New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.4 - Cybersecurity governance

Current through Register Vol. 45, No. 52, December 27, 2023

(a) Chief information security officer. Each covered entity shall designate a CISO. The CISO may be employed by the covered entity, one of its affiliates or a third-party service provider. If the CISO is employed by a third-party service provider or an affiliate, the covered entity shall:

(1) retain responsibility for compliance with this Part;

(2) designate a senior member of the covered entity's personnel responsible for direction and oversight of the third-party service provider; and

(3) require the third-party service provider or affiliate to maintain a cybersecurity program that protects the covered entity in accordance with the requirements of this Part.

(b) Report. The CISO of each covered entity shall report in writing at least annually to the senior governing body on the covered entity's cybersecurity program, including to the extent applicable:

(1) the confidentiality of nonpublic information and the integrity and security of the covered entity's information systems;

(2) the covered entity's cybersecurity policies and procedures;

(3) material cybersecurity risks to the covered entity;

(4) overall effectiveness of the covered entity's cybersecurity program;

(5) material cybersecurity events involving the covered entity during the time period addressed by the report; and

(6) plans for remediating material inadequacies.

(c) The CISO shall timely report to the senior governing body or senior officer(s) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity's cybersecurity program.

(d) The senior governing body of the covered entity shall exercise oversight of the covered entity's cybersecurity risk management, including by:

(1) having sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors;

(2) requiring the covered entity's executive management or its designees to develop, implement and maintain the covered entity's cybersecurity program;

(3) regularly receiving and reviewing management reports about cybersecurity matters; and

(4) confirming that the covered entity's management has allocated sufficient resources to implement and maintain an effective cybersecurity program.

Adopted, New York State Register March 1, 2017/Volume XXXIX, Issue 09, eff. 3/1/2017

Amended New York State Register November 1, 2023/Volume XLV, Issue 44, eff. 11/1/2023
