What is required?

All organizations, including those with a limited exemption, must

  • Establish a security program and implement cybersecurity policies
  • Provide notice to the Superintendent of a cybersecurity event
  • Establish policies for disposal of non-public information no longer needed
  • Limit and periodically review access privileges
  • Conduct periodic risk assessments
  • Implement policies & procedures to secure information accessible to third party service providers

Non-exempt entities must also do the following:

  • Identify a Chief Information Security Officer (CISO) internally or retain the services of a third party. If a third party is used, a senior member of the organization must be named to provide oversight.
  • Conduct an annual internal and external penetration test.
  • Conduct a bi-annual vulnerability assessment of the company's technologies.
  • Retain transactional audit logs of cybersecurity events and the responses to them for at least 5 years.
  • Evaluate and test the security of internally and externally developed business applications.
  • Use qualified cybersecurity personnel who are sufficiently trained in the cybersecurity tools in use.
  • Require Multi-Factor Authentication for anyone accessing the internal network from outside it.
  • Provide regular cybersecurity training, and monitor the network to detect unauthorized access.
  • Encrypt Nonpublic Information both in transit and at rest.
  • Maintain written policies and procedures to address a cybersecurity event and ensure timely remediation and recovery.