What is required?
All organizations, including those with a limited exemption, must:
Establish a security program and implement cybersecurity policies
Provide notice to the Superintendent of a cybersecurity event
Establish policies for disposal of non-public information no longer needed
Limit and periodically review access privileges
Conduct periodic risk assessments
Implement policies & procedures to secure information accessible to third party service providers
Non-exempt entities must also do the following:
Identify a Chief Information Security Officer (CISO) internally or retain the services of a third party. If a third party is used, a senior member of the organization must provide oversight and be named.
Conduct an annual internal and external penetration test.
Conduct a bi-annual vulnerability assessment of the company's technologies.
Retain transactional audit logs of cybersecurity events and the responses to them for at least 5 years.
Evaluate and test the security of internally and externally developed business applications.
Use qualified cybersecurity personnel who are sufficiently trained in the cybersecurity tools in use.
Require Multi-Factor Authentication for anyone accessing the internal network from outside.
Provide regular cybersecurity training, and monitor the network to detect unauthorized access.
Encrypt Nonpublic Information both in transit and at rest.
Maintain written policies and procedures to address a cybersecurity event and ensure timely remediation and recovery.