Policy on Compliance with Cybersecurity Requirements of NYS Department of Financial Services
Statement of Policy
New York University and its affiliates (“NYU” or “University) are committed to safeguarding the privacy of the NYU community as well as protecting the confidentiality, integrity, and availability of information and systems that are important to the University’s mission. In connection with certain mortgage loans that NYU offers to its faculty and senior administrators as a recruitment and retention tool, NYU must comply with the Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Requirements”) promulgated by the NYS Department of Financial Services (“NYSDFS”). As required by the Cybersecurity Requirements, this Policy sets forth NYU’s minimum requirements to protect its Information Systems used in connection with NYU’s mortgage loan programs and Nonpublic Information (NPI) stored on those systems (as defined in Section 500.01 of the NYSDFS Cybersecurity Requirements).
To Whom This Policy Applies
This Policy applies to all University units and/or affiliates that work on the Program, which includes:
- Faculty Housing Office
- Office of General Counsel
- Office of the Controller
- New York University School of Law Foundation
NYSDFS CYBERSECURITY PROGRAM
To comply with the NYSDFS Cybersecurity Requirements, NYU performed a cybersecurity risk assessment and has designed a cybersecurity program (the “NYSDFS Cybersecurity Program”) that addresses the risks identified in such assessment as well as performs the following functions: identifies internal and external cybersecurity risks; protects the University’s Information Systems and the Nonpublic Information stored on those systems; enables the detection of cybersecurity events; responds to cybersecurity events; enables the recovery from cybersecurity events and the restoration of normal operations; and fulfills any applicable regulatory reporting requirements.
NYU’s Global University Chief Information Security Officer (“Global CISO”) will oversee the implementation of the NYSDFS Cybersecurity Program and enforce this Policy. The Global CISO shall designate a qualified individual in each affected unit or affiliate to create and carry out the Policy and may designate other individuals to coordinate particular elements of the NYSDFS Cybersecurity Program with the applicable unit or affiliate, such as:
- information security;
- data governance and classification;
- asset inventory and device management;
- access controls and identity management;
- business continuity and disaster recovery planning and resources;
- systems operations and availability concerns;
- systems and network security;
- systems and network monitoring;
- systems and application development and quality assurance;
- physical security and environmental controls;
- customer data privacy;
- third party service provider management;
- risk assessment; and
- incident response.
- monitoring and testing measures (e.g., continuous monitoring or periodic penetration testing and vulnerability assessments);
- audit trails;
- limited access privileges;
- risk-based monitoring of authorized users to help detect unauthorized access or use of, or tampering with, Nonpublic Information by such authorized users;
- periodic risk assessments of NYU’s Information Systems;
- utilization of qualified personnel to manage the core cybersecurity functions;
- written policies that warrant the security of Nonpublic Information that is accessible to or stored by third-party service providers and vendors;
- use of multi-factor authentication or equivalent effective access control;
- limited data retention;
- secure periodic or targeted covered information disposal;
- provision of regular cybersecurity awareness training;
- controls, including encryption, to protect Nonpublic Information transmitted by NYU over external networks or at rest; if not encryption, then a compensating control;
- written incident response plan to document internal processes for responding to cybersecurity events;
- report of cybersecurity events to the Superintendent not later than 72 hours from determination of the occurrence; and
- a report to the Superintendent annually by April 15th covering the prior calendar year1.
In addition, the Global CISO is responsible for reporting at least annually to NYU’s Board of Trustees on its cybersecurity posture and risks. Within the report, the Global CISO must consider the following to the extent applicable:
- the confidentiality of Nonpublic Information and the integrity and security of NYU’s Information Systems;
- NYU’s Cybersecurity policies and procedures;
- material cybersecurity risks to NYU;
- the overall effectiveness of NYU’s NYSDFS Cybersecurity Program; and
- material cybersecurity events involving NYU during the period addressed by the report.
The Global CISO will work with the Office of General Counsel to oversee and assist the affected units or affiliates as necessary to implement the NYSDFS Cybersecurity Program and this Policy. Questions regarding the NYSDFS Cybersecurity Program or this Policy should be directed to the Global CISO (OIS-Compliance@nyu.edu).
1. New York University and the New York University School of Law Foundation are considered separate “Covered Entities” under the Cybersecurity Requirements since each entity originates its own loans. As such, they are each required to file a separate Certification of Compliance to NYSDFS each year.
About This Policy
Effective Date Supersedes N/A Issuing Authority Vice President, Information Technology & Global University Chief Information Officer Responsible Officer Associate Vice President, NYU IT Global University Chief Information Security Officer