NY DFS Part 500 requires each covered entity to designate a qualified Chief Information Security Officer (CISO) responsible for overseeing and implementing the cybersecurity program. The CISO must report at least annually to the board of directors or a senior officer. The CISO function can be fulfilled by a third-party service provider, but the covered entity retains accountability.
Keep Exploring