Cybersecurity: New NYDFS Regulation Would Create Additional Board and Officer Requirements — and Potential Liability

This is the fourth in a series of blog posts analyzing certain major proposed changes in the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation. Our prior posts can be found here, here and here.

Previously, under the NYDFS’ Cybersecurity Regulation, the Chief Information Security Officer (“CISO”), together with senior officer(s), was responsible for administering and enforcing a company’s cybersecurity program. However, new language in the Cybersecurity Regulation threatens to change this dynamic by placing part of this responsibility on the “senior governing body” of a company. What’s the impact? Here’s what executives need to know.

More Board expertise required.

500.1(p) Senior governing body means the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer of the covered entity responsible for the covered entity’s cybersecurity program.

500.4(d) If the covered entity has a board of directors or equivalent, the board or an appropriate committee thereof shall: (1) exercise oversight of, and provide direction to management on, the…
