NY Cybersecurity Rules Now In Effect
- identify and assess internal and external cyber risks by, at minimum, identifying the nonpublic information stored on their information systems, the sensitivity of such information, and how and by whom this information can be accessed;
- use defensive infrastructure and implement policies and procedures to protect their information systems and the nonpublic information stored on them from unauthorized access or other malicious acts;
- detect cybersecurity events;
- respond to identified or detected cybersecurity events and mitigate any negative effects;
- recover from cybersecurity events and restore normal operations and services; and
- fulfill all regulatory reporting obligations.
In addition, entities would need to implement and maintain policies regarding cybersecurity, third-party information access, in-house application use and incident response.
They would also need to designate a qualified person to act as Chief Information Security Officer and provide staff to support that person; perform regular risk assessments and penetration tests; maintain audit trails capable of reconstructing past transactions and other events; limit user privileges to information systems; use multifactor authentication controls; encrypt data; implement training and monitoring for personnel; and periodically dispose of nonpublic information no longer necessary for business operations.
The Society, in a Nov. 11 comment letter, expressed measured support for the regulations, but had concerns about some of the particulars. It felt that a more risk-based approach would be more appropriate, as the original proposal called for specific controls that, given the pace of technology, could lead companies to establish ineffective or outdated controls. While the final version does still mandate some specific measures, it also requires that the company assess its specific risk profile and design a program addressing its risks.