23 CRR-NY 500.17NY-CRR

OFFICIAL COMPILATION OF CODES, RULES AND REGULATIONS OF THE STATE OF NEW YORK
TITLE 23. FINANCIAL SERVICES
CHAPTER I. REGULATIONS OF THE SUPERINTENDENT OF FINANCIAL SERVICES
PART 500. CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
23 CRR-NY 500.17
23 CRR-NY 500.17
500.17 Notices to superintendent.
(a) Notice of cybersecurity event.
Each covered entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred that is either of the following:
(1) cybersecurity events impacting the covered entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
(2) cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
(b) Annually each covered entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by April 15th in such form set forth as Appendix A of this Title, certifying that the covered entity is in compliance with the requirements set forth in this Part. Each covered entity shall maintain for examination by the department all records, schedules and data supporting this certificate for a period of five years. To the extent a covered entity has identified areas, systems or processes that require material improvement, updating or redesign, the covered entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.
23 CRR-NY 500.17
Current through June 15, 2022
End of Document