§ Cybersecurity Program. Establish a cybersecurity program, designed to ensure the confidentiality, integrity and availability of information systems, that performs five core cybersecurity functions:
• Identification of cyber risks.
• Implementation of policies and procedures to protect against unauthorized access/use or other malicious acts.
• Detection of cybersecurity events.
• Responsiveness to identified cybersecurity events to mitigate any negative events.
• Recovery from cybersecurity events and restoration of normal operations and services.
§ Adoption of a Cybersecurity Policy. Adopt a written cybersecurity policy, setting forth policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:
• Information security.
• Data governance and classification.
• Access controls and identity management.
• Business continuity and disaster recovery planning and resources.
• Capacity and performance planning.
• Systems operations and availability concerns.
• Systems and network security.
• Systems and network monitoring.
• Systems and application development and quality assurance.
• Physical security and environmental controls.
• Customer data privacy.
• Vendor and third-party service provider management.
• Risk assessment.
• Incident response.
§ Chief Information Security Officer. Designate a qualified individual to serve as Chief Information Security Officer (CISO) responsible for overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy. The CISO must report to the board, at least bi-annua