| Term | Definition |
| --- | --- |
| Authorized User | Any employee, contractor, agent or other person that participates in the business operations of a covered entity and is authorized to access and use any information systems and data of the covered entity. |
| Covered entity | Any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law of New York |
| Cybersecurity Event | Any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on the information system |
| Information System | A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems |
| Multi-Factor Authentication | Authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; or (2) Possession factors, such as a token or text message on a mobile phone; or (3) Inherence factors, such as a biometric characteristic |
| Risk-Based Authentication | Any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a person and requires additional verification of the person’s identity when such deviations or changes are detected, such as through the use of challenge questions. |
| Third Party Service Provider | A person that (i) is not an affiliate of the covered entity, (ii) provides services to the covered entity, and (iii) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity |
| Chief Information Security Officer (CISO) | A qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy |