Audit of the New York Public Library’s Emergency Preparedness

June 27, 2025 | SR24-083A

Table of Contents

    By Electronic Mail

    Anthony Marx
    President
    New York Public Library
    476 5th Avenue Suite 210
    New York, NY 10018

    Re: Audit of the New York Public Library’s Emergency Preparedness, SR24-083A

    Dear Mr. Marx:

    This Final Audit Letter Report concerns the New York City Comptroller’s audit of the New York Public Library’s Emergency Preparedness.

    Background

    The New York Public Library (NYPL) is a private non-profit organization with 92 locations across the Bronx, Manhattan, and Staten Island. Those locations include 88 neighborhood branch libraries and four research centers. NYPL’s mission is to “inspire lifelong learning, advance knowledge, and strengthen our communities” which it accomplishes, in part, by providing free and open access to materials and information. According to the Mayor’s Management Report, the NYPL served nearly 8 million visitors in Fiscal Year 2024.

    The Robert T. Stafford Disaster Relief and Emergency Assistance Act (the Stafford Act) is a federal law that allows libraries to receive disaster assistance if they provide critical services in the event of a major disaster. Both the Stafford Act and the American Library Association recognize the important role that libraries play in responding to disasters—in particular in providing information to the public.

    Given its established role in the community and borough-wide locations, NYPL is positioned to provide the public with information and to serve as an access point for services during emergencies. For example, during the COVID-19 pandemic, NYPL expanded its digital materials collection, offered virtual programming which included support for students, and provided grab-and-go services. NYPL branches also served as vaccination and testing sites and distributed free at-home test kits.

    The objective of this audit was to determine whether NYPL is adequately prepared to plan for and respond to emergencies, to ensure continuity of its operations and to serve the public during major disasters and other events.

    Findings

    The audit found that NYPL served the public in numerous ways during emergencies but needs to improve certain aspects of its emergency preparedness to ensure the continuity of operations.

    Serving the Public

    During the audit period, NYPL assisted during extreme heat and cold weather events. When the National Weather Service issues a heat advisory with a forecasted heat index of 95 degrees or higher for two or more days, or 100 degrees for any period, New York City opens cooling centers located in air-conditioned facilities. These locations are free and open to the public, such as libraries. From June through August 2024, heat emergencies were declared on 14 days. NYPL branches that were open for business generally served as cooling centers on those days.

    NYPL branches also served as a warm place for people to go on extremely cold days. The audit team visited nine branches on days when the outside temperature was below freezing and tested the inside temperature at various locations within each branch. Each of the branches provided adequate heat with temperatures ranging from 64.9 to 79.3 degrees.

    In addition, NYPL branch sites have free Wi-Fi at all locations. NYPL has separate Wi-Fi networks for staff, IT, and public use which may be used during emergencies. For the nine branches mentioned above, the audit team tested Wi-Fi connectivity and found it to be working.

    NYPL officials stated that library branches have been used as staging areas or command posts during emergency situations and may serve as temporary shelters for displaced individuals. Furthermore, officials stated that NYPL provided resources to support asylum seekers and refugees, on its own and in partnership with City agencies. This included providing English for Speakers of Other Languages and citizenship classes, conducting outreach at Humanitarian Emergency Response and Relief Centers, distributing bilingual welcome kits, and providing multilingual resources and materials and information on citizenship and services for immigrants, among other things.

    Emergency Preparedness

    NYPL has policies and procedures for both the Central Office and branch locations that address a range of emergency situations, including fire safety and evacuation plans, active shooter protocols, dealing with bomb threats or suspicious packages, active shooter/shelter in place situations, and guidelines for dealing with patrons’ emergencies, such as sickness, injury, or disruptive behavior. The Emergency Protocols Guide was prepared for the Central Office and serves as a guide for all library branches. In addition, the NYPL Safety, Security, and Orderly Conduct in The Library handbook applies to branch libraries and other NYPL locations. This handbook assists staff in designing safety and security plans for local, citywide, and national emergencies, among other things.

