Current through Register Vol. 46, No. 53, December 31, 2024
Section 5606.2 - Data security

(a) Cybersecurity program requirements. Each registrant shall establish a cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems that performs five core cybersecurity functions:
(1) identification of cyber risks;
(2) implementation of policies and procedures to protect against unauthorized access or use or other malicious acts;
(3) detection of cybersecurity events;
(4) responsiveness to identified cybersecurity events to mitigate any negative events; and
(5) recovery from cybersecurity events and restoration of normal operations and services.

(b) Cybersecurity standards. A cybersecurity program as set forth in subdivision (a) of this section shall meet or exceed industry standards for website and payment data security, as the commission may announce by bulletin.

(c) Chief information security officer. Each registrant shall designate a chief information security officer responsible for overseeing and implementing the registrant's cybersecurity program and enforcing such registrant's cybersecurity policy. The chief information security officer shall make a written report to the commission every two years or upon commission request, to:
(1) assess the confidentiality, integrity and availability of information systems;
(2) detail exceptions to cybersecurity policies and procedures;
(3) identify cyber risks;
(4) assess the effectiveness of the cybersecurity program;
(5) propose steps to remediate any inadequacies identified; and
(6) include a summary of all material cybersecurity events that affected the registrant during the time period addressed by the report.

(d) Policies and procedures. Each registrant shall establish and implement policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties and include the following:
(1) identification and risk assessment of third parties with access to such information systems or such nonpublic information;
(2) minimum cybersecurity practices required to be met by such third parties;
(3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such third parties;
(4) changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, taking into account the criticality of business systems and processes involved and re-assessment of risks;
(5) periodic assessment, at least annually, of third parties and the continued adequacy of the cybersecurity practices of such parties; and
(6) the access rights of third-party service providers shall be removed upon termination of contract or agreement or adjusted upon change.

(e) Contestant location. A registrant shall ensure that a platform reasonably detects the physical location of an authorized contestant attempting to access such platform and blocks contestants who attempt to enter contests from the IP addresses of known proxy servers.

(f) Disaster recovery plan. Each registrant shall prepare a disaster recovery plan that minimizes loss to contestant funds and prize winnings in the event the interactive fantasy sports system is rendered inoperable.

(g) Technical standards. The commission, by directive, may issue technical standards, or adopt existing technical standards, for the certification of a registrant's platform.

N.Y. Comp. Codes R. & Regs. Tit. 9 § 5606.2
Adopted New York State Register October 18, 2023/Volume XLV, Issue 42, eff. 10/18/2023