N.J. Admin. Code § 17:20-12.13
A courier service shall submit, as part of its application, to the Division for the Division's written approval, a written description of the courier service's system of internal controls. Such system of internal controls shall demonstrate to the satisfaction of the Division that such courier service has adequate controls in place to address data security, responsiveness to cybersecurity events to mitigate any negative events, recovery from cybersecurity events and restoration of normal operations and services, risk assessment and mitigation, training, access controls and identity management, systems operations and availability concerns, courier customer data privacy, incident response, disaster recovery, security of physical tickets, ticket and document retention, self-exclusion process, responsible gaming limits, manual ticket matching, services that must be performed in New Jersey in accordance with N.J.A.C. 17:20-12.6(a)5, and any other control issue the Division may identify. The Director may approve, conditionally approve, or disapprove the courier service's system of internal controls. In the event that the Director disapproves, the courier service shall have a reasonable amount of time, but no more than 30 days, to submit a description of a satisfactory system of internal controls. A courier service shall notify the Director, in writing, of any change to internal controls, 30 days prior to the change. All such changes will be subject to the review and approval of the Director, consistent with the standards used in the initial registration approval.
N.J. Admin. Code § 17:20-12.13