Risk Analysis Form

Cybersecurity Self-Assessment

Important Disclaimer

This self‑assessment is intended for a preliminary overview. The information provided is for informational and planning purposes. Results are preliminary and based solely on the data you submit. They may not represent full compliance with NY DFS (23 NYCRR 500), NIST, CIS, or other applicable standards, and do not constitute legal, regulatory, accounting, or cybersecurity advice.

For a detailed cybersecurity assessment, NIST gap analysis, and a prioritized remediation plan, contact our team.

By proceeding with this self-assessment, you acknowledge and agree to the above terms.

Your Information

Please provide your contact details to receive your assessment results.

Full Name *

Email Address *

Phone Number *

Organization *

DFS Requirements

Let's determine if you qualify for a full or limited exemption from DFS's Cybersecurity Regulation.

How to answer:

Yes = in place and working

No = not in place

DFS1: Are you a covered entity, an employee, agent, wholly owned subsidiary, representative, or designee of another DFS-regulated business whose Cybersecurity Program covers you?

Cybersecurity Self‑Assessment

Let's determine your cybersecurity risk profile.

How to answer:

Yes = in place and working

Partial = underway or inconsistent

No = not in place

Unsure = don't know

Q1: Do you keep an up-to-date list of all devices that can connect to your network?

Q2: Do you keep an up-to-date list of all software/apps in use (including cloud/SaaS)?

Q3: Is sensitive data (e.g., consumer/health/financial/student) identified and labeled?

Q4: Is sensitive data protected (encryption in transit/at rest; access on least-privilege)?

Q5: Do you have defined retention rules and secure disposal for data you no longer need?

Q6: Are systems configured to a secure baseline and kept patched (OS & apps)?

Q7: Do all admins use separate admin accounts, and is MFA required for admin/remote/cloud access?

Q8: Are dormant/unused accounts found and disabled promptly?

Q9: Do you centrally collect and review security logs, with enough storage retained?

Q10: Are anti-malware/EDR tools deployed and auto-updated on endpoints/servers?

Q11: Do you filter risky web/DNS traffic and restrict to supported browsers/email clients?

Q12: Are backups automated, tested, and include an offline/isolated copy?

Q13: Do you maintain an inventory of critical vendors and assess their cyber risk?

Q14: Do staff receive regular security awareness training and phishing simulations?

Q15: Do you have named incident handlers, current contact lists, and a simple reporting process?

Q16: Do you run an external penetration test at least annually?

Calculating your risk assessment...

Risk Analysis Form

Cybersecurity Self-Assessment

Important Disclaimer

Your Information

Regulatory Requirements

How to answer:

DFS Requirements

How to answer:

Cybersecurity Self‑Assessment

How to answer: