The New York State Department of Financial Services (DFS) today announced a partnership with the non-profit Global Cyber Alliance (GCA) to bring a free cybersecurity toolkit to small businesses, including those in financial services. The COVID-19 pandemic has required many small businesses to move online, from working remotely to selling on the internet. As New York builds back better, it is essential that small businesses protect themselves and their customers from cybercrime.

Cybersecurity is a major challenge for all organizations, and it can be especially challenging for businesses that are too small to have a dedicated Chief Information Security Officer and cybersecurity staff. According to the 2019 Verizon Data Breach Investigation report, more than 43% of cyberattacks are targeted at small businesses.

Together, these resources will help small businesses protect themselves and their customers from this growing cyber threat. The areas covered in the free cybersecurity toolkit include identifying hardware and software, updating defenses against cyber threats, strengthening passwords and multi-factor authentication, backing up and recovering data, and protecting email systems.

“DFS is committed to supporting small businesses that are the backbone of the economy,” said Superintendent of Financial Services Linda A. Lacewell, co-chair of the New York State Cybersecurity Advisory Board. “As small businesses adapt to the new demands of doing business online, they need to have the tools to guard against cybercrime. This toolkit provides free resources for small businesses to bolster their cybersecurity.”

DFS is pleased to work with GCA on this toolkit to offer free operational tools and educational resources that help small businesses reduce cyber risk and implement the fundamentals of cybersecurity – often referred to as “cyber hygiene.” Because governance is critical to effective cybersecurity, DFS also partnered with GCA to develop a set of sample cybersecurity policies based on cybersecurity best practices. These policies are designed to help small businesses install the governance and procedures necessary for effective cybersecurity. They include a risk assessment and a sample third-party service provider policy, among others. Small businesses should review the tools and sample policies and to adapt them to their specific business risks and operations, including to comply with any applicable state and federal laws.

“Small businesses are a vital part of society, and small and medium sized financial institutions provide banking, insurance and financial services to millions. Small financial institutions also face the same threat as large ones, but with fewer resources,” said Global Cyber Alliance CEO and member of the New York State Cybersecurity Advisory Board Philip Reitinger. “GCA is pleased to partner with DFS to provide additional information and resources to strengthen the cybersecurity and enhance the cyber resilience of small and medium-sized financial entities. In addition, the new resources being provided are just as useful to any small business, even if it doesn't offer financial services. I applaud DFS for leading by example, and providing not only necessary requirements but also help in meeting those requirements.”

The free cybersecurity toolkit for small businesses and the DFS-developed sample cybersecurity policies can be found on the DFS website.

The Department's Cybersecurity Regulation became effective in March 2017.  The Cybersecurity Regulation was drafted with substantial industry input: DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of those surveyed and cybersecurity experts during the drafting period, and granted two rounds of notice and comment. Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019.  The Regulation grants particular exemptions for smaller businesses.

DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, and the National Association of Insurance Commissioners (NAIC).