New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 200 - VIRTUAL CURRENCIES
Section 200.16 - Cyber security program
Current through Register Vol. 45, No. 13, March 29, 2023
(a) Generally. Each Licensee shall establish and maintain an effective cyber security program to ensure the availability and functionality of the Licensee's electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering. The cyber security program shall be designed to perform the following five core cyber security functions:
(b) Policy. Each Licensee shall implement a written cyber security policy setting forth the Licensee's policies and procedures for the protection of its electronic systems and customer and counterparty data stored on those systems, which shall be reviewed and approved by the Licensee's board of directors or equivalent governing body at least annually. The cyber security policy must address the following areas:
(c) Chief Information Security Officer. Each Licensee shall designate a qualified employee to serve as the Licensee's Chief Information Security Officer ("CISO") responsible for overseeing and implementing the Licensee's cyber security program and enforcing its cyber security policy.
(d) Reporting. Each Licensee shall submit to the Department a report, prepared by the CISO and presented to the Licensee's board of directors or equivalent governing body, at least annually, assessing the availability, functionality, and integrity of the Licensee's electronic systems, identifying relevant cyber risks to the Licensee, assessing the Licensee's cyber security program, and proposing steps for the redress of any inadequacies identified therein.
(e) Audit. Each Licensee's cyber security program shall, at a minimum, include audit functions as set forth below.
(f) Application Security. Each Licensee's cyber security program shall, at minimum, include written procedures, guidelines, and standards reasonably designed to ensure the security of all applications utilized by the Licensee. All such procedures, guidelines, and standards shall be reviewed, assessed, and updated by the Licensee's CISO at least annually.
(g) Personnel and Intelligence. Each Licensee shall:
Adopted New York State Register June 24, 2015/Volume XXXVII, Issue 25, eff. 6/24/2015