23 CRR-NY 500.15

STATE COMPILATION OF CODES, RULES AND REGULATIONS OF THE STATE OF NEW YORK
TITLE 23. FINANCIAL SERVICES
CHAPTER I. REGULATIONS OF THE SUPERINTENDENT OF FINANCIAL SERVICES
PART 500. CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
500.15 Encryption of nonpublic information.
(a) As part of its cybersecurity program, based on its risk assessment, each covered entity shall implement controls, including encryption, to protect nonpublic information held or transmitted by the covered entity both in transit over external networks and at rest.
(1) To the extent a covered entity determines that encryption of nonpublic information in transit over external networks is infeasible, the covered entity may instead secure such nonpublic information using effective alternative compensating controls reviewed and approved by the covered entity’s CISO.
(2) To the extent a covered entity determines that encryption of nonpublic information at rest is infeasible, the covered entity may instead secure such nonpublic information using effective alternative compensating controls reviewed and approved by the covered entity’s CISO.
(b) To the extent that a covered entity is utilizing compensating controls under subdivision (a) of this section, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.
Current through June 15, 2022

IMPORTANT NOTE REGARDING CONTENT CURRENCY: The "Current through" date indicated immediately above is the date of the most recently produced official NYCRR supplement covering this rule section. For later updates to this section, if any, please: consult editions of the NYS Register published after this date; or contact the NYS Department of State Division of Administrative Rules at [email protected]. See Help for additional information on the currency of this unofficial version of NYS Rules.