As part of its cybersecurity program, based on the covered entity’s risk assessment each covered entity shall limit user access privileges to information systems that provide access to nonpublic information and shall periodically review such access privileges.