Current through Register Vol. 45, No. 13, March 29, 2023
(a) Generally.
Each Licensee shall establish and maintain an effective cyber security program
to ensure the availability and functionality of the Licensee's electronic
systems and to protect those systems and any sensitive data stored on those
systems from unauthorized access, use, or tampering. The cyber security program
shall be designed to perform the following five core cyber security functions:
(1) identify internal and external cyber
risks by, at a minimum, identifying the information stored on the Licensee's
systems, the sensitivity of such information, and how and by whom such
information may be accessed;
(2)
protect the Licensee's electronic systems, and the information stored on those
systems, from unauthorized access, use, or other malicious acts through the use
of defensive infrastructure and the implementation of policies and
procedures;
(3) detect systems
intrusions, data breaches, unauthorized access to systems or information,
malware, and other Cyber Security Events;
(4) respond to detected Cyber Security Events
to mitigate any negative effects; and
(5) recover from Cyber Security Events and
restore normal operations and services.
(b) Policy. Each Licensee shall implement a
written cyber security policy setting forth the Licensee's policies and
procedures for the protection of its electronic systems and customer and
counterparty data stored on those systems, which shall be reviewed and approved
by the Licensee's board of directors or equivalent governing body at least
annually. The cyber security policy must address the following areas:
(1) information security;
(2) data governance and
classification;
(3) access
controls;
(4) business continuity
and disaster recovery planning and resources;
(5) capacity and performance
planning;
(6) systems operations
and availability concerns;
(7)
systems and network security;
(8)
systems and application development and quality assurance;
(9) physical security and environmental
controls;
(10) customer data
privacy;
(11) vendor and
third-party service provider management;
(12) monitoring and implementing changes to
core protocols not directly controlled by the Licensee, as applicable;
and
(13) incident
response.
(c) Chief
Information Security Officer. Each Licensee shall designate a qualified
employee to serve as the Licensee's Chief Information Security Officer ("CISO")
responsible for overseeing and implementing the Licensee's cyber security
program and enforcing its cyber security policy.
(d) Reporting. Each Licensee shall submit to
the Department a report, prepared by the CISO and presented to the Licensee's
board of directors or equivalent governing body, at least annually, assessing
the availability, functionality, and integrity of the Licensee's electronic
systems, identifying relevant cyber risks to the Licensee, assessing the
Licensee's cyber security program, and proposing steps for the redress of any
inadequacies identified therein.
(e) Audit. Each Licensee's cyber security
program shall, at a minimum, include audit functions as set forth below.
(1) Penetration testing. Each Licensee shall
conduct penetration testing of its electronic systems, at least annually, and
vulnerability assessment of those systems, at least quarterly.
(2) Audit trail. Each Licensee shall maintain
audit trail systems that:
(i) track and
maintain data that allows for the complete and accurate reconstruction of all
financial transactions and accounting;
(ii) protect the integrity of data stored and
maintained as part of the audit trail from alteration or tampering;
(iii) protect the integrity of hardware from
alteration or tampering, including by limiting electronic and physical access
permissions to hardware and maintaining logs of physical access to hardware
that allows for event reconstruction;
(iv) log system events including, at minimum,
access and alterations made to the audit trail systems by the systems or by an
authorized user, and all system administrator functions performed on the
systems; and
(v) maintain records
produced as part of the audit trail in accordance with the recordkeeping
requirements set forth in this Part.
(f) Application Security. Each Licensee's
cyber security program shall, at minimum, include written procedures,
guidelines, and standards reasonably designed to ensure the security of all
applications utilized by the Licensee. All such procedures, guidelines, and
standards shall be reviewed, assessed, and updated by the Licensee's CISO at
least annually.
(g) Personnel and
Intelligence. Each Licensee shall:
(1) employ
cyber security personnel adequate to manage the Licensee's cyber security risks
and to perform the core cyber security functions specified in Paragraph
200.16(a)(1)-(5);
(2) provide and
require cyber security personnel to attend regular cyber security update and
training sessions; and
(3) require
key cyber security personnel to take steps to stay abreast of changing cyber
security threats and countermeasures.
Adopted
New
York State Register June 24, 2015/Volume XXXVII, Issue 25,
eff.6/24/2015
