Preparing a Cybersecurity Program for an Audit

In the financial industry, regulators such as the Federal Financial Institutions Examination Council (FFIEC), the New York State Department of Financial Services (NYSDFS), the Financial Industry Regulatory Authority (FINRA) and the U.S. Securities and Exchange Commission (SEC) require firms to implement strong cybersecurity programs, policies, and controls.

1. What Happens If We Don’t Follow Regulations?

Failure to comply can result in massive financial penalties for your organization. Failing to comply with FFIEC guidelines can result in penalties totaling $2 million. In 2018, NYSDFS issued a $1.8 million fine to a New York State insurance company that failed to implement multi-factor authentication, an explicit control required by 23 NYCRR 500.12(b).

Even with multi-factor authentication, breaches can occur and must be reported to agencies within 72 hours. Failure to report cybersecurity events can result in heavy fines. NYSDFS issued a $1.5 million fine to Residential Mortgage for failing to meet notification requirements after an employee’s email mailbox was breached.

The risk of a breach significantly increases when an organization fails to implement cybersecurity controls, policies, and monitoring. Companies such as Equifax, Experian, and First American Financial have all suffered data breaches resulting in tarnished reputations and exposed customer PII (personally identifiable information).

In addition, under 23 NYCRR 500.17(a)(2), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”

What is required to roll out a Cybersecurity program, and how long will it take?

A strong cybersecurity program consists of information security policies, controls, assessments, procedures, IT system monitoring, and annual employee training. Secure247+ identifies which regulatory requirements your existing IT infrastructure does not yet meet and builds a cyber-program to identify, control, monitor, and mitigate risks.

The roll-out of a cybersecurity program is a gradual process that involves reviewing risk assessments and security baselines, mapping out a plan of action with your internal IT department or senior management, and deploying solutions that work. Learn more about how we can improve your IT security posture within 6 months at https://securendsolution.com/cyber

Some controls your end-users may require:

  • The ability to log in to applications using their work email and password (SSO)
  • The need to approve a push prompt before logging into services that contain PII/sensitive data (MFA)
  • The requirement to RDP into their office machine from home or enroll in a company portal (MDM + VPN)

What will be the controls and what will change in my office? How will this impact workflow?

The controls implemented will depend on your industry’s specific regulatory requirements. For example, NYS business owners in the financial industry must enforce Multi-Factor Authentication, an explicit control of 23 NYCRR 500. Typically, end users will see restrictions on where and how they can log in to their company email or office PC. Our team deploys software that affects end users’ day-to-day workflow in small batches, and our helpdesk staff is available 24/7 to assist your employees with their personal devices (such as logging in from home and accessing email on their phone).

Want to learn more about our approach to high-level monitoring and how we can identify and protect your network? Check out our Secure247+ Cybersecurity Program.

Utilizing qualified cybersecurity personnel or a qualified third party to address cybersecurity risks such as the Log4j vulnerability is a commonly overlooked requirement when adopting a cybersecurity program. This provider should deliver cybersecurity training to your employees, be alerted to unauthorized login attempts on IT systems, and implement risk-based policies to control or limit access to nonpublic information.

What should I be looking for in my Cyber Program or Provider?

  • Annual cybersecurity training for employees
  • Email alerts or notifications of new cyber vulnerabilities and threats
  • Least-privilege access rights on all IT systems
  • Monitoring for login attempts and excessive failures
  • Their employees using MFA to access your systems, firewall, administrator accounts, or network

Are You Audit Ready?

We can increase your cybersecurity stance before an audit occurs.