N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.1 - Definitions
For purposes of this Part only, the following definitions shall apply:
(a) Affiliate means any person that controls, is controlled by or is under common control with another person. For purposes of this subdivision, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.
(b) Authorized user means any employee, contractor, agent or other person that participates in the business operations of a covered entity and is authorized to access and use any information systems and data of the covered entity.
(c) Chief Information Security Officer or CISO means a qualified individual responsible for overseeing and implementing a covered entity's cybersecurity program and enforcing its cybersecurity policy.
(d) Class A company means a covered entity with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in this State of the covered entity's affiliates and:
(1) over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or
(2) over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates no matter where located.
For purposes of this subdivision, when calculating the number of employees and gross annual revenue, affiliates shall include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.
(e) Covered entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.
(f) Cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.
(g) Cybersecurity incident means a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:
(1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;
(2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or
(3) results in the deployment of ransomware within a material part of the covered entity's information systems.
(h) Independent audit means an audit conducted by internal or external auditors free to make decisions not influenced by the covered entity being audited or by its owners, managers or employees.
(i) Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
(j) Multi-factor authentication means authentication through verification of at least two of the following types of authentication factors:
(1) knowledge factors, such as a password;
(2) possession factors, such as a token; or
(3) inherence factors, such as a biometric characteristic.
(k) Nonpublic information means all electronic information that is not publicly available information and is:
(1) business related information of a covered entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the covered entity;
(2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:
(i) social security number;
(ii) drivers' license number or non-driver identification card number;
(iii) account number, credit or debit card number;
(iv) any security code, access code or password that would permit access to an individual's financial account; or
(v) biometric records;
(3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to:
(i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family;
(ii) the provision of health care to any individual; or
(iii) payment for the provision of health care to any individual.
(l) Penetration testing means testing the security of information systems by attempting to circumvent or defeat the security features of an information system by authorizing attempted penetration of databases or controls from outside or inside the covered entity's information systems.
(m) Person means any individual or entity, including but not limited to any partnership, corporation, branch, agency or association.
(n) Privileged account means any authorized user account or service account that can be used to perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change or remove other accounts, or make configuration changes to information systems.
(o) Publicly available information means any information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from: Federal, State or local government records; widely distributed media; or disclosures to the general public that are required to be made by Federal, State or local law. A covered entity has a reasonable basis to believe that information is lawfully made available to the general public if the covered entity has taken steps to determine:
(1) that the information is of the type that is available to the general public; and
(2) whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so.
(p) Risk assessment means the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, customers, consumers, other organizations and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place.
(q) Senior governing body means the board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer or officers of a covered entity responsible for the covered entity's cybersecurity program. For any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.
(r) Senior officer(s) means the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a covered entity, including a branch or agency of a foreign banking organization subject to this Part.
(s) Third-party service provider(s) means a person that:
(1) is not an affiliate of the covered entity;
(2) is not a governmental entity;
(3) provides services to the covered entity; and
(4) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.