The New York Department of Financial Services Cares About Your Asset Inventory and Retention Practices
- awcollison8
- Jan 12
- 2 min read

The New York Department of Financial Services (NYDFS) has made it clear through both regulation and enforcement that organizations cannot manage, secure, or certify what they cannot see. Asset inventories and documented retention practices are no longer administrative exercises — they are foundational components of cybersecurity governance, executive accountability, and regulatory trust.
Recent NYDFS consent orders demonstrate that these expectations are not theoretical. Most recently, in October 2025, eight auto insurance companies agreed to pay more than USD 19 million in aggregate penalties for violations of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500), reflecting deficiencies in cybersecurity programs and controls protecting nonpublic information.
NYDFS is evaluating how governance frameworks operate in practice, not just how they are documented. Executives should assume that NYDFS examiners will not simply ask whether policies exist — they will ask how those policies are implemented, enforced, and evidenced.
Can you produce a current, complete asset inventory?
Organizations should expect NYDFS examiners to request a documented inventory of information systems and data repositories, including on-premises environments, cloud services, third-party platforms, and business-managed applications. Part 500 itself now makes this explicit: Section 500.13(a), added by the November 2023 amendment, requires a written asset inventory, alongside the longstanding secure-disposal requirement in Section 500.13(b). Inventories should clearly identify system ownership, data classifications, and lifecycle attributes such as retention category and last-activity date.
NYDFS enforcement activity has repeatedly highlighted situations where systems containing nonpublic information were excluded from formal inventories and, as a result, fell outside established security monitoring, risk assessment, and disposal controls. An incomplete inventory is not a documentation issue — it is a governance failure.
How do you enforce your retention schedule across systems?
NYDFS expects organizations to demonstrate that retention schedules are operationally enforced, not merely written. This includes showing how systems and repositories are mapped to retention categories and how exceptions — such as legal holds or regulatory retention requirements — are managed.
Across enforcement matters, NYDFS has treated reliance on “paper policies” without technical or procedural enforcement as a control weakness, particularly where over-retention expanded the exposure of nonpublic information during cybersecurity incidents.
How do you verify secure disposal occurs in accordance with retention requirements?
Examiners may request evidence of deletion and disposal processes, including validation controls and audit trails confirming that nonpublic information is disposed of when it is no longer required to be retained.
NYDFS scrutiny increasingly focuses on whether secure disposal practices are tested, logged, and periodically reviewed, rather than assumed — especially in environments such as email, cloud storage, and legacy systems where data can quietly accumulate over time.
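The two questions above, enforcing a retention schedule across systems and proving disposal happened, are the ones most likely to be answered with a "paper policy". The following is an added illustration, not code from the article and not an NYDFS requirement or template, of what technical enforcement can look like: an inventory is reconciled against a retention schedule and active legal holds to produce a disposal-due list, the records that cannot be mapped are surfaced as inventory gaps rather than silently skipped, and each completed disposal yields a hash-sealed audit entry that can be handed to an examiner. The inventory fields, retention categories, retention periods, system names, and the evaluation date are all constructed for the example.

```python
from datetime import date, timedelta
import hashlib
import json

# Constructed sample data for the example (not taken from any NYDFS matter).
# Retention periods are illustrative, not regulatory values.
RETENTION_DAYS = {
    "claims-records": 7 * 365,
    "marketing-leads": 2 * 365,
    "mailbox": 3 * 365,
}

# Systems under an active legal hold: expired data must be retained, not disposed of.
LEGAL_HOLDS = {"claims-archive-2017"}

# Minimal inventory: every record that holds nonpublic information (NPI)
# carries an owner, a retention category, and the date of its newest record.
INVENTORY = [
    {"system": "claims-archive-2017", "owner": "claims-ops", "npi": True,
     "retention_category": "claims-records", "last_record_date": "2017-06-30"},
    {"system": "crm-leads", "owner": "marketing", "npi": True,
     "retention_category": "marketing-leads", "last_record_date": "2022-01-15"},
    {"system": "shared-mailbox-legacy", "owner": None, "npi": True,
     "retention_category": None, "last_record_date": "2019-03-01"},
    {"system": "policy-admin", "owner": "underwriting", "npi": True,
     "retention_category": "claims-records", "last_record_date": "2024-11-20"},
]

# Constructed evaluation date so the example output is deterministic.
AS_OF = date(2026, 1, 12)


def classify_inventory(inventory, schedule, holds, today):
    """Reconcile the inventory against the retention schedule.

    Returns four buckets of system names: 'due' (past retention, no hold),
    'held' (past retention but under legal hold), 'within_retention', and
    'gaps' (no owner or no mappable retention category). A gap is reported,
    never ignored, because an unmapped NPI store is exactly what falls
    outside disposal controls.
    """
    result = {"due": [], "held": [], "within_retention": [], "gaps": []}
    for rec in inventory:
        category = rec["retention_category"]
        if rec["owner"] is None or category not in schedule:
            result["gaps"].append(rec["system"])
            continue
        newest = date.fromisoformat(rec["last_record_date"])
        expiry = newest + timedelta(days=schedule[category])
        if expiry > today:
            result["within_retention"].append(rec["system"])
        elif rec["system"] in holds:
            result["held"].append(rec["system"])
        else:
            result["due"].append(rec["system"])
    return result


def disposal_evidence(system, performed_by, post_disposal_count, today):
    """Build an audit entry for a completed disposal.

    'verified' is only true when a post-disposal query of the repository
    returned zero remaining records; the entry is sealed with a SHA-256 over
    its canonical JSON so later tampering with the record is detectable.
    """
    entry = {
        "system": system,
        "action": "secure-disposal",
        "performed_by": performed_by,
        "date": today.isoformat(),
        "post_disposal_record_count": post_disposal_count,
        "verified": post_disposal_count == 0,
    }
    canonical = json.dumps(entry, sort_keys=True).encode()
    entry["sha256"] = hashlib.sha256(canonical).hexdigest()
    return entry


def verify_evidence(entry):
    """Recompute the seal over an audit entry; False if any field was altered."""
    body = {k: v for k, v in entry.items() if k != "sha256"}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return digest == entry.get("sha256")


if __name__ == "__main__":
    buckets = classify_inventory(INVENTORY, RETENTION_DAYS, LEGAL_HOLDS, AS_OF)
    print(json.dumps(buckets, indent=2))
    for system in buckets["due"]:
        # In practice the count comes from querying the repository after deletion.
        evidence = disposal_evidence(system, "records-mgmt", 0, AS_OF)
        print(json.dumps(evidence, indent=2), "valid:", verify_evidence(evidence))
```

Run against the constructed data, the reconciliation puts crm-leads on the disposal-due list, keeps claims-archive-2017 because of its legal hold, and reports shared-mailbox-legacy as a gap (no owner, no retention category) rather than letting it drop out of scope. The audit entry records the post-disposal verification count, not just that a job ran, which is the distinction between assumed and evidenced disposal the paragraph above draws.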
Why This Matters
NYDFS enforcement activity reflects a clear and consistent theme: effective cybersecurity compliance depends on visibility, governance, and execution. Asset inventories, retention schedules, and secure disposal practices are no longer peripheral compliance tools — they are central to how regulators assess risk management maturity and executive accountability.
For financial organizations doing business in New York, the message is straightforward: If you cannot clearly identify what information you have, where it resides, how long it is retained, and how it is securely disposed of, NYDFS will view that as a material control gap — regardless of how polished your policies may appear.