    NYPL also participates in the NYPD Shield program, which keeps private sector partners informed of situations in the City and receives borough-specific alerts from New York City Emergency Management (NYCEM). NYPL officials stated that alerts are then relayed to branches as needed. In an emergency, NYPL sends information and instructions, known as e-alerts, to staff via text message, email, and phone.

    In addition, NYPL maintains backup power capabilities at the Central Library and Stavros Niarchos Foundation Library in Manhattan, Allerton and Bronx Library Center in the Bronx, and Library Service Center (BookOps) in Queens.

    However, the audit revealed the following weaknesses regarding emergency preparedness, detailed below.

    Business Continuity, Disaster Recovery, and IT Incident Response Plans and Evidence of Plan Testing Not Provided

    NYPL did not provide the auditors with its Business Continuity Plan, Disaster Recovery Plan, or IT Incident Response Plan, or evidence that these plans were tested. According to the NYPL Business Continuity Policy which was originally issued in July 2023, the Business Continuity Plan establishes a framework for ensuring the continuation of critical business operations during and after a service disruption. It is a comprehensive operational plan that organizes recovery strategies by business function. According to NYPL, the purpose of this plan is to lessen the impact of events, protect assets and information, keep core services going, and recover quickly. The plan should be reviewed and tested at least annually.

    According to the NYPL Disaster Recovery Policy, which was originally issued in May 2023, the Disaster Recovery Program addresses the protection and recovery of NYPL IT services so that critical operations and services are recovered timely. The Disaster Recovery Plan is a detailed technical plan that outlines step-by-step procedures for restoring critical systems, applications, and infrastructure in the event of a disruption. The Plan must address business impact analysis, data backup and recovery, business resumption, administration and organization responsibilities, emergency response and operations, and training and awareness. The NYPL Disaster Recovery Policy states that the Disaster Recovery Plan must be tested, reviewed, and updated at least every other year. Further, the policy states that the “first review conducted at inception of this policy will be completed no later than 6/30/2024.”

    In addition, the IT Incident Response Plan establishes the process for identifying, responding to, and recovering from information technology (IT) and cybersecurity incidents. NYPL officials stated that this includes “escalation procedures, communications protocols, and coordination with breach counsel and external partners when necessary.”

    NYPL officials stated that the Business Continuity, Disaster Recovery, and IT Incident Response Plans were updated in June 2025. However, officials stated that they would not share these plans because they detail procedures for handling incidents and identify key resources who would be involved, and disclosing this information would pose a security risk.

    In addition, NYPL did not provide the audit team with documentation to show that plans were recently tested or test results. NYPL provided only a memo stating that five tabletop exercises were conducted between October 1, 2024 and January 13, 2025.

    During the audit, NYPL provided the team with only an initial draft of the IT Incident Response Plan dated 2023, and an incident response tabletop exercise report dated November 2023. This report identified areas for improvement, including accountability during cyber events, sharing critical updates and relevant details with targeted groups throughout the course of an incident, and risk management and data classification.

    The New York City Charter authorizes the Comptroller’s Office to obtain access to agency records, including confidential records with limited exceptions. The NYPL Business Continuity, Disaster Recovery, and IT Incident Response Plans do not fall within those exceptions. The Comptroller’s Office routinely reviews sensitive and confidential information, takes appropriate measures to safeguard records, and does not publicly disclose them.

    In its response, the NYPL stated that “[c]opies of the Plans and tabletop exercises reports were not provided to the Comptroller’s Office because these documents include specific roadmaps …for addressing cybersecurity threats and proprietary information regarding Library systems dependencies that, if accessed by a third party, would compromise the security of the Library,” but stated that it would make hard copies available for inspection.

