North Dakota Cybersecurity Requirements
Financial Services Firms, Mortgage Lenders, Brokers, Servicers, and Money Service Businesses
North Dakota's regulatory framework requires financial institutions to implement comprehensive cybersecurity programs that protect customer information through written policies, regular risk assessments, employee training, vendor oversight, and robust data protection measures. These requirements align with state consumer-protection laws, the North Dakota Century Code (NDCC), and federal GLBA standards to ensure the confidentiality, integrity, and availability of nonpublic personal information.
Important Disclaimer
The information provided on this page is for general informational purposes only. North Dakota cybersecurity regulations are complex and subject to change. We recommend reaching out to our team to confirm you have covered all applicable requirements for your operations in North Dakota.
Required Cybersecurity Program
Financial institutions licensed in North Dakota must maintain a comprehensive information security program that is appropriate to the size, complexity, and nature of their operations. This program serves as the foundation for protecting customer information and maintaining regulatory compliance.
Core Program Components
- Documented Cybersecurity Policies and Procedures: Written policies that clearly define security standards, responsibilities, and operational procedures for protecting customer information across all business functions
- Designated Security Oversight Individual: A qualified person or team responsible for developing, implementing, and maintaining the information security program, with clear authority and accountability
- Customer Information Protection Controls: Administrative, technical, and physical safeguards designed to protect customer information in accordance with North Dakota consumer-protection laws and regulatory expectations
- GLBA and NDCC Alignment: Security controls that meet or exceed federal Gramm-Leach-Bliley Act requirements and North Dakota Century Code provisions for safeguarding nonpublic personal information
Risk Assessment Requirements
Regulated entities must perform periodic cybersecurity and IT risk assessments to identify, evaluate, and address threats to customer information. These assessments form the basis for prioritizing security investments and implementing appropriate controls.
Assessment Scope and Requirements
- Threat Identification: Systematic identification of potential threats to customer information, including cyber attacks, insider threats, natural disasters, system failures, and human error
- Vulnerability Evaluation: Comprehensive assessment of internal and external system vulnerabilities, including network architecture, application security, access controls, and third-party connections
- Likelihood and Impact Assessment: Analysis of the probability that identified threats could exploit vulnerabilities and the potential business, operational, and customer impact of successful attacks
- Documentation and Remediation: Detailed documentation of assessment findings, risk ratings, and specific remediation actions with timelines and responsible parties assigned
Actionable Results Required
Risk assessments must meaningfully influence the company's cybersecurity policies, control implementations, and resource allocations. Regulators expect to see clear connections between identified risks and the security measures implemented to address them.
Employee Training Requirements
Institutions must implement ongoing security awareness training programs for all personnel to ensure employees understand their role in protecting customer information and can recognize and respond appropriately to security threats.
Training Program Components
- Customer Information Handling: Training on proper procedures for collecting, storing, transmitting, and disposing of customer information in compliance with privacy and security requirements
- Threat Awareness: Education on recognizing and responding to phishing attempts, social engineering tactics, suspicious emails, and other common attack vectors targeting financial institutions
- Access Control Responsibilities: Training on password security, multi-factor authentication, physical security, clean desk policies, and the importance of protecting authentication credentials
- Role-Based Training: Specialized training for individuals with elevated access privileges, including IT staff, administrators, and personnel handling sensitive customer data
- Annual Refreshers: Regular training updates to address emerging threats, policy changes, and lessons learned from security incidents, with documented participation records
Access Control & Authentication
North Dakota regulators expect financial institutions to implement strong access management controls that ensure only authorized individuals can access customer information and critical systems, with appropriate authentication mechanisms in place.
Access Control Standards
- Password Standards: Enforcement of strong password policies including minimum length, complexity requirements, regular expiration, and prohibition of password reuse across multiple accounts
- Multi-Factor Authentication: Implementation of MFA for access to sensitive systems, customer information databases, remote access, and administrative functions to prevent unauthorized access
- Least-Privilege Access Models: Granting users only the minimum access rights necessary to perform their job functions, with regular reviews to ensure access remains appropriate
- Termination and Offboarding Procedures: Immediate revocation of system access, credentials, and physical access when employees leave the organization or change roles, with documented verification
Vendor & Third-Party Oversight
Firms must evaluate and continuously monitor third-party service providers that have access to customer information or provide critical services. This oversight ensures that vendors maintain security standards consistent with the institution's own requirements.
