Statement of Policy

New York University (“NYU” or “University”) is committed to safeguarding the privacy of the NYU community as well as protecting the confidentiality, integrity, and availability of information and systems that are important to the University’s mission. In connection with a mortgage loan program (the “Program”) implemented by the University as a recruitment and retention tool, NYU may come into possession of Nonpublic Information related to its borrowers. The NYS Department of Financial Services (“DFS”) deems NYU to be a “Covered Entity” on account of the Program, and NYU must therefore implement a cybersecurity program (a “Cybersecurity Program”) and cybersecurity policy (“Cybersecurity Policy”) so that it is in compliance with the Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500, the “DFS Cybersecurity Requirements”).

To Whom This Policy Applies

This Policy applies to all University units that work on the Program. At this time, those units include:

  1. Faculty Housing Office
  2. Office of General Counsel
  3. Office of the Controller (in the Office of the Senior Vice President for Finance and Budget and Chief Financial Officer)


Capitalized terms utilized but not defined in this Policy will have the meanings set forth in the DFS Cybersecurity Requirements (PDF).

Cybersecurity Program and Cybersecurity Policy

To comply with the DFS Cybersecurity Requirements, NYU performed a cybersecurity risk assessment (a “Risk Assessment”) and has designed a Cybersecurity Program that addresses the risks identified in the Risk Assessment and performs the following functions: identifies internal and external cybersecurity risks; protects the University’s Information Systems and the Nonpublic Information stored on those systems; enables the detection of cybersecurity events; responds to cybersecurity events; enables the recovery from cybersecurity events and the restoration of normal operations; and fulfills any applicable regulatory reporting requirements.

NYU’s Global University Chief Information Security Officer (Global CISO) will oversee and implement the Cybersecurity Program and will approve, monitor, and enforce the implementation and maintenance of this Policy as required by DFS. The Global CISO shall designate a qualified individual in each affected University Unit to create and carry out the Policy and may designate other individuals to coordinate particular elements of the Program with the affected Unit. The Policy addresses the following items:

  • information security;
  • data governance and classification;
  • asset inventory and device management;
  • access controls and identity management;
  • business continuity and disaster recovery planning and resources;
  • systems operations and availability concerns;
  • systems and network security;
  • systems and network monitoring;
  • systems and application development and quality assurance;
  • physical security and environmental controls;
  • customer data privacy;
  • vendor and Third Party Service Provider management;
  • risk assessment; and
  • incident response.

In addition to Policy oversight noted above, the Global CISO or designee(s) shall retain responsibility for regulatory compliance of the Program, including the following areas as required by DFS:

  • annual penetration testing;
  • bi-annual vulnerability testing;
  • audit trails;
  • limited access privileges;
  • written procedures, guidelines, and standards;
  • periodic risk assessments of NYU’s information systems;
  • utilization of qualified personnel to manage the core cybersecurity functions;
  • direction and oversight of Third Party Providers who have access to or hold Nonpublic Financial Information covered by the Program;
  • use of multi-factor authentication or an equivalent effective access control;
  • limited data retention;
  • secure periodic or targeted covered information disposal;
  • implemented training program;
  • controls, including encryption, to protect Nonpublic Financial Information transmitted by NYU over external networks or at rest; if not encryption, then a compensating control;
  • written incident response plan;
  • report of cybersecurity events to the Superintendent not later than 72 hours from determination of the occurrence;
  • submit to the Superintendent annually by April 15th a report covering the prior calendar year;
  • report in writing at least annually to the Vice President, Information Technology and Global University CIO on NYU’s Cybersecurity Program and material cybersecurity risks. The Global University CISO shall consider to the extent applicable:
    • the confidentiality of Nonpublic Information and the integrity and security of NYU’s information systems;
    • NYU’s Cybersecurity Policy and procedures;
    • material cybersecurity risks to NYU;
    • overall effectiveness of NYU’s Cybersecurity Program; and
    • material cybersecurity events involving NYU during the time period addressed by the report.


The Global CISO will work with the Office of General Counsel and the other affected Units as necessary to implement the Program and this Policy including developing Policy directives to facilitate Policy requirements. Questions regarding the Program or this Policy should be directed to the Global CISO (  

  1. Dates of official enactment and amendments: Not Available
  2. History: Last Review: February 10, 2020. Last Revision: February 10, 2020.
  3. Cross References: N/A