N.Y. Comp. Codes R. & Regs. tit. 23 § 500.14

Current through Register Vol. 46, No. 45, November 2, 2024
Section 500.14 - Monitoring and training
(a) As part of its cybersecurity program, each covered entity shall:
(1) implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users;
(2) implement risk-based controls designed to protect against malicious code, including those that monitor and filter web traffic and electronic mail to block malicious content; and
(3) provide periodic, but at a minimum annual, cybersecurity awareness training that includes social engineering for all personnel that is updated to reflect risks identified by the covered entity in its risk assessment.
(b) Each class A company shall implement, unless the CISO has approved in writing the use of reasonably equivalent or more secure compensating controls:
(1) an endpoint detection and response solution to monitor anomalous activity, including but not limited to lateral movement; and
(2) a solution that centralizes logging and security event alerting.

Adopted, New York State Register March 1, 2017/Volume XXXIX, Issue 09, eff. 3/1/2017
Amended New York State Register November 1, 2023/Volume XLV, Issue 44, eff. 11/1/2023