Implement a cybersecurity program based on its Risk Assessment;
Implement written policies and procedures, approved by a Senior Officer or the Board, for the protection of its Information Systems and Nonpublic Information stored on those systems;
Designate a CISO;
Limit user access privileges to Information Systems which access Nonpublic Information;
Utilize qualified cybersecurity personnel to manage the Covered Entity’s cybersecurity risks and core cybersecurity functions, and provide verified training to such personnel;
Implement a written incident response plan designed to respond to and recover from a Cybersecurity Event;
Provide notice to DFS within 72 hours from a determination that a Cybersecurity Event has occurred (Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System; notice must be given if the event is one that requires notice be provided to any government body, self-regulatory agency or any other supervisory body, or one that has a reasonable likelihood of materially harming any material part of the normal operation of the Covered Entity); and
Certify annually its compliance with the Cybersecurity Regulation.
CISO must report in writing at least annually to the Board on specified cybersecurity issues;
Implement a plan for continuous monitoring of the cybersecurity program, or for periodic Penetration Testing and vulnerability assessments;
Conduct a periodic Risk Assessment of its Information Systems to inform the design of the cybersecurity program;
Implement Multi-Factor Authentication (or reasonably equivalent access controls) at least for any individual accessing internal networks from an external network; and
Provide regular cybersecurity awareness training for all company personnel.
Audit trail systems designed to reconstruct material financial transactions and to detect and respond to Cybersecurity Events;
Procedures and standards ensuring secure development practices for in-house developed applications and for evaluating the security of externally developed applications;
Policies and procedures for the secure disposal of Nonpublic Information;
Risk-based policies, procedures and controls to monitor Authorized Users’ activities on the company’s systems and detect unauthorized access to or use of Nonpublic Information; and
Encryption – both in transit and at rest – of Nonpublic Information, unless infeasible, in which case alternative compensating controls must be implemented.
This article was updated on November 20, 2018