    During the audit, the team repeatedly requested copies of NYPL’s Business Continuity, Disaster Recovery, and IT Incident Response Plans and tabletop exercises and informed NYPL that they were entitled to such records. However, NYPL failed to provide them. After the draft report was issued, NYPL offered to make plans and exercises available for inspection but did not allow the audit team sufficient time to review them. On June 24, 2025, NYPL officials scheduled a meeting with the audit team but allowed them only 30 minutes to review NYPL’s Cybersecurity Business Continuity Plan, IT Disaster Recovery Plan, IT Incident Response Plan, and a PowerPoint presentation regarding IT tabletop exercise scenarios. Given the limited time allotted for inspection, the audit team could not assess the adequacy of these plans. In addition, NYPL did not provide the team with evidence to show that plans were tested. Specifically, NYPL did not show the audit team tabletop exercise reports detailing test dates, participants, results, and areas identified for improvement, or associated recommendations for any of the five exercises that NYPL stated were conducted between October 1, 2024 and January 13, 2025.

    Furthermore, NYPL presented only a Cybersecurity Business Continuity Plan, IT Disaster Recovery Plan, and IT Incident Response. NYPL did not provide evidence that it has a broader Business Continuity Plan that outlines how it will function during or after an emergency, disaster, or other event, including accounting for and communicating with staff, assessing facilities and establishing standby locations, and continuing to operate or serve the public.

    Most Branches Did Not Conduct Annual Fire Drills as Required

    NYPL informed auditors that the Office of Environmental Health and Safety (OEHS) implemented a Fire Safety Program in August 2023. According to the Fire Drill Training Handout, each branch is required to conduct at least one fire drill annually, followed by a debriefing to review any challenges encountered and discuss opportunities for improvement. Branches are expected to maintain documentation for each drill, including the date, time, any deficiencies observed, and the corrective actions taken. In addition, branches must log their fire drills in an internal training platform. Based on NYPL’s fire drill tracking list, 70 (86.4%) of the 81 locations list did not conduct a fire drill during Calendar Year 2024.[1]

    NYPL officials stated that branches are asked to self-certify and report centrally, so the report they provided may not cover all fire drills at the branches. Without ensuring that branches conduct at least one fire drill a year, NYPL runs the risk that some branches may be unprepared in the event of an emergency requiring the evacuation of the branch.

    Sampled Branches Did Not Complete Emergency Preparedness Documents

    NYPL requires Branch Managers to complete a Life Safety/Physical Plant Survey each year. This document is completed under the guidance of NYPL Central Office Facilities and documents that a fire safety plan was completed and posted, evacuation drills were conducted semi-annually, emergency equipment is operable, emergency phone numbers are correct and posted, and staff are aware of the evacuation procedures.

    In addition, Branch Managers must complete a Location Security Plan and Checklist every two years at a minimum. These documents are completed under the guidance of NYPL Central Office Security. The Location Security Plan identifies key personnel and the assembly point in case of evacuation. Further, the Location Security Checklist documents that the Safety, Security, And Orderly Conduct in the Library policy and Location Security Plan were reviewed by all employees, and that the Location Life Safety/Physical Plant Survey and Internal and External Resource list were completed, among other things.

    For a sample of 17 branches, the audit team requested Life Safety/Physical Plant Surveys, Location Security Plan and Checklists, and Internal and External Resource lists from NYPL’s Central Office. NYPL provided all requested key documents for only eight (47.1%) sampled branches. NYPL submitted some but not all documents for seven branches and did not submit any documents for two branches.

    These are important documents that help libraries ensure they are adequately prepared in the event of an emergency. Since Branch Managers did not complete documentation, staff may not be prepared or adequately prepared to respond effectively in an emergency, potentially endangering staff and patrons and hindering coordinated response efforts. Regular completion, submission, and tracking of these documents are essential to ensuring a uniform and proactive approach to emergency preparedness across the NYPL system.

