N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.17 - Notices to Superintendent

(a) Notice of cybersecurity incident.
(1) Each covered entity shall notify the superintendent electronically in the form set forth on the department's website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.
(2) Each covered entity shall promptly provide to the superintendent any information requested regarding such incident. Covered entities shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable.
(b) Notice of compliance.
(1) Annually each covered entity shall submit to the superintendent electronically by April 15 either:
(i) a written certification that:
(a) certifies that the covered entity materially complied with the requirements set forth in this Part during the prior calendar year; and
(b) shall be based upon data and documentation sufficient to accurately determine and demonstrate such material compliance, including, to the extent necessary, documentation of officers, employees, representatives, outside vendors and other individuals or entities, as well as other documentation, whether in the form of reports, certifications, schedules or otherwise; or
(ii) a written acknowledgment that:
(a) acknowledges that, for the prior calendar year, the covered entity did not materially comply with all the requirements of this Part;
(b) identifies all sections of this Part that the entity has not materially complied with and describes the nature and extent of such noncompliance; and
(c) provides a remediation timeline or confirmation that remediation has been completed.
(2) Such certification or acknowledgment shall be submitted electronically in the form set forth on the department's website and shall be signed by the covered entity's highest-ranking executive and its CISO. If the covered entity does not have a CISO, the certification or acknowledgment shall be signed by the highest-ranking executive and by the senior officer responsible for the cybersecurity program of the covered entity.
(3) Each covered entity shall maintain for examination and inspection by the department upon request all records, schedules and other documentation and data supporting the certification or acknowledgment for a period of five years, including the identification of all areas, systems and processes that require or required material improvement, updating or redesign, all remedial efforts undertaken to address such areas, systems and processes, and remediation plans and timelines for their implementation.
(c) Notice and explanation of extortion payment. Each covered entity, in the event of an extortion payment made in connection with a cybersecurity event involving the covered entity, shall provide the superintendent electronically, in the form set forth on the department's website, with the following:
(1) within 24 hours of the extortion payment, notice of the payment; and
(2) within 30 days of the extortion payment, a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.

Notes

N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.17
Adopted, New York State Register March 1, 2017/Volume XXXIX, Issue 09, eff. 3/1/2017
Amended, New York State Register April 22, 2020/Volume XLII, Issue 16, eff. 4/22/2020
Amended, New York State Register November 1, 2023/Volume XLV, Issue 44, eff. 11/1/2023