Third-Party Management Requirements
- Due-Diligence Reviews: Comprehensive evaluation of potential vendors before engagement, including assessment of their cybersecurity capabilities, financial stability, business continuity plans, and regulatory compliance history
- Contractual Security Expectations: Written agreements that clearly define security requirements, data protection obligations, audit rights, incident notification procedures, and liability provisions
- Ongoing Monitoring: Regular assessment of vendor cybersecurity posture through security questionnaires, audit reports, penetration test results, and periodic reviews of their control environment
- Incident-Notification Provisions: Requirements for vendors to promptly notify the institution of any security incidents, breaches, or events that could impact customer information or service availability
Incident Response Requirements
Institutions must maintain a documented incident response plan that enables rapid, coordinated response to cybersecurity events. The plan should address detection, containment, investigation, recovery, and regulatory reporting obligations.
Incident Response Plan Components
- Roles and Responsibilities: Clear definition of incident response team members, their specific duties, decision-making authority, and escalation procedures for different types and severities of incidents
- Containment and Investigation Procedures: Step-by-step processes for isolating affected systems, preserving evidence, determining the scope and cause of incidents, and preventing further damage
- Communication Protocols: Guidelines for internal communication, customer notification, regulatory reporting, law enforcement coordination, and public relations management during and after incidents
- Recordkeeping and Audit Trails: Requirements for documenting all incident response activities, decisions made, actions taken, and lessons learned to support regulatory examinations and continuous improvement
- Regulatory Reporting Triggers: Clear criteria for determining when incidents must be reported to North Dakota regulators, particularly when customer data is exposed or operations are significantly disrupted
Data Protection & Technical Controls
North Dakota regulators expect financial institutions to implement comprehensive technical safeguards that protect customer information throughout its lifecycle, from collection through secure disposal.
Required Technical Safeguards
- Encryption Requirements: Implementation of strong encryption for sensitive data at rest (stored on servers, databases, and portable devices) and in transit (transmitted over networks or the internet)
- Secure System Configuration: Hardening of servers, workstations, and network devices by disabling unnecessary services, removing default accounts, and implementing security baselines
- Logging and Monitoring: Comprehensive logging of system activities, security events, and access to customer information, with active monitoring to detect anomalies and potential security incidents
- Patch Management: Timely application of security patches and updates to operating systems, applications, and firmware to address known vulnerabilities and reduce attack surface
- Network Security: Implementation of firewalls, intrusion detection/prevention systems, network segmentation, and secure remote access solutions to protect against external and internal threats
- Endpoint Protection: Deployment of anti-malware software, endpoint detection and response tools, and mobile device management solutions to protect workstations, laptops, and mobile devices
- Physical Security: Controls to restrict physical access to offices, server rooms, and equipment containing customer information, including locks, access cards, visitor logs, and surveillance systems
Examination Expectations
Financial institutions licensed in North Dakota are subject to periodic regulatory examinations that assess the effectiveness and completeness of their cybersecurity programs. These examinations evaluate compliance with GLBA requirements, state consumer-protection laws, and general supervisory expectations for information security.
During examinations, North Dakota regulators assess the quality and completeness of your cybersecurity program, including policy documentation, risk assessment methodology, employee training records, vendor oversight practices, incident response capabilities, and technical controls. Examiners look for evidence of continuous improvement, timely remediation of identified deficiencies, and alignment with GLBA and state consumer-protection requirements.
Institutions must maintain comprehensive documentation of all cybersecurity activities, including written policies and procedures, risk assessment reports, training completion records, vendor due diligence reviews, incident response logs, and evidence of board or management oversight. Documentation should demonstrate a systematic approach to information security and be readily available for regulatory review.
Regulators expect financial institutions to demonstrate ongoing enhancement of their cybersecurity posture through regular policy updates, incorporation of lessons learned from incidents or near-misses, adoption of emerging security technologies, and proactive response to evolving threat landscapes. Annual reviews and updates to security programs are considered best practice.
Preparation Is Key
Examiners expect to see evidence of a mature, well-documented cybersecurity program with clear accountability, regular testing, and continuous improvement. Institutions should maintain organized records and be prepared to demonstrate how their security controls address identified risks and comply with applicable regulations.
Maintaining Compliance in North Dakota
Financial institutions, mortgage lenders, brokers, servicers, and money service businesses operating in North Dakota must maintain robust cybersecurity programs that protect customer information and demonstrate compliance with state and federal requirements. These programs require ongoing attention, regular updates, and continuous improvement to address evolving threats and regulatory expectations.
By implementing comprehensive security controls, conducting regular risk assessments, training employees, overseeing vendors, and maintaining effective incident response capabilities, institutions can protect their customers, maintain regulatory compliance, and build trust in their operations. North Dakota regulators expect financial firms to take these obligations seriously and demonstrate a commitment to information security through documented policies, effective controls, and continuous program enhancement.