    In its formal written response, NYPL stated that the Comptroller’s Office may not have received emergency preparedness documents from the 17 cited branches because they requested documents directly from Branch Managers who typically do not respond to third-party requests.” In addition, NYPL stated that some Branch Managers had difficulty uploading documents to ShareFile. However, the audit team requested emergency preparedness documents from both the Central Office and Branch Managers. Further, the team advised managers that if they had difficulty uploading documents, they could submit them via email.

    Potential Communication Issues

    The audit team surveyed NYPL branch locations to determine whether the Central Office communicated existing policies and procedures to Branch Managers, provided training to staff, and ensured that key policies were implemented at the branch level. Of the 83 branches that are currently open, 17 (20.5%) did not respond to the survey.

    Of the 66 branches that did respond to the survey, 17 branches stated that the Central Office did not inform them of emergency alerts in their area. During the discussion of findings meeting, NYPL officials stated that branches are notified only of emergencies in their area that are expected to have a direct impact on branch operations. If an emergency occurs in the general vicinity of a branch but it is not anticipated to affect branch services of safety, an alert will not be sent.

    Resiliency and Flood Protection and Mitigation Measures

    NYPL has not implemented flood protection and mitigation measures at Aquilar, the only branch located in the 500-year floodplain. This branch is currently undergoing renovations, which include upgrades to the electrical and information technology systems, as well as the rehabilitation and reconstruction of the exterior masonry. However, NYPL officials informed the auditors that flood protection and mitigation measures, such as elevating electrical panels and IT infrastructure and floodproofing, will not be implemented.

    Recommendations

    To address the findings, the auditors recommend that NYPL should:

    1. Request that the Cybersecurity and Infrastructure Security Agency conduct an Infrastructure Survey Tool assessment to identify and document NYPL’s overall security and resilience. The Infrastructure Survey Tool is a web-based tool designed to assess and record a facility’s overall security and resilience.

    NYPL’s Response: NYPL agreed with this recommendation.

    1. Test, review, and update the Business Continuity Plan, Cybersecurity Plan, and IT Incident Response Plan on at least an annual basis.

    NYPL’s Response: NYPL agreed with this recommendation stating, “NYPL does test, review, and—if necessary—update these plans on an annual basis, with the latest review and update having taken place June 2025.”

    Auditor Comment: While the NYPL agreed with the recommendation and stated that it tests, reviews, and if necessary, updates these plans annually, it did not provide documentation to support that tests were conducted. Specifically, NYPL did not submit evidence detailing test dates, participants, results, or areas identified for improvement and associated recommendations.

    1. Consider implementing mesh Wi-Fi network which supports communications in hard-to-reach areas and can be used in emergency response communications.

    NYPL’s Response: NYPL disagreed with this recommendation stating, “NYPL’s central office and branches deploy a fiberoptic network connecting all locations.…..Mesh Wi-Fi (i.e., a decentralized network of buildings and homes that install rooftop antennas and routers to form a wide-area network) is not a practicable solution for emergency response communications.”

    Auditor Comment: We acknowledge that NYPL uses fiberoptic network; however, mesh Wi-Fi could serve as a supplementary solution to enhance connectivity in the event of a disruption to the primary network.  Therefore, the auditors urge NYPL to implement this recommendation.

    1. Ensure that annual drills are conducted for all NYPL locations.

    NYPL’s Response: NYPL agreed with this recommendation.

    1. Establish a centralized tracking and reporting system to ensure all branches submit their Location Security Plan, Location Security Checklist, Life Safety/Physical Plant Survey, and Internal and External Resources list.

    NYPL’s Response: NYPL agreed with this recommendation.

    1. Ensure that critical emergency alerts from NYCEM, including those related to public health, severe weather, and security events, are promptly relayed to all branch managers and staff.

    NYPL’s Response: NYPL agreed with this recommendation.

