View Document - New York Codes, Rules and Regulations

23 CRR-NY 200.16NY-CRR

STATE COMPILATION OF CODES, RULES AND REGULATIONS OF THE STATE OF NEW YORK

TITLE 23. FINANCIAL SERVICES

CHAPTER I. REGULATIONS OF THE SUPERINTENDENT OF FINANCIAL SERVICES

PART 200. VIRTUAL CURRENCIES

23 CRR-NY 200.16

200.16 Cyber security program.

(a) Generally.

Each licensee shall establish and maintain an effective cyber security program to ensure the availability and functionality of the licensee’s electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering. The cyber security program shall be designed to perform the following five core cyber security functions:

(1) identify internal and external cyber risks by, at a minimum, identifying the information stored on the licensee’s systems, the sensitivity of such information, and how and by whom such information may be accessed;

(2) protect the licensee’s electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure and the implementation of policies and procedures;

(3) detect systems intrusions, data breaches, unauthorized access to systems or information, malware, and other cyber security events;

(4) respond to detected cyber security events to mitigate any negative effects; and

(5) recover from cyber security events and restore normal operations and services.

(b) Policy.

Each licensee shall implement a written cyber security policy setting forth the licensee’s policies and procedures for the protection of its electronic systems and customer and counterparty data stored on those systems, which shall be reviewed and approved by the licensee’s board of directors or equivalent governing body at least annually. The cyber security policy must address the following areas:

(1) information security;

(2) data governance and classification;

(3) access controls;

(4) business continuity and disaster recovery planning and resources;

(5) capacity and performance planning;

(6) systems operations and availability concerns;

(7) systems and network security;

(8) systems and application development and quality assurance;

(9) physical security and environmental controls;

(10) customer data privacy;

(11) vendor and third-party service provider management;

(12) monitoring and implementing changes to core protocols not directly controlled by the licensee, as applicable; and

(13) incident response.

Each licensee shall designate a qualified employee to serve as the licensee’s chief information security officer (“CISO”) responsible for overseeing and implementing the licensee’s cyber security program and enforcing its cyber security policy.

(d) Reporting.

Each licensee shall submit to the department a report, prepared by the CISO and presented to the licensee’s board of directors or equivalent governing body, at least annually, assessing the availability, functionality, and integrity of the licensee’s electronic systems, identifying relevant cyber risks to the licensee, assessing the licensee’s cyber security program, and proposing steps for the redress of any inadequacies identified therein.

(e) Audit.

Each licensee’s cyber security program shall, at a minimum, include audit functions as set forth below.

(1) Penetration testing. Each licensee shall conduct penetration testing of its electronic systems, at least annually, and vulnerability assessment of those systems, at least quarterly.

(2) Audit trail. Each licensee shall maintain audit trail systems that:

(i) track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting;

(ii) protect the integrity of data stored and maintained as part of the audit trail from alteration or tampering;

(iii) protect the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allows for event reconstruction;

(iv) log system events including, at minimum, access and alterations made to the audit trail systems by the systems or by an authorized user, and all system administrator functions performed on the systems; and

(v) maintain records produced as part of the audit trail in accordance with the recordkeeping requirements set forth in this Part.

(f) Application security.

Each licensee’s cyber security program shall, at minimum, include written procedures, guidelines, and standards reasonably designed to ensure the security of all applications utilized by the licensee. All such procedures, guidelines, and standards shall be reviewed, assessed, and updated by the licensee’s CISO at least annually.

(g) Personnel and intelligence.

Each licensee shall:

(1) employ cyber security personnel adequate to manage the licensee’s cyber security risks and to perform the core cyber security functions specified in paragraphs (a)(1)-(5) of this section;

(2) provide and require cyber security personnel to attend regular cyber security update and training sessions; and

(3) require key cyber security personnel to take steps to stay abreast of changing cyber security threats and countermeasures.

23 CRR-NY 200.16

Current through June 15, 2022

End of Document