23 CRR-NY 500.3

OFFICIAL COMPILATION OF CODES, RULES AND REGULATIONS OF THE STATE OF NEW YORK
TITLE 23. FINANCIAL SERVICES
CHAPTER I. REGULATIONS OF THE SUPERINTENDENT OF FINANCIAL SERVICES
PART 500. CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
500.3 Cybersecurity policy.
Each covered entity shall implement and maintain a written policy or policies, approved by a senior officer or the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the covered entity’s policies and procedures for the protection of its information systems and nonpublic information stored on those information systems. The cybersecurity policy shall be based on the covered entity’s risk assessment and address the following areas to the extent applicable to the covered entity’s operations:
(a) information security;
(b) data governance and classification;
(c) asset inventory and device management;
(d) access controls and identity management;
(e) business continuity and disaster recovery planning and resources;
(f) systems operations and availability concerns;
(g) systems and network security;
(h) systems and network monitoring;
(i) systems and application development and quality assurance;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and third party service provider management;
(m) risk assessment; and
(n) incident response.
Current through November 30, 2020