    1. Consider installing flood protection and mitigation measures at Aquilar Library due to its floodplain location.

    NYPL’s Response: NYPL agreed with this recommendation.

    Recommendations Follow-up

    Follow-up will be conducted periodically to determine the implementation status of each recommendation contained in this report. Agency reported status updates are included in the Audit Recommendations Tracker available here:

    https://comptroller.nyc.gov/services/for-the-public/audit/audit-recommendations-tracker/

    Scope and Methodology

    We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). GAGAS requires that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions within the context of our audit objectives. This audit was conducted in accordance with the audit responsibilities of the City Comptroller as set forth in Chapter 5, §93, of the New York City Charter.

    As required under New York State law, the Comptroller sits on the NYPL’s Board of Trustees through a representative and is one of the Board’s four ex-officio members. In conjunction with the appointed trustees, these ex-officio members comprise the Board of the NYPL. Neither the Comptroller nor his representative on the Board were involved in the audit process.

    The scope period of this audit was Calendar Year 2023 until June 3, 2025. The methodology for this audit consisted of the following steps; specifically, the auditors:

    • Conducted an interview with NYPL’s Vice President for Government and Community Affairs, Senior Director of Security, and Manager of Government Grants and Aid to gain an understanding of how the NYPL prepares for emergencies at the branch and centralized level, how NYPL develops emergency plans, and how information is shared with the branches, as well as how NYPL assists the City in wider-scale emergency situations.
    • Obtained NYPL policies and procedures related to emergency preparedness, with regards to planning for and responding to emergencies, ensuring the continuity of operations, and serving the public during major disasters and other events.
    • Developed a checklist of potential emergencies NYPL may need to plan for at both the central library and branch locations. In addition, auditors reviewed existing NYPL policies and procedures to assess whether they adequately address the identified areas of concern.
    • Documented NYPL branch sites that were used as cooling centers during heat emergencies, and checked against the NYPL website to ensure locations that were closed according to the website were not included on the listing of cooling centers.
    • Visited sampled NYPL branch sites during cold weather to determine whether the sites had adequate heat. Auditors also tested the Wi-Fi connections at these sampled sites.
    • Developed and sent a survey to NYPL branches to solicit feedback concerning policies at the branch and to request their Location Security Plan, Location Security Checklist, Life Safety/Physical Plant Survey, and Internal and External Resources list.
    • Summarized the Location Security Plan, Location Security Checklist, Life Safety/Physical Plant Survey, and External Resources lists received from the branches that responded to the survey. Also requested that NYPL provide these forms for the branches that did not reply to the survey.
    • Summarized results of the branch survey and shared with NYPL Central.

    The results of the above tests provide a reasonable basis for the audit team to determine whether NYPL is adequately prepared to plan for and respond to emergencies, to ensure continuity of its operations, and to serve the public during major disasters and other events.

    Preliminary results of this audit were discussed with NYPL officials on June 3, 2025. On June 13, 2025, a Draft Audit Letter Report was submitted to NYPL with a request for written comments. Our office received a written response from NYPL dated June 23, 2025. In its response, NYPL agreed with six of the recommendations and disagreed with one, stating “NYPL intends to, as practicable, address the recommendation and findings of the Comptroller’s Audit”. The full text of NYPL’s response is attached to this report as an addendum.

    Sincerely,

    Maura Hayes-Chaffe

    c: George Mihaltses, Vice President, Government & Community Affairs
    Iris Weinshall, Chief of Operation Officer
    Donald Campbell, Senior Director of Security
    Jean-Claude Lebec, Director, Mayor’s Office of Risk Management and Compliance
    Douglas Giuliano, Deputy Director, Audit Management, Mayor’s Office of Risk Management and Compliance

    Footnotes

    [1] During Calendar Year 2024, 81 NYPL locations were open for the full year and 11 locations were closed for all or part of the year for renovations.

    Addendum

    See attachment.

    $294.61 billion
    Jun
    2025