Section 500.09

Risk Assessment Template

A comprehensive template to help you conduct and document cybersecurity risk assessments that meet NY DFS 23 NYCRR 500.09 requirements.

Template Includes:

  • Asset inventory worksheet
  • Threat catalog with descriptions
  • Vulnerability checklist
  • Risk scoring matrix (5x5)
  • Control assessment worksheet
  • Remediation tracking template
  • Executive summary template
  • Auditor-ready documentation format

Section 500.09 Requirements

500.09(a)

Periodic risk assessment

Conduct periodic risk assessments of information systems sufficient to inform the design of the cybersecurity program.

500.09(b)(1)

Asset identification

Identify and assess internal and external cybersecurity risks to the security of nonpublic information.

500.09(b)(2)

Control assessment

Assess adequacy of existing cybersecurity controls in light of identified risks.

500.09(b)(3)

Documentation

Document the risk assessment including the criteria for evaluating risks and controls.

What's in the Template

Asset Inventory

Identify and categorize all information systems, data, and assets

  • Hardware inventory (servers, workstations, mobile devices)
  • Software inventory (applications, operating systems)
  • Data classification (nonpublic information, PII, financial data)
  • Network infrastructure and topology

Threat Identification

Document potential threats to your information systems

  • External threats (hackers, malware, ransomware)
  • Internal threats (employees, contractors)
  • Natural disasters and environmental risks
  • Third-party and supply chain risks

Vulnerability Assessment

Identify weaknesses that could be exploited

  • Technical vulnerabilities (unpatched systems, misconfigurations)
  • Process weaknesses (lack of procedures, inadequate controls)
  • Human factors (training gaps, social engineering susceptibility)
  • Physical security gaps

Risk Analysis

Evaluate the likelihood and impact of identified risks

  • Likelihood scoring (1-5 scale)
  • Impact scoring (financial, operational, reputational)
  • Risk level calculation (likelihood × impact)
  • Risk prioritization matrix

Control Assessment

Document existing controls and their effectiveness

  • Preventive controls (firewalls, access controls, encryption)
  • Detective controls (monitoring, logging, alerts)
  • Corrective controls (incident response, backup/recovery)
  • Control effectiveness ratings

Remediation Planning

Plan actions to address identified risks

  • Risk treatment options (accept, mitigate, transfer, avoid)
  • Remediation actions and timelines
  • Resource requirements and responsibilities
  • Residual risk after treatment
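The scoring described under Risk Analysis and Remediation Planning (1-5 likelihood and impact, risk level = likelihood × impact, prioritization, residual risk after treatment) can be made concrete in a small risk register. The following is an added example, not the template's own code or worksheet: the band thresholds, the residual-risk rule (mitigation lowers likelihood, transfer lowers impact, avoidance removes the risk, acceptance leaves it unchanged) and the sample entries are assumptions chosen for illustration.

```python
"""Added example (not the template's own code): a minimal risk register that
applies 5x5 likelihood x impact scoring, bands the product into risk levels,
prioritizes, and estimates residual risk after treatment. Band thresholds and
the residual-risk rule are assumptions, not part of the regulation."""
from dataclasses import dataclass
from typing import List

TREATMENTS = ("accept", "mitigate", "transfer", "avoid")

# Assumed banding of the 1..25 product into levels; tune to your risk tolerance.
LEVEL_BANDS = ((4, "Low"), (9, "Medium"), (14, "High"), (25, "Critical"))


def _check_scale(value: int, name: str) -> int:
    """Enforce the 1-5 scale so malformed worksheet entries fail loudly."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"       # one of TREATMENTS
    control_effectiveness: int = 0  # 0..4 points the chosen control removes (assumed scale)

    def __post_init__(self) -> None:
        _check_scale(self.likelihood, "likelihood")
        _check_scale(self.impact, "impact")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of {TREATMENTS}")
        if not 0 <= self.control_effectiveness <= 4:
            raise ValueError("control_effectiveness must be 0..4")


def inherent_score(risk: Risk) -> int:
    """Risk level calculation from the template: likelihood x impact."""
    return risk.likelihood * risk.impact


def risk_level(score: int) -> str:
    """Map a 0..25 score onto a named band (0 means the risk was avoided)."""
    if score == 0:
        return "Eliminated"
    for ceiling, name in LEVEL_BANDS:
        if score <= ceiling:
            return name
    raise ValueError(f"score out of range: {score}")


def residual_score(risk: Risk) -> int:
    """Assumed residual-risk rule: mitigation lowers likelihood, transfer
    lowers impact, avoidance removes the risk, acceptance changes nothing.
    Neither factor drops below 1 while the asset is still in service."""
    if risk.treatment == "avoid":
        return 0
    likelihood, impact = risk.likelihood, risk.impact
    if risk.treatment == "mitigate":
        likelihood = max(1, likelihood - risk.control_effectiveness)
    elif risk.treatment == "transfer":
        impact = max(1, impact - risk.control_effectiveness)
    return likelihood * impact


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first; ties broken alphabetically by asset."""
    return sorted(register, key=lambda r: (-inherent_score(r), r.asset))


def heat_map(register: List[Risk]) -> List[List[int]]:
    """5x5 matrix of counts: rows = likelihood 1..5, columns = impact 1..5."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        grid[r.likelihood - 1][r.impact - 1] += 1
    return grid


# Constructed sample register (illustrative values, not real findings).
SAMPLE_REGISTER = [
    Risk("Customer DB", "Ransomware", 4, 5, "mitigate", control_effectiveness=2),
    Risk("Email server", "Phishing", 5, 3, "mitigate", control_effectiveness=1),
    Risk("Branch office", "Flood", 1, 4, "transfer", control_effectiveness=3),
    Risk("Legacy app", "Unpatched software", 3, 3, "avoid"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        inherent, residual = inherent_score(r), residual_score(r)
        print(f"{r.asset:14} {r.threat:19} inherent={inherent:2} ({risk_level(inherent)}) "
              f"residual={residual:2} ({risk_level(residual)})")
    for row in heat_map(SAMPLE_REGISTER):
        print(row)
```

Keeping the scale check in `Risk.__post_init__` matters for the "consistent methodology" practice below: a register that silently accepts a likelihood of 7 or an impact of 0 produces scores that cannot be compared across assessments, and auditors will notice the inconsistency before you do.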

Risk Assessment Best Practices

Conduct Annually (Minimum)

Review and update your risk assessment at least annually, or whenever material changes occur to your environment.

Involve Key Stakeholders

Include IT, security, compliance, legal, and business unit leaders in the assessment process.

Use Consistent Methodology

Apply the same risk scoring criteria across all assessments for meaningful comparison over time.

Document Everything

Keep detailed records of findings, decisions, and rationale. Auditors will ask for this.

Track Remediation

Create action items for identified risks and track them to completion.

Report to Leadership

Present findings to senior management and the board. This is required under 500.04.

Important Note

This template is a starting point. Your risk assessment should be tailored to your organization's specific:

  • Business operations and industry
  • Technology environment
  • Data types and volumes
  • Regulatory requirements
  • Risk tolerance

Consider working with a qualified risk assessment professional for your initial assessment.

Automate Your Risk Assessments

Buffalo Sentinel includes built-in risk assessment tools with automated evidence collection and continuous monitoring.