New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.4 - Cybersecurity governance
Current through Register Vol. 46, No. 39, September 25, 2024
(a) Chief information security officer. Each covered entity shall designate a CISO. The CISO may be employed by the covered entity, one of its affiliates or a third-party service provider. If the CISO is employed by a third-party service provider or an affiliate, the covered entity shall:
(b) Report. The CISO of each covered entity shall report in writing at least annually to the senior governing body on the covered entity's cybersecurity program, including to the extent applicable:
(c) The CISO shall timely report to the senior governing body or senior officer(s) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity's cybersecurity program.
(d) The senior governing body of the covered entity shall exercise oversight of the covered entity's cybersecurity risk management, including by: