Current through Register Vol. 45, No. 52, December 27, 2023
(a) Notice of cybersecurity incident.
(1) Each covered entity shall notify the superintendent electronically in the form set forth on the department's website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.
(2) Each covered entity shall promptly provide to the superintendent any information requested regarding such incident. Covered entities shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable.
(b) Notice of compliance.
(1) Annually each covered entity shall submit to the superintendent electronically by April 15 either:
(i) a written certification that:
(a) certifies that the covered entity materially complied with the requirements set forth in this Part during the prior calendar year; and
(b) shall be based upon data and documentation sufficient to accurately determine and demonstrate such material compliance, including, to the extent necessary, documentation of officers, employees, representatives, outside vendors and other individuals or entities, as well as other documentation, whether in the form of reports, certifications, schedules or otherwise; or
(ii) a written acknowledgment that:
(a) acknowledges that, for the prior calendar year, the covered entity did not materially comply with all the requirements of this Part;
(b) identifies all sections of this Part that the entity has not materially complied with and describes the nature and extent of such noncompliance; and
(c) provides a remediation timeline or confirmation that remediation has been completed.
(2) Such certification or acknowledgment shall be submitted electronically in the form set forth on the department's website and shall be signed by the covered entity's highest-ranking executive and its CISO. If the covered entity does not have a CISO, the certification or acknowledgment shall be signed by the highest-ranking executive and by the senior officer responsible for the cybersecurity program of the covered entity.
(3) Each covered entity shall maintain for examination and inspection by the department upon request all records, schedules and other documentation and data supporting the certification or acknowledgment for a period of five years, including the identification of all areas, systems and processes that require or required material improvement, updating or redesign, all remedial efforts undertaken to address such areas, systems and processes, and remediation plans and timelines for their implementation.
(c) Notice and explanation of extortion payment. Each covered entity, in the event of an extortion payment made in connection with a cybersecurity event involving the covered entity, shall provide the superintendent electronically, in the form set forth on the department's website, with the following:
(1) within 24 hours of the extortion payment, notice of the payment; and
(2) within 30 days of the extortion payment, a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.
Adopted, New York State Register March 1, 2017/Volume XXXIX, Issue 09, eff. 3/1/2017
Amended, New York State Register April 22, 2020/Volume XLII, Issue 16, eff. 4/22/2020
Amended, New York State Register November 1, 2023/Volume XLV, Issue 44, eff. 11/1/2023