain and third-party risks identified and included in the overall risk assessment process
Protect — Implement Safeguards
  • Access control framework implemented — authentication, authorization, and audit logging for all information systems
  • Endpoint protection deployed on all workstations, laptops, and servers — anti-malware, EDR, or equivalent; managed and monitored Critical
  • Patch management program in place; vulnerability disclosure and patching timelines defined by severity
  • Secure configuration standards applied to servers, workstations, cloud environments, and network devices
  • Data encryption applied to NPI and sensitive data in transit and at rest per regulatory requirements
  • Email security controls in place — anti-phishing, domain authentication (DMARC/DKIM/SPF), and email filtering
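Domain authentication is the one item in the list above that can be verified from the outside, and "records exist" is a weaker check than "records enforce". The following is an added example (not the issuer's code) that grades a sending domain's SPF, DKIM and DMARC records. The records are constructed strings; in production they come from DNS TXT lookups (for example `dns.resolver.resolve(name, "TXT")` from dnspython). The SPF lookup limit is RFC 7208's; the DKIM key-size check is a heuristic on DER length and is labelled as such.

```python
"""Grade SPF, DKIM and DMARC records for a sending domain.

Added example; records below are constructed, not real DNS data.
"""
import base64

SPF_LOOKUP_LIMIT = 10           # RFC 7208: more than 10 DNS-querying terms is a permerror
MIN_DKIM_KEY_DER_BYTES = 270    # heuristic: 2048-bit RSA SPKI is 294 bytes, 1024-bit is 162
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k=v' records (DMARC, DKIM) into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spf(record: str) -> list:
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record published"]
    findings = []
    terms = record.split()[1:]
    # Mechanism or modifier name, with qualifier (+ - ~ ?) and argument stripped.
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].lower() for t in terms]
    lookups = sum(1 for n in names if n in SPF_LOOKUP_TERMS)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms or all_terms[-1] in ("all", "+all"):
        findings.append("SPF: no restrictive 'all' mechanism; any host may send as the domain")
    elif all_terms[-1] == "~all":
        findings.append("SPF: softfail (~all); acceptable only with DMARC enforcement")
    return findings


def assess_dkim(record: str) -> list:
    if not record:
        return ["DKIM: no selector record published"]
    tags = parse_tags(record)
    if "p" not in tags:
        return ["DKIM: record has no p= public key tag"]
    if tags["p"] == "":
        return ["DKIM: key revoked (empty p=); signatures will fail"]
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except Exception:
        return ["DKIM: p= is not valid base64"]
    if len(der) < MIN_DKIM_KEY_DER_BYTES:
        return ["DKIM: key appears shorter than 2048 bits (heuristic on DER length)"]
    return []


def assess_dmarc(record: str) -> list:
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: no record published; spoofed mail is delivered"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none (monitor only); spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once aggregate reports are clean")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognised or missing policy p={policy!r}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; no aggregate reports to prove enforcement is safe")
    return findings


def assess_domain(spf: str, dkim: str, dmarc: str) -> list:
    return assess_spf(spf) + assess_dkim(dkim) + assess_dmarc(dmarc)


# Constructed records. The p= values are zero-filled placeholders of the same
# DER length as 2048-bit and 1024-bit RSA keys; they are not real keys.
GOOD_DOMAIN = (
    "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
    "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x00" * 294).decode(),
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
)
WEAK_DOMAIN = (
    "v=spf1 " + " ".join(f"include:{c}.example" for c in "abcdefghij") + " mx ~all",
    "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x00" * 162).decode(),
    "v=DMARC1; p=none",
)

if __name__ == "__main__":
    for label, recs in (("good", GOOD_DOMAIN), ("weak", WEAK_DOMAIN)):
        print(label, assess_domain(*recs) or ["no findings"])
```

The weak domain trips five findings: eleven lookup terms (a permerror that makes SPF fail open at many receivers), a softfail, a short DKIM key, a monitor-only DMARC policy, and no reporting address. A domain that passes this check still needs DKIM signing actually enabled on every sending service, which a DNS check cannot see.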
Detect — Monitor for Threats
  • Security monitoring capabilities deployed — log aggregation, SIEM, or equivalent alerting for suspicious activity
  • Log management: security-relevant logs retained for a minimum of one year; NYDFS covered entities retain audit trails designed to detect and respond to cybersecurity events for at least three years and records needed to reconstruct material financial transactions for at least five years (Section 500.6)
  • Vulnerability scanning on a regular schedule; results reviewed and tracked to remediation
  • Anomalous activity detection configured — alerts for account lockouts, privilege escalation, large data transfers, and off-hours access
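The four alert types in the last item are simple enough to state as rules, and an examiner will ask to see them firing rather than take the SIEM's existence on trust. The following is an added example (not the issuer's code) of those four rules run over a constructed JSON-lines audit stream; the business-hours window, the lockout burst threshold and the transfer size threshold are assumptions that a real deployment would tune to the firm.

```python
"""Four detection rules over a constructed JSON-lines audit stream.

Added example: off-hours logins, account-lockout bursts, privilege
escalation and large outbound transfers. Thresholds are assumptions.
"""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)                 # assumption: 07:00 to 18:59 local is normal
LOCKOUT_BURST = 5                        # assumption: 5 lockouts ...
LOCKOUT_WINDOW = timedelta(minutes=10)   # ... within 10 minutes is an alert
LARGE_TRANSFER_BYTES = 500 * 1024 ** 2   # assumption: 500 MiB outbound

# Constructed events, deliberately out of time order; not real logs.
SAMPLE_LOG = """
{"ts":"2025-03-04T09:15:00","user":"alice","event":"login","src":"10.0.0.5"}
{"ts":"2025-03-04T02:14:00","user":"bob","event":"login","src":"198.51.100.7"}
{"ts":"2025-03-04T10:00:00","user":"carol","event":"lockout","src":"10.0.0.9"}
{"ts":"2025-03-04T10:01:00","user":"carol","event":"lockout","src":"10.0.0.9"}
{"ts":"2025-03-04T10:02:00","user":"carol","event":"lockout","src":"10.0.0.9"}
{"ts":"2025-03-04T10:03:00","user":"carol","event":"lockout","src":"10.0.0.9"}
{"ts":"2025-03-04T10:04:00","user":"carol","event":"lockout","src":"10.0.0.9"}
{"ts":"2025-03-04T11:30:00","user":"dave","event":"privilege_change","detail":"added to Domain Admins"}
{"ts":"2025-03-04T12:00:00","user":"erin","event":"transfer","bytes":2147483648,"dest":"files.personal-cloud.example"}
{"ts":"2025-03-04T12:05:00","user":"alice","event":"transfer","bytes":4096,"dest":"files.corp.example"}
{"ts":"2025-03-04T14:00:00","user":"alice","event":"lockout","src":"10.0.0.5"}
{"ts":"2025-03-04T20:30:00","user":"frank","event":"login","src":"10.0.0.12"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines, convert timestamps, and sort so windows are computed in order."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Return a list of alerts, each {'rule', 'user', 'ts', 'detail'}."""
    alerts = []
    lockouts = defaultdict(deque)   # per-user timestamps inside the sliding window

    def alert(rule, e, detail):
        alerts.append({"rule": rule, "user": e["user"], "ts": e["ts"].isoformat(), "detail": detail})

    for e in events:
        kind = e["event"]
        if kind == "login":
            hour = e["ts"].hour
            if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
                alert("off_hours_login", e, f"login at {e['ts'].time()} from {e.get('src')}")
        elif kind == "lockout":
            window = lockouts[e["user"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > LOCKOUT_WINDOW:
                window.popleft()
            if len(window) >= LOCKOUT_BURST:
                alert("lockout_burst", e, f"{len(window)} lockouts within {LOCKOUT_WINDOW}")
                window.clear()   # one alert per burst, not one per extra lockout
        elif kind == "privilege_change":
            alert("privilege_escalation", e, e.get("detail", ""))
        elif kind == "transfer" and e.get("bytes", 0) >= LARGE_TRANSFER_BYTES:
            alert("large_transfer", e, f"{e['bytes']} bytes to {e.get('dest')}")
    return alerts


def summarize(alerts: list) -> Counter:
    """Alert counts per rule, the figure a monitoring report is built from."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(a["ts"], a["rule"], a["user"], a["detail"])
    print(dict(summarize(found)))
```

Over the sample stream the rules raise five alerts: two off-hours logins, one lockout burst (alice's single lockout does not qualify), one privilege escalation and one large transfer. Sorting before evaluation matters for the windowed rule; an out-of-order feed would otherwise split a burst across windows and miss it.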
Respond & Recover
  • Incident response plan documented, approved, and tested — assigned roles, escalation procedures, and notification timelines Critical
  • Regulatory notification timelines known and documented in the IRP: NYDFS within 72 hours of determining a cybersecurity incident occurred (24 hours for an extortion payment), Reg S-P customer notice no later than 30 days after becoming aware, FINRA and state breach-notification laws as required
  • Recovery time and recovery point objectives (RTO/RPO) defined for critical systems; achievable given backup and redundancy in place
  • Backup and recovery procedures tested at least annually — test results documented; backups confirmed restorable Critical
  • Lessons learned process conducted after incidents and tabletop exercises; findings used to update plans and controls
  • External incident response retainer in place with a qualified firm; engagement scope and notification procedures documented