New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.17 - Notices to Superintendent
Universal Citation: 23 NY Comp Codes Rules and Regs § 500.17
Current through Register Vol. 46, No. 39, September 25, 2024
(a) Notice of cybersecurity incident.
(1) Each covered entity shall notify the superintendent electronically in the form set forth on the department's website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.
(2) Each covered entity shall promptly provide to the superintendent any information requested regarding such incident. Covered entities shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable.
(b) Notice of compliance.
(1) Annually each covered entity shall submit to the superintendent electronically by April 15 either:
(i) a written certification that:
(a) certifies that the covered entity materially complied with the requirements set forth in this Part during the prior calendar year; and
(b) shall be based upon data and documentation sufficient to accurately determine and demonstrate such material compliance, including, to the extent necessary, documentation of officers, employees, representatives, outside vendors and other individuals or entities, as well as other documentation, whether in the form of reports, certifications, schedules or otherwise; or
(ii) a written acknowledgment that:
(a) acknowledges that, for the prior calendar year, the covered entity did not materially comply with all the requirements of this Part;
(b) identifies all sections of this Part that the entity has not materially complied with and describes the nature and extent of such noncompliance; and
(c) provides a remediation timeline or confirmation that remediation has been completed.
(2) Such certification or acknowledgment shall be submitted electronically in the form set forth on the department's website and shall be signed by the covered entity's highest-ranking executive and its CISO. If the covered entity does not have a CISO, the certification or acknowledgment shall be signed by the highest-ranking executive and by the senior officer responsible for the cybersecurity program of the covered entity.
(3) Each covered entity shall maintain for examination and inspection by the department upon request all records, schedules and other documentation and data supporting the certification or acknowledgment for a period of five years, including the identification of all areas, systems and processes that require or required material improvement, updating or redesign, all remedial efforts undertaken to address such areas, systems and processes, and remediation plans and timelines for their implementation.
(c) Notice and explanation of extortion payment. Each covered entity, in the event of an extortion payment made in connection with a cybersecurity event involving the covered entity, shall provide the superintendent electronically, in the form set forth on the department's website, with the following:
(1) within 24 hours of the extortion payment, notice of the payment; and
(2) within 30 days of the extortion payment, a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.