23 CRR-NY 500.1

OFFICIAL COMPILATION OF CODES, RULES AND REGULATIONS OF THE STATE OF NEW YORK
TITLE 23. FINANCIAL SERVICES
CHAPTER I. REGULATIONS OF THE SUPERINTENDENT OF FINANCIAL SERVICES
PART 500. CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
500.1 Definitions.
For purposes of this Part only, the following definitions shall apply:
(a) Affiliate means any person that controls, is controlled by or is under common control with another person. For purposes of this subdivision, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.
(b) Authorized user means any employee, contractor, agent or other person that participates in the business operations of a covered entity and is authorized to access and use any information systems and data of the covered entity.
(c) Covered entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
(d) Cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.
(e) Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
(f) Multi-factor authentication means authentication through verification of at least two of the following types of authentication factors:
(1) knowledge factors, such as a password;
(2) possession factors, such as a token or text message on a mobile phone; or
(3) inherence factors, such as a biometric characteristic.
(g) Nonpublic information shall mean all electronic information that is not publicly available information and is:
(1) business related information of a covered entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the covered entity;
(2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:
(i) social security number;
(ii) drivers’ license number or non-driver identification card number;
(iii) account number, credit or debit card number;
(iv) any security code, access code or password that would permit access to an individual’s financial account; or
(v) biometric records;
(3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to:
(i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family;
(ii) the provision of health care to any individual; or
(iii) payment for the provision of health care to any individual.
(h) Penetration testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside the covered entity’s information systems.
(i) Person means any individual or any non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency or association.
(j) Publicly available information means any information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from: Federal, State or local government records; widely distributed media; or disclosures to the general public that are required to be made by Federal, State or local law.
(1) For the purposes of this subdivision, a covered entity has a reasonable basis to believe that information is lawfully made available to the general public if the covered entity has taken steps to determine:
(i) that the information is of the type that is available to the general public; and
(ii) whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so.
(k) Risk assessment means the risk assessment that each covered entity is required to conduct under section 500.9 of this Part.
(l) Risk-based authentication means any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a person and requires additional verification of the person’s identity when such deviations or changes are detected, such as through the use of challenge questions.
(m) Senior officer(s) means the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a covered entity, including a branch or agency of a foreign banking organization subject to this Part.
(n) Third party service provider(s) means a person that:
(1) is not an affiliate of the covered entity;
(2) provides services to the covered entity; and
(3) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.
Current through June 15, 2022