New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.3 - Cybersecurity policy
Current through Register Vol. 46, No. 39, September 25, 2024
Each covered entity shall implement and maintain a written policy or policies, approved at least annually by a senior officer or the covered entity's senior governing body for the protection of its information systems and nonpublic information stored on those information systems. Procedures shall be developed, documented and implemented in accordance with the written policy or policies. The cybersecurity policy or policies and procedures shall be based on the covered entity's risk assessment and address, at a minimum, the following areas to the extent applicable to the covered entity's operations:
(a) information security;
(b) data governance, classification and retention;
(c) asset inventory, device management and end of life management;
(d) access controls, including remote access and identity management;
(e) business continuity and disaster recovery planning and resources;
(f) systems operations and availability concerns;
(g) systems and network security and monitoring;
(h) security awareness and training;
(i) systems and application security and development and quality assurance;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and third-party service provider management;
(m) risk assessment;
(n) incident response and notification; and
(o) vulnerability management.