Current through Register Vol. 46, No. 43, October 23, 2024
Section 500.4 - Cybersecurity governance

(a) Chief information security officer. Each covered entity shall designate a CISO. The CISO may be employed by the covered entity, one of its affiliates or a third-party service provider. If the CISO is employed by a third-party service provider or an affiliate, the covered entity shall:
    (1) retain responsibility for compliance with this Part;
    (2) designate a senior member of the covered entity's personnel responsible for direction and oversight of the third-party service provider; and
    (3) require the third-party service provider or affiliate to maintain a cybersecurity program that protects the covered entity in accordance with the requirements of this Part.

(b) Report. The CISO of each covered entity shall report in writing at least annually to the senior governing body on the covered entity's cybersecurity program, including to the extent applicable:
    (1) the confidentiality of nonpublic information and the integrity and security of the covered entity's information systems;
    (2) the covered entity's cybersecurity policies and procedures;
    (3) material cybersecurity risks to the covered entity;
    (4) overall effectiveness of the covered entity's cybersecurity program;
    (5) material cybersecurity events involving the covered entity during the time period addressed by the report; and
    (6) plans for remediating material inadequacies.

(c) The CISO shall timely report to the senior governing body or senior officer(s) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity's cybersecurity program.

(d) The senior governing body of the covered entity shall exercise oversight of the covered entity's cybersecurity risk management, including by:
    (1) having sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors;
    (2) requiring the covered entity's executive management or its designees to develop, implement and maintain the covered entity's cybersecurity program;
    (3) regularly receiving and reviewing management reports about cybersecurity matters; and
    (4) confirming that the covered entity's management has allocated sufficient resources to implement and maintain an effective cybersecurity program.

N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.4

Adopted, New York State Register March 1, 2017/Volume XXXIX, Issue 09, eff. 3/1/2017
Amended New York State Register November 1, 2023/Volume XLV, Issue 44, eff. 11/1/2023