Section 500.04

Chief Information Security Officer.

(a) Chief Information Security Officer. Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”). The CISO may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider. To the extent this requirement is met using a Third Party Service Provider or an Affiliate, the Covered Entity shall:
(1) retain responsibility for compliance with this Part;
(2) designate a senior member of the Covered Entity’s personnel responsible for direction and oversight of the Third Party Service Provider; and
(3) require the Third Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part.
(b) Report. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity’s cybersecurity program. The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks. The CISO shall consider to the extent applicable:
(1) the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems;
(2) the Covered Entity’s cybersecurity policies and procedures;
(3) material cybersecurity risks to the Covered Entity;
(4) overall effectiveness of the Covered Entity’s cybersecurity program; and
(5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.