Cybersecurity Tools for Small Businesses

The Department of Financial Services (DFS) recognizes that small businesses are the backbone of our economy. As doing business online becomes indispensable, it is essential that small businesses protect themselves and their customers from cybercrime.

To help small business improve their cybersecurity, DFS has partnered with the Global Cyber Alliance (GCA) to provide free cybersecurity resources. GCA has created a Cybersecurity Toolkit for Small Business (Toolkit) that contains a set of free tools, guidance, resources, and training for small businesses. It is targeted at small businesses that are too small to have a dedicated cybersecurity staff – for DFS-regulated entities, these are businesses that are so small as to be exempt from the requirement to have a Chief Information Security Officer pursuant to 23 NYCRR 500.19. DFS recognizes that cybersecurity can be especially challenging for small businesses and is committed to supporting small businesses as they address the risk of cybercrime.

Because governance is critical to effective cybersecurity, DFS also partnered with GCA to develop a set of sample cybersecurity policies based on cybersecurity best practices. These policies are designed to help small businesses install the governance and procedures necessary for effective cybersecurity. The sample policies provide a helpful starting point for all small businesses. The sample policies include:


All cybersecurity policies created by a business should be tailored to the business’s specific needs, risks, resources, and structure. Some businesses may require additional actions beyond those suggested in the sample policies; likewise, not every action suggested will be required for every business. Policies based only on the samples therefore may not constitute full compliance with state and federal laws and regulations, including DFS’s Cybersecurity Regulation. Best practices can also change over time. Businesses should review their policies for accuracy, completeness, and applicability, and update them as needed based on their risk assessments.

To access the Toolkit and sample policies, please visit Cybersecurity Toolkit.